InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
The most important way to counter insider threats is
to look for them. In many cases, indicators of compromise (IoCs) are there and may even seem obvious in hindsight following major incidents. This piece explains common data exfiltration examples and recommends ways to help detect and prevent organizations from falling victim to data exfiltration.
Finding unauthorized insider activity has its challenges, and chief among them is the fact that insiders have authorized access to business systems that hold sensitive proprietary information. How do you tell the difference between authorized and unauthorized
access to the same information? One approach is to take steps to ensure the proprietary information is “locked down” and not easy to remove.
Let’s begin with a brief understanding of insider threat categories:
Individuals steal information from their employers for many reasons. It’s not uncommon for the perpetrator to try and rationalize and thus, justify, what is otherwise clearly immoral and illegal behavior. Insider threat motivations can include,
but may not be limited to:
Consider volume and impact as well. Not all insider theft requires massive amounts of data to be exfiltrated. A single diagram of a proprietary design may well be sufficient for some insiders’ purposes, and not everyone seeks to exfiltrate a huge
database of customer records. The impact of each theft hinges largely on the intrinsic value of the information to the employer as well as to the insider.
Imagine, for example, an airline employee who steals the private contact information of the company’s top 100 or so customers. While it’s small in volume, a competing airline would find those customers to be hugely valuable.
With those insider threat motivations in mind, let’s examine several data exfiltration examples.
Now that we've highlighted common data exfiltration examples, below we provide guidance on how to prevent data exfiltration in the methods cited along with advice on how to detect each instance as well.
This is problematic. Without an invasive program of inspecting employees’ personal effects when they arrive or leave the facility, there is little that can feasibly be done.
Preventing photos from being taken is also problematic, because it would require an enforced policy of not allowing personal electronics, including smartphones, into the workplace. Polarizing screen filters may help prevent such actions, but they are
generally easy to remove by the perpetrator. If all personal devices are managed with a mobile device management (MDM) product, it is possible to disable access to hardware features such as the camera, although these steps are inevitably circumventable
by a determined and adequately resourced adversary.
Preventing USB drives from being used to exfiltrate information can be achieved through numerous techniques, ranging from gluing the physical ports to disabling them in managed configuration profiles. More invasive processes like employee searches can
also be used.
Rigorous network access controls can prevent exfiltration via online storage services, but they can be deeply inconvenient and invasive for enterprises where storage services are permitted already. Policies should clearly delineate what is permitted and
what is not, but they can’t actually prevent the illicit actions in the first place.
Preventing email from being used is not trivial, but many techniques are available to do so. Many companies block outgoing email from containing attachments, for example. Some companies also only permit email to be sent to certain pre-approved destination
domains or use other blocking techniques. DLP tools can also be employed to screen outgoing messages.
In combination with the most common data exfiltration techniques, more knowledgeable individuals posing an insider threat may use:
The point here is that techniques for hiding illicit data are available, are not science fiction or new, and can be utilized by criminals intent on stealing. Stopping everything is simply not realistic.
Malicious insiders have a range of tools at their disposal to exfiltrate information and determined adversaries can be very difficult to detect. The most important defense is to regularly monitor for common data exfiltration techniques so that anomalous
access attempts and suspicious downloads are caught and stopped early.
Organizations should consider the following data exfiltration best practices to secure company data:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 29, 2022
By IANS Faculty
Understand the integration points between information security and enterprise architecture. Find guidance for functional organizational constructs to maintain a solid EA practice.
September 27, 2022
By IANS Research
Learn how to ensure full cyber insurance policy coverage and find 5 tips to help maximize your potential cyber insurance claims.
September 22, 2022
Find information on cyber insurance coverage types along with best practices to choose a cyber insurance carrier and policy for optimal security coverage.