Data Exfiltration: Insider Threat Detection & Prevention Tactics

August 3, 2021 | By IANS Faculty

The most important way to counter insider threats is to look for them. In many cases, indicators of compromise (IoCs) are present and may even seem obvious in hindsight following major incidents. This piece explains common data exfiltration examples and recommends ways to detect them and to help keep organizations from falling victim to data exfiltration.

Insider Threat Categories

Finding unauthorized insider activity has its challenges, and chief among them is the fact that insiders have authorized access to business systems that hold sensitive proprietary information. How do you tell the difference between authorized and unauthorized access to the same information? One approach is to take steps to ensure the proprietary information is “locked down” and not easy to remove.

Let’s begin with a brief understanding of insider threat categories:

  • Unintentional. Accidents happen, and they can often be the root cause of sensitive data spillage from a company. In this piece, we’ll assume the insider intends to exfiltrate sensitive data, but accidental data spillages should not be underestimated.
  • Casual. Some insiders may well be violating policy, but their intent isn’t to cause major harm. Consider these the equivalent of stealing a paper clip. It’s wrong, and likely illegal, but the impact just does not matter. Here too, we’ll assume these are largely beyond our scope of consideration.
  • Criminal. This is where our interest lies. These insiders know they are violating policy and quite possibly the law and are likely to lose their job – and perhaps face criminal charges – if caught.

Insider Threat Motivations

Individuals steal information from their employers for many reasons. It’s not uncommon for the perpetrator to try to rationalize, and thus justify, what is otherwise clearly immoral and illegal behavior. Insider threat motivations can include, but may not be limited to:

  • Entitlement. “The company owes me this information. I’ve worked here for 25 years and was among the first few people hired.”
  • Ownership. “I wrote this report, so it is mine.”
  • Financial difficulty. “If I just sell this one set of data, I can pay the mortgage this month.”
  • Changing employment. “I’m moving to a competitor, and this information will be helpful to me in my new job.”
  • Theft of trade secrets. “I’m going to launch my own competing company and this product design will save me tons of time and energy. Besides, I know all this stuff anyway.”

Consider volume and impact as well. Not all insider theft requires massive amounts of data to be exfiltrated. A single diagram of a proprietary design may well be sufficient for some insiders’ purposes, and not everyone seeks to exfiltrate a huge database of customer records. The impact of each theft hinges largely on the intrinsic value of the information to the employer as well as to the insider.

Imagine, for example, an airline employee who steals the private contact information of the company’s top 100 or so customers. While it’s small in volume, a competing airline would find those customers to be hugely valuable.

Data Exfiltration Examples

With those insider threat motivations in mind, let’s examine several data exfiltration examples. 

  • Paper. Never to be underestimated, printouts stuffed into briefcases or bags are low on the technology spectrum, but they can be exceedingly difficult to detect, especially if perpetrators routinely print such information as part of their job. The good news is that printouts are limiting for the insider. Large amounts of data (e.g., the entire source code to a major project) are difficult to move, although documents can be removed in small amounts over time. Paper documents are also awkward to use once removed. They can be scanned, digitized, etc., but that adds a level of difficulty to the process. Nonetheless, for relatively small amounts of high-value information, printouts offer the perpetrator a relatively easy and safe means of removing data.
  • Screenshot photos. Also on the low end of the technology spectrum, photos of screens are easy to take, particularly with large, high-resolution screens being ubiquitous in the workplace these days. The good news is that screenshots tend to be useful only for small amounts of data, but if that data is highly valuable to the perpetrator, that may not be a major issue. Even taking dozens or hundreds of screenshots, such as individual customer records in a database, may be feasible over time.
  • Removable media, including USB sticks. For perpetrators seeking to exfiltrate large amounts of data, removable media offers a lot more capability than paper or screenshots. USB drives can store vast amounts of data these days, and the data can be moved at very high bandwidth, particularly with today’s USB 3 and other technologies deployed widely. As of this writing, USB thumb drives in the several-hundred-gigabyte range can be purchased rather inexpensively.
  • Online storage. Online cloud storage services like Dropbox and Box are easy, inexpensive, and fast – and can be used to exfiltrate large amounts of data quickly and easily. In terms of speed and capacity, they rival USB drives. From the perpetrator’s perspective, they can also be attractive because they do not require physically carrying any printouts, USB drives, etc.
  • Email. This threat can vary from a simple blind carbon copy (bcc) of an email containing sensitive data to an external address, through to sending email attachments of sensitive files. Like online storage services, this is attractive to many perpetrators because it is generally not blocked by most companies and can be used to move data quietly and quickly.

How to Prevent Data Exfiltration

Now that we've highlighted common data exfiltration examples, we provide guidance below on how to prevent each of the methods cited, along with advice on how to detect it.

Prevent Paper Data Exfiltration

This is problematic. Without an invasive program of inspecting employees’ personal effects when they arrive or leave the facility, there is little that can feasibly be done.

  • Detection: Detecting paper exfiltration is only slightly more feasible than prevention. It is possible to monitor for employees accessing information they are not authorized to access, and to alert on statistical anomalies, such as accessing authorized information at unusual times. It is also helpful to have a policy in place prohibiting this activity, and clearly stating the penalties that can and will be enforced.

Prevent Screenshot Photo Data Exfiltration

Preventing photos from being taken is also problematic, because it would require an enforced policy of not allowing personal electronics, including smartphones, into the workplace. Polarizing screen filters may help prevent such actions, but they are generally easy to remove by the perpetrator. If all personal devices are managed with a mobile device management (MDM) product, it is possible to disable access to hardware features such as the camera, although these steps are inevitably circumventable by a determined and adequately resourced adversary.

  • Detection: Detecting screen photos on personal devices requires invasive and draconian steps, such as monitoring or inspecting personal devices.

Prevent Removable Media Data Exfiltration

Preventing USB drives from being used to exfiltrate information can be achieved through numerous techniques, ranging from gluing the physical ports to disabling them in managed configuration profiles. More invasive processes like employee searches can also be used.

  • Detection: Most endpoint protection products these days can log all USB drive mounts, unmounts and data copies. Similarly, data loss prevention (DLP) products can be used to examine the data being copied for specific keywords, etc.
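The following Python script is an added example, not code from the original IANS post or from any endpoint protection product. It shows the kind of detection logic that can be run over the USB mount and file-copy events such products log: it flags copies to removable media from sensitive share paths, bulk copies to a single device, and mounts outside working hours. The log lines, the key=value format, the share paths, the 100 MB bulk threshold and the 07:00 to 20:00 working window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample endpoint log lines (not from any real product). The
# key=value format is an assumption made for this example.
SAMPLE_LOG = """\
2021-08-03T09:02:11 host=ws-17 user=jdoe event=usb_mount device=Ultra-Flair serial=4C5300
2021-08-03T09:03:40 host=ws-17 user=jdoe event=file_copy dest=usb serial=4C5300 path=/shares/eng/notes.txt bytes=2048
2021-08-03T09:05:02 host=ws-17 user=jdoe event=file_copy dest=usb serial=4C5300 path=/shares/crm/top_customers.xlsx bytes=81920
2021-08-03T09:06:30 host=ws-17 user=jdoe event=usb_unmount device=Ultra-Flair serial=4C5300
2021-08-03T10:11:05 host=ws-22 user=asmith event=usb_mount device=DataTraveler serial=A1B2C3
2021-08-03T10:12:00 host=ws-22 user=asmith event=file_copy dest=usb serial=A1B2C3 path=/home/asmith/slides.pptx bytes=5242880
2021-08-03T10:40:00 host=ws-22 user=asmith event=usb_unmount device=DataTraveler serial=A1B2C3
2021-08-03T23:48:19 host=ws-09 user=bking event=usb_mount device=Ultra-Flair serial=77EE00
2021-08-03T23:49:00 host=ws-09 user=bking event=file_copy dest=usb serial=77EE00 path=/shares/src/product.tar bytes=734003200
"""

KV = re.compile(r"(\w+)=(\S+)")
# Assumed: shares holding customer, HR and source-code data are "sensitive".
SENSITIVE_PATH = re.compile(r"^/shares/(crm|hr|src)/")
BULK_BYTES = 100 * 1024 * 1024   # assumed per-device bulk-copy threshold
WORK_HOURS = (7, 20)             # assumed working window, 07:00 to 20:00


def parse(line):
    """Turn one log line into a dict of its fields plus the timestamp."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def analyze(log_text):
    """Return a list of (kind, user, detail) alerts derived from the log."""
    alerts = []
    totals = defaultdict(int)   # (user, device serial) -> bytes copied to it
    for line in log_text.splitlines():
        r = parse(line)
        hour = int(r["ts"][11:13])
        if r["event"] == "usb_mount" and not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            alerts.append(("off_hours_mount", r["user"], f"{r['device']} at {r['ts']}"))
        if r["event"] == "file_copy" and r.get("dest") == "usb":
            totals[(r["user"], r["serial"])] += r["bytes"]
            if SENSITIVE_PATH.match(r["path"]):
                # Small copies matter too: a single customer spreadsheet is flagged.
                alerts.append(("sensitive_copy", r["user"], r["path"]))
    for (user, serial), total in totals.items():
        if total >= BULK_BYTES:
            alerts.append(("bulk_copy", user, f"{total} bytes to device {serial}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises no alert for the user who copies a personal slide deck, one alert for the small customer spreadsheet, and three for the late-night bulk copy of a source tree; the bulk total is computed per device so that many small copies add up.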

Prevent Online Storage Data Exfiltration

Rigorous network access controls can prevent exfiltration via online storage services, but they can be deeply inconvenient and invasive for enterprises where storage services are permitted already. Policies should clearly delineate what is permitted and what is not, but they can’t actually prevent the illicit actions in the first place.

  • Detection: This can be challenging. Determined perpetrators may still be able to “fly under the radar” by using lesser-known services, and they may further be able to evade detection by using SSL/TLS, SSH, etc. (more on this below).

Prevent Email Data Exfiltration

Preventing email from being used for exfiltration is not trivial, but many techniques are available. Many companies block outgoing email from containing attachments, for example. Some companies also only permit email to be sent to certain pre-approved destination domains or use other blocking techniques. DLP tools can also be employed to screen outgoing messages.

  • Detection: First, we suggest notifying employees that they have no expectation of privacy in their official business-related emails. Emails can then be examined, perhaps on a random basis, for unauthorized content. Outgoing attachments can be examined not only for malware but also for unauthorized content.
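The following Python script is an added example of the three email controls just described (pre-approved destination domains, blocking attachments, and DLP screening of message content); it is not code from the original IANS post or from any DLP product. It parses one outbound message with Python's standard email library and returns a verdict plus the policy findings. The messages, the allowlisted domains and the two DLP patterns are constructed assumptions; the check is assumed to run at the outbound gateway, where the Bcc header is still visible before the mail server strips it.

```python
import email
import re
from email.utils import getaddresses

# Assumed allowlist of destination domains.
ALLOWED_DOMAINS = {"example.com", "partner.example.net"}
# Assumed DLP patterns: a confidentiality marking and an SSN-like number.
DLP_PATTERNS = {
    "confidential_marking": re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed outbound message: bcc to a personal mailbox, a marked body
# and a CSV attachment containing an SSN-like value.
RAW_MESSAGE = """\
From: jdoe@example.com
To: asmith@example.com
Bcc: jdoe.personal@mailbox.example.org
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Attached is the list. INTERNAL ONLY, please do not forward.

--b1
Content-Type: text/csv; name="top_customers.csv"
Content-Disposition: attachment; filename="top_customers.csv"

name,phone,ssn
Pat Lee,555-0100,123-45-6789
--b1--
"""

# Constructed ordinary message that should pass.
CLEAN_MESSAGE = """\
From: jdoe@example.com
To: asmith@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Lunch at noon?
"""


def screen_outbound(raw_message):
    """Parse an outbound message and return (verdict, findings)."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Destination control: every recipient domain must be pre-approved.
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            domain = addr.rpartition("@")[2].lower()
            if domain not in ALLOWED_DOMAINS:
                findings.append(("external_recipient", f"{hdr}: {addr}"))

    # 2. Attachment blocking and 3. DLP screening of every text part.
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            findings.append(("attachment", part.get_filename() or "<unnamed>"))
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, errors="replace")
            where = part.get_filename() or "body"
            for rule, pattern in DLP_PATTERNS.items():
                if pattern.search(text):
                    findings.append((f"dlp:{rule}", where))

    return ("block" if findings else "deliver"), findings


if __name__ == "__main__":
    for raw in (RAW_MESSAGE, CLEAN_MESSAGE):
        verdict, findings = screen_outbound(raw)
        print(verdict, findings)
```

The text attachment is screened with the same patterns as the body, which is the point of examining attachments for unauthorized content and not only for malware; binary attachments would need their own extraction step before the same patterns could be applied.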

Additional Data Exfiltration Techniques

In combination with the most common data exfiltration techniques, more knowledgeable individuals posing an insider threat may use:

  • Encryption. Encrypting data prior to exfiltration can be easy for certain individuals to accomplish. Myriad tools, both free and commercial, are available to encrypt data. Once encrypted, DLP and other screening techniques would likely be unable to observe the contents of the data being exfiltrated. Also, consider the impact of TLS/SSL on network connections to sites like Dropbox. Network encryption is used there to secure the site and to keep customer data private, after all.
  • Obfuscation. A determined and resourced adversary is likely to hide incriminating information in ways that are exceedingly difficult to notice. A ZIP archive containing otherwise authorized information, for example, can be used to hide (in plain sight) unauthorized information. In addition, techniques such as steganography have been used to hide data in the white space of seemingly innocuous files. Steganographic tools have been available in the public domain for decades.
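The two techniques above defeat content inspection, but the archive and the encrypted blob still have measurable properties a defender can act on. The following Python script is an added example (not code from the original IANS post) that opens an outbound ZIP archive, reads each member, and reports members whose content is too high in entropy to inspect (likely encrypted) or whose names match sensitive-data patterns; members the ZIP format itself marks as password-protected are reported without being read. The sample archive, the entropy cut-off of 7.5 bits per byte and the name patterns are constructed assumptions; a deterministic SHA-256 counter stream stands in for encrypted data so the example runs the same way every time.

```python
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

# Assumed cut-off, in bits per byte, above which content is treated as
# opaque (encrypted or already compressed) and therefore not inspectable.
ENTROPY_THRESHOLD = 7.5
# Assumed name patterns that mark a member as worth a closer look.
SENSITIVE_NAME = re.compile(r"(customer|salary|secret|design)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(nbytes: int) -> bytes:
    """Deterministic stand-in for encrypted data (a SHA-256 counter stream),
    constructed for the sample archive; real ciphertext looks the same to
    the entropy test."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(nbytes // 32 + 1))
    return b"".join(blocks)[:nbytes]


def build_sample_archive() -> bytes:
    """Constructed ZIP: ordinary files plus one pre-encrypted blob hidden among them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reports/q3_summary.txt", "Quarterly summary, nothing unusual here. " * 40)
        zf.writestr("reports/images/logo.bin", pseudo_ciphertext(4096))
        zf.writestr("misc/customer_list.csv", "name,email\nPat Lee,pat@example.org\n")
    return buf.getvalue()


def inspect_archive(blob: bytes):
    """Return (kind, member name, entropy) findings for a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                # ZIP-level encryption flag: content cannot be read without the password.
                findings.append(("zip_encrypted", info.filename, None))
                continue
            data = zf.read(info)  # decompressed, so entropy reflects the member's real content
            h = round(shannon_entropy(data), 2)
            if h >= ENTROPY_THRESHOLD:
                findings.append(("opaque_member", info.filename, h))
            if SENSITIVE_NAME.search(info.filename):
                findings.append(("sensitive_name", info.filename, h))
    return findings


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Entropy is measured after decompression on purpose: compressed data is itself high-entropy, so measuring the raw ZIP bytes would flag every archive. An opaque member is not proof of wrongdoing, but it is exactly the case where DLP can see nothing, which is why it deserves a human look or a policy that such content may not leave by that channel.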

The point here is that techniques for hiding illicit data are available, are not science fiction or new, and can be utilized by criminals intent on stealing. Stopping everything is simply not realistic.

Data Exfiltration Prevention Best Practices

Malicious insiders have a range of tools at their disposal to exfiltrate information and determined adversaries can be very difficult to detect. The most important defense is to regularly monitor for common data exfiltration techniques so that anomalous access attempts and suspicious downloads are caught and stopped early.

Organizations should consider the following data exfiltration best practices to secure company data:

  • Determining typical behavior baselines and alerting on anomalies.
  • Blocking where it’s feasible and doesn’t affect business productivity, e.g., blocking USB ports, prohibiting email attachments, using DLP, etc.
  • Focusing on IoCs other than large data transfers. Even small transfers of customer data or other critical information can be problematic.
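The following Python script is an added example (not code from the original IANS post) of the baseline-and-anomaly approach in the list above and in the paper-exfiltration detection advice earlier on the page: it learns each user's usual access hours and daily record volume from a baseline window, then alerts on access at unusual times, access to resources the user is not authorized for, daily volumes well above baseline, and any export from a sensitive system, however small. The access records, the authorization table, the one-hour margin around usual hours and the three-standard-deviation volume rule are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access records: (user, ISO timestamp, resource, action, records touched).
BASELINE = [
    ("jdoe", "2021-07-05T09:15:00", "crm", "view", 12),
    ("jdoe", "2021-07-05T14:02:00", "crm", "view", 9),
    ("jdoe", "2021-07-06T10:30:00", "crm", "view", 15),
    ("jdoe", "2021-07-07T11:10:00", "crm", "view", 11),
    ("jdoe", "2021-07-08T16:45:00", "crm", "view", 13),
    ("asmith", "2021-07-05T08:50:00", "hr", "view", 3),
    ("asmith", "2021-07-06T09:20:00", "hr", "view", 4),
    ("asmith", "2021-07-07T13:05:00", "hr", "view", 2),
]
NEW = [
    ("jdoe", "2021-08-02T10:05:00", "crm", "view", 14),     # normal
    ("jdoe", "2021-08-02T22:40:00", "crm", "export", 500),  # off-hours and volume spike
    ("jdoe", "2021-08-03T09:30:00", "hr", "view", 1),       # not authorized for hr
    ("asmith", "2021-08-03T09:00:00", "hr", "export", 2),   # small but sensitive export
]
# Assumed authorization table and sensitive-system list.
AUTHORIZED = {"jdoe": {"crm"}, "asmith": {"hr", "crm"}}
SENSITIVE = {"crm", "hr"}


def build_baseline(events):
    """Per user: usual hour range and mean/std of records touched per day."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, _resource, _action, records in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        daily[user][t.date()] += records
    baseline = {}
    for user in hours:
        totals = list(daily[user].values())
        baseline[user] = {"hours": (min(hours[user]), max(hours[user])),
                          "mean": mean(totals), "std": pstdev(totals)}
    return baseline


def detect(baseline, events, hour_margin=1, z=3):
    """Return (kind, user, detail) alerts for the new events."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, resource, action, records in events:
        t = datetime.fromisoformat(ts)
        daily[user][t.date()] += records
        if resource not in AUTHORIZED.get(user, set()):
            alerts.append(("unauthorized_resource", user, resource))
        if action == "export" and resource in SENSITIVE:
            # Volume is irrelevant here: a handful of customer records still counts.
            alerts.append(("sensitive_export", user, f"{records} records from {resource}"))
        b = baseline.get(user)
        if b:
            lo, hi = b["hours"]
            if not (lo - hour_margin <= t.hour <= hi + hour_margin):
                alerts.append(("off_hours", user, f"{ts} {resource}"))
    for user, days in daily.items():
        b = baseline.get(user)
        if not b:
            continue   # no baseline yet; only the rule-based checks above apply
        limit = b["mean"] + z * max(b["std"], 1)   # floor the std so a flat baseline still has a limit
        for day, total in days.items():
            if total > limit:
                alerts.append(("volume_anomaly", user,
                               f"{day}: {total} records vs baseline mean {b['mean']:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), NEW):
        print(alert)
```

The authorization and sensitive-export checks are pure policy and need no baseline, so they also cover users for whom no history exists yet; the hour and volume checks only fire once a baseline has been built, which keeps a new hire's first week from generating noise.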
