Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

The last line of defense against data exfiltration

By Shawn Taylor
cyber-protection-freepik1170x658v47.jpg

Image via Freepik

September 19, 2022

If a highly-sophisticated and motivated adversary wants into your network, then they will find a way. Proactive protection and a defense-in-depth approach to cybersecurity are imperative, but we must never forget the mantra, “assume compromise.”

Pragmatically, this ideal is most often put into practice through authentication, authorization and network segmentation. However, detecting data exfiltration is one of many anomalies that can be identified when looking through the lens of assumed compromise.

There are so many vectors for cyberattacks that it would be an exercise in futility to try to list them all. That is why it is so unbelievable when a cybersecurity solution claims to be the last line of defense. Cyberattacks will always focus on the weakest link. Once an initial compromise occurs, there are a variety of tactics, techniques and procedures (TTPs) that cyberattacks use to establish persistence, elevate privileges and move laterally across the network.

There are nearly as many motives for a cyberattack as there are modes of operating, but we’re seeing more and more of them culminate in some sort of data exfiltration — techniques that adversaries may use to steal data from your network. Even ransomware attacks are now stealing away data before encrypting systems on the networks.

Once an adversary collects the data they want, they often package it to avoid detection while removing it. This includes compression and encryption. The techniques for exfiltrating data out of a compromised network include transferring it through a command and control (C2) channel to a server they control out on the internet. Sophisticated attackers know to limit the size of their transmission, so they may break it into several smaller packages.

Data exfiltration also leverages backdoors to bypass authentication and encryption controls. Backdoors have built-in upload and download functionality similar to Remote Access Trojans (RATs). They often use ports such as 80 and 443 (for HTTP or HTTPS) to obfuscate their traffic, effectively bypassing the connection restriction every time they use HTTP to transmit data.

Network Monitoring Detects Data Exfiltration

A working knowledge of the techniques described above is required to identify data exfiltration. Here is one example of how a security operations center (SOC), incident response (IR) or threat hunting team could discover data exfiltration through the use of network monitoring.

As a prerequisite to the investigation, one must first establish a network baseline to ensure that the analysis understands the context of the operational environment. This baseline should include items like IP ranges, ports, protocols and services, traffic volume, remote access permissions and any specialized software.

Network monitoring can establish this baseline by gaining visibility into every connected device, device behaviors, connections and communications patterns. Recording this typical behavior becomes the baseline. Next, set rules and policies in place that will monitor for deviations from the baseline.

Once a baseline is established, a network traffic sensor should be deployed to monitor and capture live network telemetry. That telemetry should then be ingested by a monitoring solution or SIEM to look for anomalous behavior that deviates from the baseline.

For example, a review of outbound ports could reveal the use of a port (e.g., port 8888) that was not identified as being associated with a legitimate use during baselining. Upon detection of the anomalous traffic, a rule can be created to generate an alert that more quickly identifies this type of anomalous behavior. 

Introducing automated enforcement action, such as disconnecting the system performing the exfiltration, significantly reduces the risk posed by human error or unnecessary delays in taking action. In turn, the risks associated with data exfiltration can be minimized. The following steps provide an overview of how to introduce and properly leverage automation:

  • Establish baselines for normal network behavior via network monitoring.
  • Define when enforcement actions (i.e., alert, isolation, remediation) are triggered.
  • Implement network access control to isolate devices on demand.
  • Integrate with SOAR solutions to orchestrate actions based on a condition matching or an event.
  • Monitor for abnormal traffic deviations and automate mitigation actions to the greatest extent feasible.

Essentially, automation enables the creation of real-time if-then decision trees, which are logically executed to perform the requisite actions to mitigate these risks.

Automation shouldn’t be viewed as a panacea but as a critical component of the approach that achieves the larger objective — getting to the bottom of potential data exfiltration in a shorter period of time and freeing up a team’s ability to tackle the countless other assignments and areas that need evaluating to improve the enterprise’s security posture.

KEYWORDS: cyber security data protection information security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Shawn Taylor is Vice President of Threat Defense at Forescout.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • enterprise wide cybersecurity training

    The first line of defense: Why employees are the key to stronger cybersecurity

    See More
  • code-enews

    Don't Shift Left, Start Left: Why Developers Should Be the First Line of Defense

    See More
  • Understanding the Distinct and Dependent Roles of Data, Privacy and Cybersecurity Professionals

    Liberating network management: Your first line of cyber defense

    See More

Related Products

See More Products
  • 9780367030407.jpg

    National Security, Personal Privacy and the Law

  • Risk-Analysis.gif

    Risk Analysis and the Security Survey, 4th Edition

  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing