What is Data Exfiltration?

What is data exfiltration?

Data exfiltration is a type of security breach that occurs when a company’s or individual’s data is retrieved, transferred, or copied from a server or computer without authorisation. Cybercriminals are usually responsible for data exfiltration, stealing data from corporate or personal devices, such as mobile phones or computers, using various data exfiltration attack methods.

Data exfiltration is also referred to as data extrusion or exportation, data theft or data leakage, and it poses serious issues for organisations worldwide. Failing to control information security in any business, big or small, can lead to data loss that causes financial and reputational damage to an organisation, adding to the already immense costs of a data breach.

Let’s take a closer look at data exfiltration and how you can prevent it.  

5 types of data exfiltration 

The exfiltration of data can occur in a number of ways and through various attack methods. It typically takes place over a corporate network or over the internet. The techniques cybercriminals use to exfiltrate data from systems or networks are becoming increasingly sophisticated, which helps them avoid detection. These include anonymising connections to servers; Hypertext Transfer Protocol (HTTP), Domain Name System (DNS) and Hypertext Transfer Protocol Secure (HTTPS) tunnelling; fileless attacks; direct Internet Protocol (IP) addresses; and remote code execution.

What is DNS data exfiltration?

DNS data exfiltration can be used to exchange data between two computers that have no direct connection. The data is exchanged over the DNS protocol through intermediate DNS servers.
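The indicators a defender can look for in DNS logs, as an added example that is not part of the original article: a constructed query log is scanned for domains that receive many distinct, long, high-entropy subdomain labels, which is what data carried out inside DNS queries looks like. The domain exfil-demo.test, the client addresses and the thresholds are all constructed or assumed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one "HH:MM:SS client qname" per line (not real traffic).
# The exfil-demo.test queries carry hex-encoded data chunks in their subdomain labels.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 4a6f686e2053.6d697468.exfil-demo.test
10:00:04 10.0.0.7 2c2031323334.3536373839.exfil-demo.test
10:00:05 10.0.0.7 302c2053616c.617279.exfil-demo.test
10:00:06 10.0.0.7 3d2034353030.2c204a616e.exfil-demo.test
10:00:07 10.0.0.9 cdn.example.com
"""

def shannon_entropy(text):
    """Bits of entropy per character: encoded payloads score high, ordinary hostnames low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def analyse_dns_log(log_text, min_unique=3, min_len=16, min_entropy=2.5):
    """Return {domain: stats} for domains whose subdomain labels look like an exfil channel."""
    per_domain = defaultdict(lambda: {"queries": 0, "clients": set(), "prefixes": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _ts, client, qname = parts
        # Assumption: the last two labels form the registered domain (no public-suffix list used).
        domain = ".".join(qname.rstrip(".").split(".")[-2:])
        prefix = qname[: -len(domain) - 1].replace(".", "")  # subdomain labels, dots removed
        stats = per_domain[domain]
        stats["queries"] += 1
        stats["clients"].add(client)
        if prefix:
            stats["prefixes"].append(prefix)
    findings = {}
    for domain, stats in per_domain.items():
        prefixes = stats["prefixes"]
        if len(set(prefixes)) < min_unique:  # few distinct subdomains: ordinary use
            continue
        mean_len = sum(map(len, prefixes)) / len(prefixes)
        mean_ent = sum(map(shannon_entropy, prefixes)) / len(prefixes)
        if mean_len >= min_len and mean_ent >= min_entropy:
            findings[domain] = {"queries": stats["queries"], "clients": sorted(stats["clients"]),
                                "mean_label_len": mean_len, "mean_entropy": round(mean_ent, 2)}
    return findings
```

Tune the thresholds against your own baseline; CDNs and some security products also generate long, machine-looking labels, so a hit is a lead for analysis rather than proof of exfiltration.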

The most common data exfiltration techniques include the following: 

Phishing attacks 

Phishing attacks and social engineering attacks are a common network attack vector used to trick people into downloading malware and/or revealing their account credentials. Phishing attacks are designed to imitate legitimate emails and often appear to have been sent from trusted senders. The emails include a malicious attachment that infects the user’s device with malware, or a link to a website that looks eerily similar to a legitimate one and steals the login credentials users enter. Some attacks, called spear phishing, are aimed at a specific user within an organisation to steal their information and infiltrate a system.

Malicious actors often use emails to exfiltrate data from an organisation’s outbound email systems, such as databases, images, calendars, or planning documents. If not protected properly, this data can be stolen from email systems via text messages and emails or through file attachments.

Downloading files to insecure devices 

Downloading files to insecure devices is a common data exfiltration method and often an accidental insider threat. The perpetrator accesses sensitive corporate information on a trusted device, then transfers it onto an insecure device (often without criminal intent). Insecure devices that are not protected by corporate security policies could include external drives, cameras, or a personal smartphone. 

Uploading to external devices 

Uploading to external devices typically comes from malicious insiders. Data can be exfiltrated by downloading information from a secure device, then uploading it to an external device, such as a smartphone, tablet, laptop, or thumb drive. 

Accessing the cloud in an insecure way

The cloud presents a significant number of data exfiltration risks. For example, when cloud services are accessed by an authorised user in an insecure way, they enable a bad actor to deploy and install malicious code, make changes to virtual machines, and submit malicious requests to cloud services. What’s more, the appropriate protections may no longer be in place, which indicates that procedural issues and/or human error could be in play; that is why cloud security posture management has to be implemented.

What tools are used for data exfiltration? 

Malicious actors often use exfiltration tools to steal data. For example, CovalentStealer has been designed to identify file shares on a system, categorise the files, and upload them to a remote server. 

How can you spot data exfiltration?

Data exfiltration can occur in only two ways: via insider threats or via outsider attacks. Both pose an equal amount of risk, which means organisations must keep their cybersecurity measures at their optimum to detect and prevent data exfiltration at all times.

What kind of data can be leaked? 

Personally Identifiable Information (PII), Protected Health Information (PHI), Credit Card or Payment Card Industry (PCI) Information, Controlled Unclassified Information (CUI) or any other sensitive data are at risk. 

Network traffic analysis is key to spotting and preventing data exfiltration. A multi-dimensional analysis can be used to increase the efficacy of security operations. Let’s take a closer look: 

  1. SIEM

By using a Security Information and Event Management System (SIEM), you can monitor network traffic in real time. Some SIEM solutions are even able to detect malware communicating with command and control servers.

  2. Monitor network protocols

Monitor traffic on all open ports to detect abnormal volumes. An anomaly should lead to a more targeted analysis, because the connections could still turn out to be legitimate business-related traffic.

  3. Monitor for foreign IP addresses

Cybersecurity teams should keep a minute-by-minute log of all approved IP addresses to compare against all new connections. Connections to uncommon IP addresses could be a sign of data exfiltration. 

  4. Monitor for outbound traffic patterns

Malware must regularly communicate with command and control servers to maintain a consistent connection. This communication, known as beaconing, presents an opportunity for detecting data exfiltration on ports such as 443 (HTTPS) and 80 (HTTP).
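The foreign-IP and outbound-pattern checks above, as one added example that is not code from the original article: it parses a constructed outbound connection log, lists destinations absent from an assumed approved-address list, and flags flows whose connection intervals are near-constant, the beaconing pattern just described. The addresses, the log format and the jitter threshold are all constructed or assumed.

```python
import statistics
from collections import defaultdict

# Constructed sample outbound connection log, one "epoch_seconds src dst:port bytes_out"
# per line (not real traffic). Host 10.0.0.7 contacts 203.0.113.45 about once a minute.
SAMPLE_CONN_LOG = """\
1700000000 10.0.0.7 203.0.113.45:443 512
1700000061 10.0.0.7 203.0.113.45:443 498
1700000119 10.0.0.7 203.0.113.45:443 530
1700000182 10.0.0.7 203.0.113.45:443 505
1700000239 10.0.0.7 203.0.113.45:443 519
1700000301 10.0.0.7 203.0.113.45:443 501
1700000012 10.0.0.5 198.51.100.10:443 14000
1700000311 10.0.0.5 198.51.100.10:443 8200
"""

# Assumption: the organisation's list of approved destination addresses, constructed here.
APPROVED_DESTINATIONS = {"198.51.100.10"}

def parse_conn_log(log_text):
    """Group connections by (src, dst, port) -> [(timestamp, bytes_out), ...]."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst_port, nbytes = parts
        dst, port = dst_port.rsplit(":", 1)
        flows[(src, dst, int(port))].append((int(ts), int(nbytes)))
    return flows

def unapproved_destinations(flows, approved=APPROVED_DESTINATIONS):
    """Destination addresses that are not on the approved list."""
    return sorted({dst for (_src, dst, _port) in flows if dst not in approved})

def beaconing_flows(flows, min_events=5, max_jitter=0.2):
    """Flows whose gaps between connections are near-constant (low coefficient of variation)."""
    hits = []
    for (src, dst, port), events in flows.items():
        times = sorted(ts for ts, _ in events)
        if len(times) < min_events:
            continue  # too few connections to call it a pattern
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port, "period_s": round(mean_gap),
                         "jitter": round(jitter, 3), "bytes_out": sum(b for _, b in events)})
    return hits
```

Software update checks and monitoring agents also beacon on a fixed period, so the approved list and the period of each hit should be reviewed together rather than treated as a verdict.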

How to prevent data exfiltration

Because data exfiltration relies on social engineering techniques to gain access to protected networks, a key preventative measure is to stop users from downloading suspicious or unknown applications. However, it can be difficult to distinguish malicious applications from the ones users actually need to access.

Malware must be able to communicate externally with a command and control server to exfiltrate data and to receive instructions. Therefore, detecting and blocking unauthorised communication is a viable method for preventing data exfiltration.

Endpoint protection is also a critical component of data exfiltration prevention. Because data exfiltration focuses on retrieving, transferring, and copying data on endpoints, organisations must look at comprehensive endpoint detection solutions to prevent it.

Further reading on cyber attacks 

RiskXchange can help organisations of all sizes reduce the risk of data breaches by monitoring, tracking and mitigating risk across an entire attack surface around the clock. RiskXchange can ensure robust endpoint security on all systems which can then be constantly monitored and managed by the IT department or external security operations team.  

Let’s take a closer look at some of the benefits of working with RiskXchange: 

Attack Surface Management Benefits 

  • Identify vulnerabilities in your attack surface and mitigate potential risks.
  • Categorise your digital assets and monitor the attack surface more effectively.
  • Automate your cybersecurity with an easy-to-use platform.
  • Build an environment for a more secure supply chain.
  • Benefit from robust reporting capabilities, making it easier for security teams to send detailed reports to business stakeholders.
  • Reduce ongoing compliance costs with a single source of truth, automated compliance data collection and real-time compliance status.

Attack Surface Management Key Features 

  • Continuous Monitoring of your Attack Surface: Continuous 24/7 assessment of your attack surface in real time. 
  • Asset Inventory: We accurately identify your internet assets across your attack surface and that of your third-party supply chain. 
  • Real-time Alerts: The platform has a real-time alert system that will alert you about new cyberattacks. 
  • Complete Visibility: Complete visibility into everything you own, including IP addresses, domains, certificates, and cloud assets.  
  • Security Automation: Create alerts for new anomalies and automate key cybersecurity risk management functions. 
  • Trace your Digital Footprint: Monitor all activities taking place in your infrastructure, including your vendors’.
  • Extensive Data Sources: We refresh your data every 24 hours from DNS Records, Netblocks, Domain registrars, Honeypots, Business registration databases and other sources. 

What is data exfiltration? Get in touch with RiskXchange to find out more about data exfiltration and how best to protect your business.