What is Insider Data Exfiltration?
Data exfiltration refers to the unauthorized copying, transfer, or retrieval of data from a company computer or server. It can be performed by a variety of actors: by outsiders through malware or phishing attacks that can lead to data breaches, by malicious insiders looking to inflict harm on an organization for their own or other entities’ gain, or by careless insiders who leak data by accident. Most often, data exfiltration is a deliberate attempt to appropriate sensitive and valuable data.
According to the 2020 Securonix Insider Threat report, which analyzed over 300 confirmed security incidents involving insiders, 60% of insider threats involved employees planning to leave the company. Individuals looking to move on tended to begin stealing data two to eight weeks before departing an organization.
The highest number of insider security incidents, accounting for 28.3%, involved pharmaceutical companies, followed closely by financial institutions with 27.7%. Intellectual property, which may be sought after by competitors and nation-state actors, was highlighted as being of particularly high value and vulnerable in these industries. 62% of malicious activity perpetrated by insiders involved the exfiltration of sensitive data, defined as confidential or business-critical data. Privilege misuse accounted for a further 19%, data aggregation for 9.5%, and infrastructure sabotage for 5.1%.
Types of Data Exfiltration
There are several ways in which data is exfiltrated on-site by malicious insiders. The most common method, accounting for 44% of the cases investigated by Securonix in their report, is outbound emails. Legitimate users attach files containing sensitive data to emails and send them to their personal email accounts. They can also copy-paste sensitive information directly into the body of emails or forward confidential internal communications to their own or competitors’ email addresses.
The second most popular data exfiltration method is uploading sensitive data to cloud storage websites. Information can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured services. Misconfiguration in particular is a common cause for data leakage when uploaded files are accidentally left exposed to the public. Malicious insiders may also intentionally misconfigure services to give access to unauthorized third parties or make files accessible to themselves from a personal device. Uploading sensitive information to personal cloud drives from company computers is also a frequently used data exfiltration technique.
Another common data exfiltration method is the use of unauthorized removable devices to copy confidential files. Insiders can download sensitive data from the corporate network and store it locally on their work device. Those files can then easily be copied onto USBs or other removable devices connected to the computer. This technique allows employees to steal data without requiring internet or network connection. In fact, by taking their devices offline, insiders can sometimes bypass security policies in place against this type of data theft.
Preventing Data Exfiltration
Sensitive data classification is essential for effective data exfiltration threat detection. While most organizations will flag categories of data such as personally identifiable information (PII) safeguarded under data protection legislation such as GDPR, HIPAA, or CCPA as sensitive, they often disregard other categories of data that could be deemed sensitive in the context of their industry.
It is therefore important that companies evaluate the data they produce and identify which categories are critical to their business operations and which need to be protected to safeguard their competitive advantage. Once these types of data are discovered, organizations can put security controls in place to protect them.
Data Loss Prevention (DLP) solutions, which allow sensitive data to be defined based on a company’s needs, can be used as part of cybersecurity strategies to ensure data security. DLP tools come with predefined profiles for common types of protected information such as PII and intellectual property but also allow for customizable policies to suit a particular organization’s requirements. Once sensitive data is defined, DLP solutions monitor and control its transfer and use.
By monitoring sensitive data and logging any attempts to violate policies, DLP tools allow security teams to spot suspicious user activity and identify employees acting with malicious intent. DLP technology is particularly useful against the two most popular data exfiltration techniques: it can block files containing sensitive information from being transferred to personal email addresses or cloud storage services and can even prevent confidential information from being copy-pasted into the body of an email.
When applied on the endpoint, DLP solutions such as Endpoint Protector can also ensure that their policies remain active on a work computer whether it is used in the office or remotely, and regardless of whether it is connected to the internet.
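As an added illustration (not code from this page or from any DLP product), the following Python sketch shows the pipeline the text describes: content is classified against sensitive-data profiles, a transfer over one of the channels above (email to a personal address, clipboard paste into a mail client, cloud upload, removable media) is allowed, alerted on or blocked using only local state, and blocked attempts are counted per user so analysts can spot suspicious activity. All profiles, domains, device ids and events are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Profiles, domains and events below are constructed for this example, not a product's.
PROFILES = {
    "pii_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # predefined-style PII
    "custom_ip": re.compile(r"\bCONFIDENTIAL\b|\bFORMULA-[A-Z0-9]+\b"),  # industry-specific marker
}
CORPORATE_DOMAIN = "corp.example"
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
CLOUD_STORAGE = {"drive.google.com", "dropbox.com", "onedrive.live.com"}

@dataclass
class Event:
    user: str
    channel: str       # "email", "clipboard", "upload" or "usb"
    destination: str   # recipient domain, target app, upload host or device id
    content: str       # text of the attachment, clipboard or file being moved

def classify(text):
    """Return the names of the sensitive-data profiles the text matches."""
    return sorted(name for name, rx in PROFILES.items() if rx.search(text))

def evaluate(ev):
    """Decide 'allow', 'alert' or 'block' for one transfer using only local state,
    so the same policy applies whether or not the endpoint is on the network."""
    hits = classify(ev.content)
    dest = ev.destination.lower()
    if not hits or (ev.channel == "email" and dest == CORPORATE_DOMAIN):
        return "allow", hits  # nothing sensitive, or routine internal mail
    blocked = (
        (ev.channel == "email" and dest in PERSONAL_MAIL)         # attachment to a personal mailbox
        or (ev.channel == "clipboard" and dest == "mail-client")  # paste into an email body
        or (ev.channel == "upload" and dest in CLOUD_STORAGE)     # upload to a personal cloud drive
        or ev.channel == "usb"                                    # copy to removable media
    )
    return ("block" if blocked else "alert"), hits  # alerts are logged for analyst review

def suspicious_users(events, threshold=2):
    """Users whose blocked attempts reach the threshold, for analyst follow-up."""
    blocked = Counter(ev.user for ev in events if evaluate(ev)[0] == "block")
    return sorted(u for u, n in blocked.items() if n >= threshold)

SAMPLE_EVENTS = [
    Event("alice", "email", "corp.example", "Q3 payroll, SSN 123-45-6789"),
    Event("bob", "email", "gmail.com", "FORMULA-77X batch notes"),
    Event("bob", "usb", "USB-VID_0781", "CONFIDENTIAL supplier list"),
    Event("carol", "upload", "dropbox.com", "Friday lunch menu"),
]
```

Running `evaluate` over `SAMPLE_EVENTS` allows alice's internal mail and carol's harmless upload, blocks both of bob's transfers, and `suspicious_users` then surfaces bob for review.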
Insider data exfiltration is a real threat to company data security and organizations wishing to protect their most valuable data must look for ways to mitigate it. While this can prove a daunting task because it involves insiders with privileged access to confidential information, tools such as DLP solutions can help companies avoid data theft through exfiltration.