Data Exfiltration – Do You Know Where Your Stolen Data is Going?

No business wants to fall victim to a data breach, but cybercriminals gaining unauthorized access to networks and successfully exfiltrating data is a threat every business needs to prepare for.

While the best form of defense is to prevent hackers from breaching your perimeter in the first place, this isn’t always possible. New zero-day vulnerabilities that criminals can take advantage of are being discovered all the time, and even if firms do have robust perimeter defenses such as firewalls in place, human error or careless employee behavior can often enable hackers to bypass these.

Once inside, the primary goal is often to exfiltrate valuable data. This can cause businesses a wide range of problems, from the loss of valuable trade secrets to customers’ and employees’ personally identifiable information ending up in the hands of fraudsters.

Where Does Stolen Data Typically End Up?

Cybercrime is now a global business, and this is illustrated clearly when we trace unauthorized exfiltrated data to its destination. For instance, BlackFog’s research indicates that a fifth of exfiltrated data ends up in Russia. The last few years have also seen a notable increase in the amount of data going to Chinese servers.

Some of the most high-profile cyberattacks and data exfiltration efforts involve geopolitical factors. The Colonial Pipeline attack is thought to have originated in Russia, for example, while many of 2021’s other big malware attacks have been traced to Iran.

Whether directly state-sponsored or not, these types of cybercriminal gangs often aim to disrupt operations and cause chaos, as well as make money. For instance, one of the most high-profile foreign hacking attacks was targeted at Sony Pictures back in 2014 by hackers believed to be in North Korea – supposedly in retaliation for a comedy film about the country’s leader. 

In this case, careful leaking of embarrassing documents such as internal emails caused severe reputational damage and led to the resignation of the company’s chair. This highlights how it may not always be the information you might think – such as intellectual property or trade secrets – that can prove the most harmful.

How Do Criminals Use Stolen Data to Make Money?

The vast majority of stolen data is used for financial gain, and more often than not it ends up for sale on the dark web. Historically, this has been especially true for data that would be of use to fraudsters and identity thieves, such as credit card details and Social Security numbers.

However, as the sheer volume of stolen data available online grows, this has become less lucrative than in the past. Data may therefore also be used as blackmail material, where the threat of being released is enough to persuade a firm to pay a ransom demand.

Other data can end up directly in the hands of competitors. In fact, serving the needs of unscrupulous rivals has become something of an industry in itself. For example, there is now a dark web marketplace called Industrial Spy where hackers specifically market their stolen data to other businesses. 

Costs for this can range from millions of dollars for ‘premium’ multi-gigabyte packages that would give a firm a clear advantage, to as little as $2 for individual low-tier files such as certifications or audit findings, which may still prove useful for activities like corporate espionage.

Taking Steps to Cut the Risk of Data Breaches

Once stolen data is in the wild, the damage is done and it’s too late to put the cork back in the bottle. Therefore, the best way to counter this threat is to put technologies in place that can prevent data from leaving the business without authorization.

There are often a few telltale signs that criminal actors from overseas are looking to steal data. For instance, monitoring the IP addresses that devices within your network are connecting to can raise red flags. This could be done by comparing these destinations to known malware command and control centers. Anti data exfiltration (ADX) software is able to do this for you automatically, with no human intervention needed to block the transfer of data. 

Anti data exfiltration technology also provides geo-blocking features that deny the transfer of data to certain countries. Few businesses will have legitimate reasons to be sending data to servers in Russia or North Korea, for example, so this can be implemented without running the risk of disrupting genuine activity.

Being able to identify anomalies in your traffic, whether this is suspicious data transfer volumes, odd destinations or activities outside normal working hours, is a crucial part of any cybersecurity strategy. With the right anti data exfiltration tools, you can secure your data and easily keep an eye on every part of your network to ensure you’re not falling victim to cybercriminals.
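
The checks described in this section (known command and control destinations, geo-blocking, transfer volume, odd destinations and out-of-hours activity) can be combined into a single egress decision, shown here as an added example that is not BlackFog's code or part of the original article. The flow-log format, host names, baselines, blocklist entry and address-to-country table are all constructed assumptions, using documentation-range IP addresses.

```python
import ipaddress
from datetime import datetime

# All values below are constructed for illustration (RFC 5737 documentation ranges).
C2_BLOCKLIST = {ipaddress.ip_address("203.0.113.50")}   # stand-in for a threat-intel feed
GEO_TABLE = {ipaddress.ip_network(n): cc for n, cc in   # stand-in for a GeoIP database
             [("198.51.100.0/24", "RU"), ("192.0.2.0/24", "US"), ("203.0.113.0/24", "NL")]}
DENIED_COUNTRIES = {"RU", "KP"}
# Typical outbound bytes per flow; a host with no baseline is flagged on any transfer.
BASELINE_BYTES = {"ws-017": 50_000, "db-002": 200_000}
VOLUME_FACTOR = 10                                      # flag flows over 10x baseline
WORK_HOURS = range(8, 19)                               # 08:00-18:59, Monday to Friday

# Constructed flow log: timestamp, source host, destination IP, bytes sent
FLOWS = """\
2024-03-04T10:15:00 ws-017 192.0.2.10 48213
2024-03-04T14:30:00 ws-017 203.0.113.50 1200
2024-03-05T02:40:00 db-002 198.51.100.7 3500000000
2024-03-09T23:10:00 ws-017 192.0.2.44 900000
"""

def evaluate(line):
    """Return the list of reasons a flow record looks suspicious."""
    ts, host, dst, sent = line.split()
    when, ip, reasons = datetime.fromisoformat(ts), ipaddress.ip_address(dst), []
    if ip in C2_BLOCKLIST:
        reasons.append("c2-blocklist")
    cc = next((c for net, c in GEO_TABLE.items() if ip in net), None)
    if cc in DENIED_COUNTRIES:
        reasons.append(f"geo-deny:{cc}")
    elif cc is None:
        reasons.append("unknown-destination")
    if int(sent) > VOLUME_FACTOR * BASELINE_BYTES.get(host, 0):
        reasons.append("volume")
    if when.weekday() >= 5 or when.hour not in WORK_HOURS:
        reasons.append("off-hours")
    return reasons

def decide(reasons):
    """Block on hard indicators, alert on anomalies, otherwise allow."""
    if any(r == "c2-blocklist" or r.startswith("geo-deny") for r in reasons):
        return "block"
    return "alert" if reasons else "allow"

def analyse(log):
    return [(decide(r), r) for r in map(evaluate, log.splitlines())]

if __name__ == "__main__":
    for line, (verdict, why) in zip(FLOWS.splitlines(), analyse(FLOWS)):
        print(f"{verdict:5} {line}  {why}")
```

Blocklist and geo-deny hits are treated as grounds to block outright, while volume and timing anomalies only raise an alert, since they also occur in legitimate activity such as backups.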

Find out more about the risks your firm faces from data exfiltration and how to prevent it.