Data Exfiltration
Info
ID: AT-IM001
Tactic: Impact
Platforms: Linux, macOS, Windows, IaaS
Impact Type: Integrity
Version: 1.0
Data Exfiltration
Adversaries may steal data from an application's environment, such as sensitive customer records, intellectual property, or operational intelligence. This can happen via direct data dumps, continuous network egress, or by siphoning data through cloud services. Once exfiltrated, stolen information can be sold, used for extortion, or leveraged to enable further attacks on related targets.
Data Sources
- Network Traffic: Data transfer patterns and unusual network connections
- File Monitoring: File access and transfer activities
- Cloud Audit Logs: Cloud storage and service access logs
- Process Monitoring: Data processing and extraction activities
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Implement data loss prevention tools to monitor and prevent data exfiltration |
| M1030 | Network Segmentation | Implement network segmentation to limit data exfiltration paths |
| M1041 | Encrypt Sensitive Information | Implement data encryption to protect data during exfiltration attempts |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Content | Detect sustained high-volume outbound transfers or bursts to unfamiliar external endpoints, especially when protocol or port deviates from baseline application behaviour. |
| DS0015 | Application Log | Alert on API routes or database queries returning unusually large result sets or invoked outside normal business hours, correlating with subsequent download responses. |
| DS0036 | Cloud Storage Access | Monitor cloud object-store audit logs for bulk GetObject or CopyObject operations, cross-account sharing, or access from new service principals. |
| DS0022 | File: File Access | Identify rapid sequential reads across many files/directories (e.g., mass archive staging) which often precede compression and exfiltration. |