Data Exfiltration

Amber Boehm - January 31, 2022

What Is Data Exfiltration?

Data exfiltration is the theft or unauthorized transfer of data from a device or network. According to the MITRE ATT&CK framework, “once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.”

How Does Data Exfiltration Occur?

Data exfiltration can be conducted by outsiders, who penetrate the network in order to steal user credentials, intellectual property and company secrets. Outsider attacks usually start with the injection of malware onto an endpoint such as a computer or mobile device that is connected to the corporate network. The malware exfiltrates the data to an external server controlled by the outsider, who may then sell it or publish it.

Data exfiltration may also occur when an insider moves data outside of the network, such as by emailing it to a non-corporate email address or copying it to an unsecured cloud storage service or software-as-a-service (SaaS) product. These actions are often performed with benign intent by employees just trying to do their jobs, but they are exposing the data to risk by removing it from the oversight of the security team and corporate policies.


Common Data Exfiltration Techniques

Social Engineering

Social engineering is one of the most common methods of exfiltrating data. An adversary tricks a user into sharing sensitive data or credentials by posing as a legitimate employee or partner. For example, an adversary may pose as a help desk agent to ask a user for sensitive information, such as username and password.

One common type of social engineering attack is phishing. In phishing attacks, the attacker sends users an email that appears to be from a legitimate source, such as the human resources department. The email will ask the user to click on a link, which will send victims to a false site that looks exactly like the official human resources portal. This false site may be set up exclusively to harvest credentials, or the site’s code may contain a malicious script that installs a keylogger or other malware that will then be used to execute the next stage of the phishing attack.

Human Error

Careless insiders commonly download sensitive company data from their secure company-issued devices to personal devices that are not protected by their employers’ network security solutions or policies. Instead, the data is either entirely unprotected or protected only by the basic level of consumer security tools. In this situation, data exfiltration may not be limited to the movement of files — it could include photos of monitor screens taken with smartphones, recordings of conversations made with smartphones, etc.

Insider Threat Uploads to External Device

Malicious insiders are less common than their careless coworkers, but a malicious insider can do a great deal more damage. A malicious insider is able to use legitimate credentials to conduct nefarious activities for an extremely long period of time before detection occurs — if it ever occurs. Because this user’s credentials are legitimate, their data exfiltration will not be noticed unless they are moving large amounts of valuable data or trying to access parts of systems that are beyond their level of privilege. During their period of activity, malicious insiders usually download data from a trusted device onto a personal device or thumb drive, and then upload it to an external location, such as a storage service on the dark web, before selling it or disseminating it.

Preventing Data Exfiltration

The statistics on how long it takes to detect a data breach are alarming. Breaches go unnoticed for so long because detecting data exfiltration is hard, particularly when the exfiltration technique used by the attacker presents as normal network traffic.
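One way to make exfiltration that hides in ordinary web traffic visible is to look at egress as a whole rather than one request at a time: compare each host's outbound volume against its peers, and flag uploads to services the organization has not sanctioned, treating archives as higher risk because, as the ATT&CK description above notes, adversaries typically compress what they have collected before moving it. The script below is an added example written for this article, not CrowdStrike code; the proxy log format, the log lines and the allowlist of sanctioned domains are all constructed for illustration.

```python
"""Added example: flag suspicious outbound transfers in constructed proxy logs."""
from collections import defaultdict
from statistics import median
import re

# Constructed sample proxy log lines (not real data). Assumed format:
# <ISO timestamp> <user> <src_host> <method> <dest_domain> <path> <bytes_out>
SAMPLE_LOG = """\
2022-01-31T09:02:11Z alice ws-0142 GET  intranet.corp.example /portal 512
2022-01-31T09:05:40Z alice ws-0142 POST sharepoint.corp.example /upload/q4.docx 184320
2022-01-31T09:07:03Z bob   ws-0207 GET  www.example.org /news 2048
2022-01-31T09:15:22Z carol ws-0311 POST files.example-personal.net /api/upload/archive.7z 734003200
2022-01-31T09:20:09Z dave  ws-0419 GET  intranet.corp.example /portal 498
2022-01-31T09:31:47Z erin  ws-0523 PUT  mail.example-webmail.com /attach/customers.zip 52428800
2022-01-31T09:40:00Z frank ws-0611 POST sharepoint.corp.example /upload/notes.txt 4096
"""

# Hypothetical allowlist of services the security team sanctions for uploads.
SANCTIONED_DOMAINS = {"intranet.corp.example", "sharepoint.corp.example"}
# Archive extensions: compressed bundles are how collected data is usually packaged.
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar|tar|gz|tgz)$", re.IGNORECASE)
UPLOAD_METHODS = {"POST", "PUT"}


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts with an integer byte count."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, method, domain, path, nbytes = line.split()
        events.append({"ts": ts, "user": user, "host": host, "method": method,
                       "domain": domain, "path": path, "bytes": int(nbytes)})
    return events


def egress_per_host(events):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for e in events:
        totals[e["host"]] += e["bytes"]
    return dict(totals)


def volume_outliers(events, multiplier=10, floor_bytes=10 * 1024 * 1024):
    """Hosts whose egress is both large in absolute terms (above floor_bytes)
    and far above the median host (more than multiplier x median)."""
    totals = egress_per_host(events)
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(h for h, b in totals.items()
                  if b >= floor_bytes and b > multiplier * baseline)


def unsanctioned_uploads(events):
    """Uploads to domains outside the allowlist; archives are marked as higher risk."""
    findings = []
    for e in events:
        if e["method"] not in UPLOAD_METHODS or e["domain"] in SANCTIONED_DOMAINS:
            continue
        findings.append({"user": e["user"], "host": e["host"], "domain": e["domain"],
                         "bytes": e["bytes"],
                         "archive": bool(ARCHIVE_EXT.search(e["path"]))})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("volume outliers:", volume_outliers(evs))
    for f in unsanctioned_uploads(evs):
        print("unsanctioned upload:", f)
```

The absolute floor keeps a quiet network from flagging every host that is merely a little busier than the median, and the allowlist check catches the insider case from earlier in the article, where data leaves through a personal webmail or cloud storage account rather than through malware. In production both lists would come from the proxy or EDR platform, and the multiplier would be tuned against the organization's own history.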

The most significant defensive practice a business can establish is also the most difficult: educate employees. Of course, many businesses already do this with regular mandatory security awareness training, but most employees continue to underestimate the likelihood that they’ll be targeted. Businesses need to foster a culture of security throughout the organization before they can have faith in their employees to act as the first line of defense.

Bring-your-own-device (BYOD) policies should be in place and made clear to all employees. Today in particular, with the shift to remote work, employees may be using any manner of personal device to access valuable data, from a kid’s gaming system to a Windows 8 tower. Monitoring the network to see who is logging on and which devices they are using is not only necessary to prevent a data breach today, but also to understand how users are interacting with the network in order to plan better for tomorrow.

To control insider threats, both benign and malicious, control privilege. That means only granting least privilege; dynamically controlling privilege so that when an employee’s reason to access a sensitive system is no longer valid, they no longer have access; and systematically revoking privilege for former employees from the moment their employment ends, rather than waiting a week or two to clean up old accounts.
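The three controls in that paragraph (least privilege, privilege that lapses when its justification does, and immediate revocation on departure) can be checked mechanically by reconciling the directory and access grants against the HR roster. The script below is an added example for this article, not CrowdStrike code; the roster, accounts, grants and the date used as "today" are all constructed, and a real version would read them from the HR system and identity provider.

```python
"""Added example: find privilege that should already have been revoked."""
from datetime import date

# Constructed sample data (hypothetical; not from any real directory or HR system).
TODAY = date(2022, 1, 31)

# HR roster: employee -> termination date (None if still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2022, 1, 14),   # left two weeks ago
    "carol": None,
    "dave": date(2022, 1, 31),  # last day is today
}

# Directory accounts with their enabled flag.
ACCOUNTS = {
    "alice": {"enabled": True},
    "bob": {"enabled": True},    # never disabled: stale account
    "carol": {"enabled": True},
    "dave": {"enabled": True},
}

# Grants to sensitive systems, each tied to a business justification with an expiry.
GRANTS = [
    {"user": "alice", "system": "finance-db", "expires": date(2022, 3, 1)},
    {"user": "carol", "system": "finance-db", "expires": date(2022, 1, 15)},  # project ended
    {"user": "carol", "system": "hr-files", "expires": date(2022, 6, 30)},
    {"user": "bob", "system": "source-repo", "expires": date(2022, 12, 31)},
]


def has_left(roster, user, today):
    """True when HR records the person's employment as ended on or before today."""
    end = roster.get(user)
    return end is not None and end <= today


def terminated_but_enabled(roster, accounts, today=TODAY):
    """Accounts still enabled for people whose employment has ended."""
    return sorted(user for user, acct in accounts.items()
                  if acct["enabled"] and has_left(roster, user, today))


def expired_grants(grants, roster, today=TODAY):
    """Grants whose justification has lapsed, plus every grant held by someone who has left."""
    stale = []
    for g in grants:
        if has_left(roster, g["user"], today) or g["expires"] < today:
            stale.append((g["user"], g["system"]))
    return sorted(stale)


def revocation_report(roster=HR_ROSTER, accounts=ACCOUNTS, grants=GRANTS, today=TODAY):
    """Everything the identity team should act on today."""
    return {"disable_accounts": terminated_but_enabled(roster, accounts, today),
            "revoke_grants": expired_grants(grants, roster, today)}


if __name__ == "__main__":
    for action, items in revocation_report().items():
        print(action, items)
```

Running this daily (or on every HR termination event) turns the "from the moment their employment ends" requirement into a check with a concrete output rather than a policy statement, and the expiry on each grant is what makes access lapse on its own when a project ends instead of accumulating until someone notices.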


Amber Boehm is a Director of Product Marketing for Data Detection and Response at CrowdStrike and based in Seattle, Washington.