Breaching a network is only half the attacker’s job. The real payoff comes from getting data out without being detected. And the techniques available for silent data exfiltration have become disturbingly effective.
Most security monitoring focuses on preventing initial access and detecting lateral movement. Far fewer organisations have controls that would detect data leaving the network through legitimate-looking channels.
Blending in With Normal Traffic
The simplest exfiltration techniques are often the most effective because they use protocols and services your network already allows. Uploading data to a personal cloud storage account over HTTPS looks identical to normal browsing traffic. Sending files through authorised collaboration tools like Teams or Slack leaves the network through expected channels.
Attackers don’t need to build custom tunnels when your organisation already permits outbound connections to hundreds of cloud services that could serve as data drop points.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “Data exfiltration testing is something most organisations never request, but it’s one of the most revealing things we do. When we demonstrate that we can extract gigabytes of data through DNS tunnelling, HTTPS connections to cloud storage, or even ICMP without triggering a single alert, it fundamentally changes how clients think about their monitoring capabilities.”
Steganography and Encoded Channels
More sophisticated attackers hide data inside legitimate-looking files. Steganography embeds information within images, documents, or audio files in ways that are invisible to casual inspection. An attacker can exfiltrate sensitive documents as pixel data embedded in JPEG images posted to social media.
DNS exfiltration encodes data within DNS queries and responses. ICMP tunnelling hides data within ping packets. These channels bypass most data loss prevention tools because they operate at protocol layers that DLP solutions don’t inspect.
Testing Your Detection Capabilities
Both internal and external network penetration testing should include exfiltration testing, so that you learn whether your monitoring tools and your team can detect data leaving the network through each of these channels.
The findings from exfiltration testing are often eye-opening. Organisations that invested heavily in perimeter security discover that once an attacker is inside, there’s nothing stopping them from walking out with whatever they find.
Building Better Detection
Deploy data loss prevention at the endpoint and network level. Monitor DNS traffic for anomalies. Implement cloud access security brokers to control what cloud services employees can transfer data to. Alert on large file transfers and unusual data volumes leaving the network.
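One way to act on "monitor DNS traffic for anomalies" against the DNS encoding described under Steganography and Encoded Channels: an added Python example, not from the article or from Aardwolf Security, that scores a constructed DNS query log for the many distinct, long, high-entropy subdomain labels that data encoded into query names produces. The log format, domain names, client addresses and thresholds are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp client qname qtype); not from the article.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com A
2024-05-01T10:00:02 10.0.0.5 mail.example.com A
2024-05-01T10:00:03 10.0.0.7 4a6f686e20446f652c2053534e.x.tunnel-demo.test TXT
2024-05-01T10:00:04 10.0.0.7 3132332d34352d363738392c20.x.tunnel-demo.test TXT
2024-05-01T10:00:05 10.0.0.7 4163636f756e74203939383731.x.tunnel-demo.test TXT
2024-05-01T10:00:06 10.0.0.7 2c2042616c616e636520313230.x.tunnel-demo.test TXT
2024-05-01T10:00:07 10.0.0.7 30302e30300a4a616e6520526f.x.tunnel-demo.test TXT
2024-05-01T10:00:08 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload labels score well above real hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_qname(qname: str):
    """(registered_domain, subdomain); assumes the last two labels form the registered
    domain, where a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_candidates(log_text, min_queries=4, min_label_len=20, min_entropy=2.5):
    """Flag registered domains that receive many distinct, long, high-entropy subdomain
    labels, the signature of data encoded into query names. Thresholds are illustrative."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qname, qtype = line.split()
        domain, sub = split_qname(qname)
        per_domain[domain].append((client, sub, qtype))
    alerts = {}
    for domain, rows in per_domain.items():
        subs = {sub for _, sub, _ in rows}
        if len(subs) < min_queries:
            continue
        labels = [s.split(".")[0] for s in subs]  # leftmost label carries the payload
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            alerts[domain] = {"clients": sorted({c for c, _, _ in rows}),
                              "unique_subdomains": len(subs),
                              "mean_label_len": round(mean_len, 1),
                              "mean_entropy": round(mean_ent, 2)}
    return alerts
```

Run against a real resolver log, the same grouping by registered domain is what turns a few long queries into a per-domain volume and entropy picture; tune the thresholds against your own baseline before alerting on them.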
Perfect detection is impossible, but raising the difficulty and the risk of detection for an attacker changes the equation in your favour. The goal is to make exfiltration hard enough and risky enough that an attacker can’t operate freely, not to prevent every possible technique.