Data exfiltration is one of the most challenging and complicated investigations a security team faces. There are many techniques for detecting an intruder before exfiltration takes place, but it is extremely difficult to identify an insider who is exfiltrating the organization's sensitive data for malicious purposes. Such a case puts the organization's confidentiality, integrity, and reputation at risk.
In a case this critical, it is necessary to identify the privileges of the adversary and respond at an early stage to reduce the risk at stake. If the adversary is an insider, the situation becomes even more severe, because the insider could be anyone in the organization's hierarchy, with anything from the least to the most access to its resources and trust relationships.
The Data Exfiltration case has the following activities at each step of the Cyber Kill Chain:
Data exfiltration attempts are detected via alerts from the Data Loss Prevention (DLP) control. In addition, the behavior of outbound email and network traffic, such as C2 connections, protocol abuse, abnormal data transfers, and cloud storage upload attempts, is monitored for possible detections.
Data transfer volumes should also be monitored against size limits over a defined time interval. Analysts should also watch for the use of unauthorized applications such as "WeTransfer", as well as for internal staging activity (WMI calls, Windows BITS jobs).
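As an added illustration (not part of the original article or of SIRP's playbook), the two detection rules above, a per-user outbound volume limit over a sliding time window and a block-list of unsanctioned transfer services, run over a few constructed proxy log lines; the log format, the host list and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (hypothetical format: timestamp user dest_host bytes_out).
SAMPLE_LOGS = """\
2024-05-01T09:00:00 alice fileshare.corp.example 120000
2024-05-01T09:05:00 bob drive.cloudstorage.example 30000000
2024-05-01T09:07:00 bob drive.cloudstorage.example 45000000
2024-05-01T09:09:00 bob drive.cloudstorage.example 40000000
2024-05-01T09:10:00 carol wetransfer.com 2000000
2024-05-01T13:00:00 alice fileshare.corp.example 60000000
"""

UNAUTHORIZED_HOSTS = {"wetransfer.com"}   # assumed list of unsanctioned transfer services
VOLUME_LIMIT = 100_000_000                 # assumed limit: bytes out per user per window
WINDOW = timedelta(minutes=10)             # assumed size of the sliding time window


def parse(line):
    """Split one log line into (timestamp, user, host, bytes_out)."""
    ts, user, host, nbytes = line.split()
    return datetime.fromisoformat(ts), user, host, int(nbytes)


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = parse(line)
        if host in UNAUTHORIZED_HOSTS:               # rule 1: unauthorized application
            alerts.append(("unauthorized_app", user, host))
        per_user[user].append((ts, nbytes))
    for user, events in per_user.items():           # rule 2: volume over sliding window
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > WINDOW:   # drop events older than the window
                total -= events[start][1]
                start += 1
            if total > VOLUME_LIMIT:
                alerts.append(("volume_limit", user, total))
                break                                # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Alice's two transfers fall outside a single window and produce no alert, which is the difference between a per-interval limit and a plain daily total.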
DLP, EDR, and Active Directory alerts help enrich the artifacts of the incident: the information at risk, process details, and user data can be fetched from these controls, respectively.
Secondly, IoC enrichment should be performed for reputation checking, using multiple OSINT and threat intelligence sources. SIEM logs can also be cross-checked for additional correlation if the IoCs were seen previously.
Considering the criticality of the stolen data and the privilege sensitivity of the compromised or involved user, decide the severity of the incident and the counteractions according to the organization's hierarchy. If the insider is found suspicious, the input of the line manager may also be required before certain containment actions are taken.
There are multiple remediation actions to choose from, depending on the vector of data exfiltration. One possible action is blocking unauthorized communication channels and IoCs at the perimeter. Depending on the mode of exfiltration, a group policy may be applied to revoke user access and to disable USB and Bluetooth. In addition, whitelisting and blacklisting of applications on the edge firewall and endpoints can also be considered. It is also advisable to enable data encryption both at rest and in transit, and to make sure backup processes are in place. Furthermore, educating employees on data security best practices is always recommended to ensure data protection.
SOAR platforms can automate many of the tasks involved in remediating a data exfiltration incident, helping organizations deal with data exfiltration efficiently and within an effective time frame. SIRP playbooks automate the incident response steps and counter the incident in a timely manner, reducing the possible impact and risk.
Now, let’s have a look at the SIRP automation playbook workflow for the Exfiltration case.
SIRP supports different solutions for the collection of alerts and offenses. Some of the popular solutions are listed below:
SIRP supports different solutions for the collection of artifacts.
SIRP supports the following Threat Intelligence portal and OSINT platforms:
SIRP supports many remediation actions. Depending on the controls placed in the environment, you can set up automated responses. Following are some response actions:
SIRP integrates with 100+ popular security tools out of the box, allowing 450+ actions to be completed or automated directly from the platform. SIRP also enables cross-platform integration, so complex, multi-tool processes can be completed in seconds with a single click.
New integrations are available within 72 hours at no additional charge. A complete list of available integrations can be found here: https://www.sirp.io/integrations/