If you downloaded an update for Chrome, NordVPN, Outlook, or Discord in early 2021, there’s a chance you introduced a data exfiltration Trojan to your network. Researchers discovered this in February 2021 when they realized that exfiltration malware known as Masslogger had been hidden in seemingly benign copies of the above applications.
But what is data exfiltration, and how does it work? As importantly, how can you protect your systems from this threat? Here’s a breakdown of what data exfiltration is and tips for protecting your organization.
Data exfiltration is, simply put, the theft of data. An attacker either uses manual methods—such as accessing a database, copying its contents, and transmitting it outside your network—or automated methods, such as the Masslogger Trojan mentioned above. In an automated attack, a hacker designs their exfiltration software to target systems that have sensitive data. The software then sends the stolen data to a server or computer operated by the hacker or an organization they work with.
Data exfiltration, also known as data extrusion, is a particularly dangerous threat because a company’s data is often its most valuable and most sensitive resource. Knowing this, hackers seek to steal it so they can sell it to others, embarrass the organization by releasing it, or use it in a cyber espionage or sabotage campaign. In fact, a recent report by The Hacker News identified data exfiltration as a greater risk than ransomware, particularly because of the value of the confidential information that many companies store.
A data leak prevention (DLP) cybersecurity solution lets administrators stop certain kinds of data from leaving a company’s network. Each piece of data stored on a computer carries metadata indicating which area of the machine it resides in. DLP examines this metadata, and if the data comes from an area that shouldn’t be sending data out, DLP blocks the transfer.
In this way, DLP acts like a highway checkpoint, stopping each passing data “vehicle” to see whether it’s allowed to proceed. Any data that an admin has labeled as immovable gets stopped at the DLP “checkpoint.”
Encrypting data is an effective way of ensuring that if an attacker does get their hands on some data, they won’t be able to read or use it. Encryption works by running all data through an algorithm that produces a jumbled arrangement of characters. A sound algorithm also resists known-plaintext attacks: even if someone has both the original data and what it looks like after the algorithm has processed it, they still can’t figure out how to crack the encryption.
Therefore, even though the encryption itself may not prevent a hacker from stealing data, it stops them from being able to use or sell it. Instead of wasting time trying to work around the algorithm, an attacker is far more likely to move on to another organization that’s an easier target.
Password hardening makes it extremely difficult for someone to access a restricted area using a password. This approach prevents data exfiltration because a malicious user may not be able to log in even if they have password-guessing software or already know a legitimate user’s password.
For example, you can:
- Enforce strong passwords across your organization. These would typically consist of random letters, numbers, and symbols that would be virtually impossible for someone to guess.
- Use scrambled keyboards. Scrambled keyboards mix up the letters, numbers, and characters and force the user to click them on a screen while logging in. This prevents keylogger attacks, which record users’ keystrokes as they access a sensitive area.
Role-based access control (RBAC) ensures that only those who need sensitive data to do their jobs can access it. For example, a high-ranking manager in the human resources department would most likely never need access to customer payment data, regardless of their position in the organization. The same could be said of the CEO and even the CTO. On the other hand, the accounts department may need to see customer payment information periodically.
By making it impossible for anyone who doesn’t need this information to access it, you can significantly decrease the chances of it being stolen, whether by other people in your organization or by outsiders who steal those people’s login credentials.
Even though some insider attacks can be challenging to prevent, you may be able to catch many attempts at data exfiltration with email monitoring. One of the primary reasons email monitoring is such an effective preventative measure is that it’s relatively easy for an IT administrator to see the sizes of the emails each user sends.
In a data exfiltration attack, at least several gigabytes of information typically get transferred outside your organization’s network. So if you set the email monitoring system to flag email activity that involves sending messages larger than 300 MB, you may be able to prevent exfiltration attacks.
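The size-based email check described above, as an added example that is not GSI’s tooling or part of the original post. It parses constructed mail-gateway log lines (timestamp, sender, recipient, message bytes) and flags a single message over the 300 MB threshold, and also flags a sender whose outbound volume over a rolling 24-hour window (an assumed window and an assumed 2 GB budget) exceeds a multi-gigabyte budget, which catches data split into many smaller messages that the single-message rule alone would miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
SINGLE_MESSAGE_LIMIT = 300 * MB       # threshold suggested in the text
WINDOW = timedelta(hours=24)          # assumption: rolling 24-hour window
WINDOW_BUDGET = 2 * 1024 * MB         # assumption: 2 GB per sender per window

# Constructed sample log lines: ISO timestamp, sender, recipient, message bytes.
# mallory sends one oversized message; carol sends eight 290,000,000-byte
# messages that each stay under the single-message limit but add up to 2.32 GB.
CONSTRUCTED_LOG = [
    "2021-02-10T09:00:00 alice@corp.example bob@corp.example 120000",
    "2021-02-10T09:05:00 mallory@corp.example drop@external.example 350000000",
] + [
    f"2021-02-10T{h:02d}:00:00 carol@corp.example partner@external.example 290000000"
    for h in range(10, 18)
]


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, size_in_bytes)."""
    ts, sender, recipient, size = line.split()
    return datetime.fromisoformat(ts), sender, recipient, int(size)


def find_alerts(lines):
    """Return [(rule, sender, bytes)] alerts; lines must be in time order."""
    alerts = []
    history = defaultdict(list)  # sender -> [(timestamp, bytes)] inside the window
    for line in lines:
        ts, sender, _recipient, size = parse_line(line)
        if size > SINGLE_MESSAGE_LIMIT:
            alerts.append(("single_message_over_limit", sender, size))
        # Age out entries older than the window, then add the current message.
        history[sender] = [(t, b) for t, b in history[sender] if ts - t < WINDOW]
        history[sender].append((ts, size))
        total = sum(b for _, b in history[sender])
        if total > WINDOW_BUDGET:
            alerts.append(("window_volume_over_budget", sender, total))
            history[sender].clear()  # one burst produces one alert, not one per message
    return alerts


if __name__ == "__main__":
    for rule, sender, nbytes in find_alerts(CONSTRUCTED_LOG):
        print(f"{rule}: {sender} ({nbytes / MB:.0f} MB)")
```

A real deployment would feed the gateway's own log format into parse_line and tune the window and budget to the organization's normal outbound volume.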
Cybersecurity by GSI can provide you with the data exfiltration prevention you need to keep your data out of attackers’ control. GSI cybersecurity services provide your organization with comprehensive protection against data extrusion and a range of other cyber threats. With GSI’s cybersecurity experts on your side, you can invest less time in worrying about data thieves and more time growing your business. Learn how by connecting with GSI today.