Is Data Theft the Exception or the Rule?



A recent study of malicious activity finds data exfiltration is less common than you think – but still a big problem.

Hackers compromise your network, set up shop and then steal all your data, right? That’s the narrative we all have in our heads, and it seems to be borne out by the headlines. After all, the news these days is all about the Office of Personnel Management – the U.S. Government’s main human resources agency, from which hackers made off with sensitive personnel files on an estimated 18 million federal employees.

But a recent study by the firm Vectra networks suggests that data theft is one of the least common malicious activities observed following a network compromise. The question: is that really true, or are we just looking in the wrong places?

The second annual Vectra Post-Intrusion Report presents the findings of an analysis of 40 compromised networks and 46,000 incidents spread across almost 250,000 hosts. The report found that incidents of data exfiltration were rare – just 3% of threat detections across all industries were characterized as “data exfiltration.” Looked at another way: just half of 1% of infected hosts across all industry verticals exhibited data exfiltration behavior. By comparison, command and control behavior and lateral movement within compromised networks were observed in about 6% of hosts on compromised networks, Vectra reported.

True: in certain industries, the likelihood of data exfiltration being a part of an incident was much higher. 34% of attacks on healthcare organizations and 25% of all attacks on technology firms included data exfiltration as a component of the attack, according to the report. Around 2% of hosts in compromised energy firms exhibited data exfiltration behavior, according to the report.

But incidents of data exfiltration were lower across the board than other categories of malicious activity on compromised networks, such as “lateral movement” between systems. Why?

Seen in a certain light this makes sense: many – even most – malicious cyber incidents aren’t targeted attacks executed with a specific set of data in mind. Many are merely byproducts of cyber criminal campaigns such as spam e-mail or denial of service attacks. Corporate endpoints may end up as part of botnets that are being used for such activities, but that doesn’t mean that the corporation in question or its data is of interest to the malicious actors. That helps explain why botnet command and control activity far outstrips data exfiltration in Vectra’s data.

And measuring the impact of a malicious activity by how many hosts exhibit that behavior is misleading. True: data theft is less frequently detected on compromised networks than other behaviors. But data exfiltration is also a far more costly and worrying activity, suggesting malicious actors have canvassed the target network, identified sensitive (saleable) information and taken steps to ferret it out of the organization. The fact that all those things have happened without IT becoming aware of the behavior doesn’t auger well for the organization in question.

The other possibility, of course, is that data exfiltration is more common than the data suggests, but is being missed by detection tools. The Post-Intrusion Report notes that attackers are hiding stolen data in common network traffic such as HTTP, Secure HTTP (HTTPS) and DNS, not to mention encrypted communications tools like TOR.

But it is also possible that attackers are using as-yet undiscovered avenues to remove data, whether those are so-called “shadow IT” deployments like DropBox or by way of as-yet undetected malware.

There’s at least anecdotal evidence for this. A recent data dump on cyber criminal networks believed to be linked to the Office of Personnel Management, for example, was discovered to be from Unicor, a U.S. Government-owned corporation that manages the use of penal labor for the Federal Bureau of Prisons. The incident in question actually occurred in 2013, when Unicor discovered “unauthorized access to its public Web site.” No public notice of that was made at the time, and it is unclear whether Unicor knew that its data had been stolen.

I note also this report on the Stegoloader Trojan, which uses techniques such as steganography to disguise command and control traffic. Is data exfiltration a rarefied behavior? Certainly. Are organizations missing exfiltration activity? Absolutely.

Paul F. Roberts is the Editor in Chief of The Security Ledger.

Paul Roberts

Please post your comments here

Data Protection Vendor Evaluation Toolkit

The toolkit contains an RFI-RFP criteria template and a corresponding vendor evaluation scorecard.

Download Now

Related Articles
How Dirty are Your Data Security Habits? Take our Interactive Quiz to Find Out

Just in time for the holiday shopping frenzy and corresponding spike in cybercrime, we have released our latest interactive challenge to assess your data security hygiene.

The Digital Guardian Blog's Top 10 Articles of 2015

Happy 2016, readers! 2015 was a big year for the Digital Guardian blog, with over 250 articles published and nearly 200,000 readers. Here’s a look back at the top 10 articles published on this blog last year.

5 Tips for Protecting Sensitive Data at the Law Firm

Recent highly publicized cyber attacks at large law firms such as Mossack Fonseca, Cravath, and Weil Gotschal have made apparent the widespread shortcomings in security safeguards in the legal industry. Here are 5 tips on how law firms can address these concerns and protect sensitive data.