Published On: May 9th, 2023 | 13 min read | Categories: Ransomware

The Importance of Anti Data Exfiltration Tools for Protecting Your Business

The last few years have seen ransomware become one of the biggest cybersecurity challenges any business faces. However, the profile of these attacks has changed significantly since they first hit the headlines and if you still associate ransomware only with encrypting data, you could well be missing the most dangerous threats.

In many cases, the biggest issues aren’t caused by hackers encrypting data or systems to make them inaccessible. If firms have prepared properly for this eventuality and have comprehensive backups, this can often be a relatively minor inconvenience, with disruption limited to the time taken to restore data and clear any malicious software from the system.

Instead, the major challenge comes from ransomware that has a second element – data exfiltration. The vast majority of attacks now seek to steal data as well as encrypt it, and once data is in their possession, they can sell it on to the highest bidder or demand money not to publish.

For many companies, this can be a much harder situation to deal with than a traditional ransomware attack. As such, prevention is much better than cure, and to do this firms need anti data exfiltration, or ADX, technology.

The Risks Businesses Face From Data Exfiltration

Data exfiltration is now the primary moneymaker for many ransomware groups. In fact, our research revealed that in 2022, almost nine out of ten ransomware attacks (89 percent) exfiltrated data from the victim. This was an increase of nine percent year-on-year. Once cybercriminals have sensitive data in their hands, they can use this in a number of ways to cause further harm to a business or make money.

What is Data Exfiltration and What Problems Can it Cause?

Data exfiltration refers to any unauthorized attempt to remove company-owned data from a business. This could be anything from proprietary information or financial details to confidential employee or customer data. All that matters is that it will have value to someone, somewhere.

It’s also important to differentiate intentional data exfiltration from accidental data leakage. While both can cause problems, deliberate theft of sensitive data can have much more serious implications. It can be used as collateral to extort money directly from businesses, expose trade secrets or future plans to competitors, or result in your customers suffering from fraud.

In the case of deliberate data exfiltration – either by hackers or from people within the business – those responsible will usually know exactly what information to target in order to do the most harm or have the best chance of making money. This means they will be able to strategize accordingly in order to gain access to and then exfiltrate the most relevant and valuable information.

What is the Difference Between Data Loss and Data Exfiltration?

Data breaches that compromise sensitive information are always serious, but not every data loss event is equal. Sometimes, the loss of data may be accidental – such as if a laptop is left on a train for instance. Businesses should have mitigation steps in place for such cases, such as ensuring all data is encrypted and that all portable devices have tools to wipe data remotely in order to ensure the risk of serious damage is low.

A deliberate, unauthorized data exfiltration, on the other hand, always has a purpose. The perpetrator may want to blackmail a business by holding the data to ransom, plan to sell it on directly to a competitor, or simply damage the firm’s reputation by releasing it publicly.

Either way, this type of data breach is planned and usually the first step in targeting a business. Firms must therefore do everything possible to prevent it from happening, as once data has been exfiltrated from a business, it’s too late.

Is Ransomware the Most Common Way to Exfiltrate Data?

A ransomware attack that also exfiltrates data is known as a double extortion attack, because it gives hackers two opportunities to demand money from the victim. They can still permanently corrupt or delete data unless paid, but they can also use the threat of public disclosure as an extra motivating factor to convince victims to pay up.

According to Verizon, ransomware was a factor in around one in four data breaches last year. And as BlackFog’s research shows, the majority of these are likely to have included data exfiltration as a motivator. Therefore, it’s a threat every firm needs to take seriously.

How Does Data Exfiltration Occur?

The ‘why’ of data exfiltration is clear. It gives hackers powerful leverage over businesses and increases the chances of receiving a payout from their victims. While businesses can choose not to pay – and this is highly recommended by law enforcement agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) – by the time a demand is received, the damage is already done.

Therefore, businesses must be able to stop data exfiltration before it occurs. And to do this, it’s important to understand how these incidents occur.

Why is Understanding Data Exfiltration Important?

Failing to recognize and plan for a data exfiltration attack can be very costly, regardless of whether or not businesses end up paying a ransom. Even if hackers keep their word (which is far from guaranteed) businesses will still be required to report any stolen data to the relevant regulators, leading to the potential for large fines and reputational damage.

This is especially the case if sensitive customer personal data was compromised in the breach. Under the EU’s GDPR, for instance, firms can be fined up to €20 million or four percent of global turnover. For large firms, this can quickly become a huge figure. This is before costs such as data recovery and forensics, system hardening, lost business and reputational harm are taken into account.

How do Hackers Exfiltrate Data?

While there are many methods a threat actor can use to exfiltrate data, among the most dangerous are techniques such as fileless malware. This can be particularly hard to stop as it aims to bypass traditional signature-based detection methods. Also known as ‘zero-footprint’ attacks, these leave very little trace, which means even post-incident investigations can fail to identify exactly how a firm was breached.

The most common form of this attack is to exploit vulnerabilities in PowerShell. Indeed, BlackFog’s research found that last year, 87 percent of ransomware attacks used this method, an increase of seven percent from the previous year.

What is Insider Data Exfiltration?

There are two types of insider threat that can result in data exfiltration – accidental and intentional. Accidental data exposures are often the result of careless or negligent behavior by employees, such as losing devices or falling victim to phishing attacks like business email compromise or social engineering. Effective employee training and traffic monitoring are usually the best ways of dealing with these issues.

Intentional insider threats are far harder to stop, as the perpetrators will usually be taking active steps to cover their tracks. There can be a range of motivations for this. They may feel disgruntled at a perceived slight and want revenge, they could have been bribed or blackmailed by third parties, or they could be looking for financial gain themselves.

However, no matter what their reasons are, these individuals can do a lot of damage. They will typically know exactly which data is most valuable and what security measures are in place to protect it.

A malicious insider may even have legitimate access to the data, which can make it even harder to spot if they are trying to remove it from the business. As such, an insider risk management strategy that can cover both technical and behavioral aspects is vital.

Can EDR Detect Data Exfiltration?

Among the most common tools businesses turn to for help with preventing data exfiltration are endpoint detection and response (EDR) solutions. These are designed to identify threats on businesses’ endpoints, such as servers, laptops and mobile devices – all of which may be used by cybercriminals as avenues to exfiltrate data.

However, there are several problems with these tools when it comes to data loss prevention. Firstly, they are often designed to primarily look outwards to guard against incoming threats, leaving them blind to data leaving the network.

They are also reactive solutions, relying on methods such as signature detection to identify threats and cybersecurity personnel to respond to these events. This not only involves human intervention, but leaves them unable to spot the most dangerous risks, such as zero-day threats and fileless malware.

Indeed, tests have shown few EDR tools can successfully detect every threat. Therefore, if firms are serious about protecting their operations from the latest generation of ransomware threats, dedicated anti data exfiltration tools are a must.

How Anti Data Exfiltration Technology Protects Businesses

Being able to constantly monitor outgoing data traffic for any unusual activity that may be a sign of data exfiltration is essential. Ransomware threats don’t act in the same way legitimate users do – they scan for ports, connect and exchange keys with foreign servers, and move laterally through networks in ways that genuine users don’t. This means that, with the right tools, you can detect them.

How Can You Detect Data Exfiltration?

A good threat intelligence and ADX solution will be able to constantly monitor data traffic and other activity within your network in order to identify and flag suspicious activity, and then automatically block the traffic without the need for human intervention. Some common elements they will look out for include:

  • Outbound connections to unknown destinations – especially those overseas
  • Increased volume of traffic to unusual IP addresses
  • Mass downloading of files from databases
  • Activity at unusual times of the day or week
  • Repeated requests to access sensitive data
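The indicators listed above can be turned into simple detection heuristics. The following is an added example, not BlackFog’s product code or anything from the original article: it scores constructed outbound-flow records and data-store access-log records against each of the five indicators (unknown or overseas destinations, high volume to an unusual address, mass downloads, off-hours activity, repeated sensitive-data requests). The sample records, the allowlist of known destinations, the toy country map and every threshold are assumptions chosen for illustration and would need tuning to a real environment.

```python
"""Score constructed outbound flows and access logs against data-exfiltration indicators.

Added example; not BlackFog's product. All records, thresholds, the known-destination
allowlist and the country map below are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: destinations the business normally talks to, and a toy
# geolocation map (assumed values using documentation IP ranges, not real ownership data).
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.7"}
HOME_COUNTRY = "US"
GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "RU", "192.0.2.99": "NL"}

# Constructed thresholds (assumed; tune per environment).
VOLUME_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB to one unusual destination
MASS_DOWNLOAD_THRESHOLD = 200                 # files pulled from a data store by one user
SENSITIVE_ACCESS_THRESHOLD = 20               # repeated requests for sensitive records
BUSINESS_HOURS = range(8, 19)                 # 08:00-18:59 local
BUSINESS_DAYS = range(0, 5)                   # Monday-Friday

# Constructed outbound flow records: (timestamp, host, destination IP, bytes sent).
FLOWS = [
    ("2023-05-08T10:15:00", "ws-12", "203.0.113.10", 2_000_000),
    ("2023-05-08T23:40:00", "ws-12", "192.0.2.44", 800_000_000),
    ("2023-05-09T11:05:00", "ws-07", "198.51.100.7", 50_000),
    ("2023-05-09T11:10:00", "ws-07", "192.0.2.99", 1_200_000),
]
# Constructed data-store access records: (timestamp, user, action, record is sensitive).
ACCESS = [("2023-05-08T23:41:00", "jdoe", "download", True)] * 250 + \
         [("2023-05-09T11:12:00", "asmith", "download", True)] * 3


def off_hours(ts):
    """True when the ISO timestamp falls outside the assumed business hours/days."""
    dt = datetime.fromisoformat(ts)
    return dt.hour not in BUSINESS_HOURS or dt.weekday() not in BUSINESS_DAYS


def score_flows(flows):
    """Return {host: [indicator, ...]} for the network-side indicators."""
    findings = defaultdict(list)
    volume = defaultdict(int)  # (host, destination) -> bytes sent to an unusual destination
    for ts, host, dest, nbytes in flows:
        if dest not in KNOWN_DESTINATIONS:
            tag = "unknown destination"
            if GEO.get(dest, "??") != HOME_COUNTRY:
                tag += " (overseas)"
            findings[host].append(f"{tag}: {dest}")
            volume[(host, dest)] += nbytes
        if off_hours(ts):
            findings[host].append(f"off-hours activity at {ts}")
    for (host, dest), nbytes in volume.items():
        if nbytes >= VOLUME_THRESHOLD_BYTES:
            findings[host].append(f"high volume to unusual destination {dest}: {nbytes} bytes")
    return dict(findings)


def score_access(records):
    """Return {user: [indicator, ...]} for the data-store indicators."""
    findings = defaultdict(list)
    downloads = defaultdict(int)
    sensitive = defaultdict(int)
    for _ts, user, action, is_sensitive in records:
        if action == "download":
            downloads[user] += 1
        if is_sensitive:
            sensitive[user] += 1
    for user, n in downloads.items():
        if n >= MASS_DOWNLOAD_THRESHOLD:
            findings[user].append(f"mass download: {n} files")
    for user, n in sensitive.items():
        if n >= SENSITIVE_ACCESS_THRESHOLD:
            findings[user].append(f"repeated sensitive-data requests: {n}")
    return dict(findings)


if __name__ == "__main__":
    for host, hits in score_flows(FLOWS).items():
        print(host, hits)
    for user, hits in score_access(ACCESS).items():
        print(user, hits)
```

On the constructed input, host ws-12 trips three indicators at once (an overseas destination outside the allowlist, off-hours timing and a large transfer volume) while its matching user jdoe trips the mass-download and sensitive-access checks; ws-07 only trips the unknown-destination check, which on its own is the kind of low-confidence signal that would be correlated rather than blocked. An ADX product would act on such a correlation in real time at the endpoint; this example only reports it.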

If you don’t have the right tools to spot this behavior, an attacker could be exfiltrating data undetected for months, greatly increasing the seriousness of an incident. Indeed, IBM notes that in 2022, firms that did not have advanced tools such as artificial intelligence and automation took an average of 323 days to detect and contain a breach.

What Controls Help Defend Against Data Exfiltration?

In addition to monitoring tools, other essential elements of an anti data exfiltration strategy include strong access control solutions, with the use of multifactor authentication a vital step in reducing the risk of hackers gaining unauthorized access to applications or databases.

Strong encryption is also a critical requirement in order to reduce the risk of data being misused, even if a hacker is able to successfully exfiltrate it, while comprehensive user education must be another key pillar of any good anti data exfiltration strategy.

However, these tools alone can’t offer complete protection. In order to support internal tools and act as a last line of defense against data theft, dedicated software solutions that can be added to your endpoints and block data exfiltration at the point of exit are needed.

How do ADX Solutions Prevent Data Exfiltration at the Endpoint?

ADX software is a lightweight endpoint solution that monitors activity in real time, without the need to decrypt sensitive data or send it back to a centralized cloud server for analysis. This not only ensures that the technology can react more quickly, but also improves overall data security.

Without this, businesses will be particularly exposed to the risks posed by double extortion ransomware and all the various legal, financial and reputational damage that can come with it if confidential data is stolen.

Because these solutions do not require large amounts of resources or processing power to run, they can also be installed on any endpoint, including mobile devices. This makes them particularly useful for businesses that have adopted practices such as hybrid and remote working, which can otherwise be exploited by hackers as weak points in a business’s perimeter.

Learn more about how BlackFog protects enterprises from the threats posed by data exfiltration.
