What is data exfiltration?

Data exfiltration, also known as data theft or data exportation, is the transfer of sensitive data to unauthorized parties or destinations with the intent to cause malicious damage or reap financial gains.

Data exfiltration can be caused by malicious outsiders or insider threats due to:

•         External attacks that managed to penetrate a system

•         Unintentional or negligent data exposure by an employee

•         Threats caused by a malicious insider

·         Credential thefts

The majority of data exfiltration acts are caused by external malicious cybercriminals. However, according to the 2022 Cost of Insider Threats Global Report conducted by the Ponemon Institute, insider threats have increased in both frequency and cost over the past two years with credential thefts almost doubling in number since 2020. And according to the same study, 56% of incidents experienced by organizations represented in this research were due to negligence. The average annual cost to remediate these types of incidents was $6.6 million.

There are different ways an MSP can prevent data from being stolen from client systems, but the main ones are as follows:

1.       Implement a total cybersecurity solution to prevent, detect, and block attacks on business environments that aim to exfiltrate data. The solution should span across all stages of the NIST framework to ensure threats stay out of your client environments and allow you to efficiently remediate risk and recover any affected data.

2.       Harden the environment in the event the threat gets passed the detection mechanisms to ensure that sensitive data cannot be easily exfiltrated. You can accomplish this with a data loss prevention (DLP) technology that controls dataflows to prevent exfiltration via common network channels and peripheral devices.

3.       Use some type of identity access and management solution that provides rigorous rules to govern access to sensitive data and enable monitoring and reporting on who can access this data and when.

4.       Store sensitive data in secure locations, such as internal file sync and share solutions, so that access is limited.

5.       Keep all software applications continuously updated to close vulnerability gaps.

6.       Implement a zero-trust architecture for environments with highly sensitive data.

7.       Use VPN to limit the change of man-in-the-middle attacks while browsing.

Data corruption is sometimes confused with data exfiltration. Data corruption happens when there are unintentional changes to a file. This can happen in a variety of ways. For example, a hardware (e.g., disk crash) or software problem can corrupt a file if you are writing, editing, reading, storing, transmitting, or otherwise processing it.

Data can also be corrupted after it is exfiltrated as can be the case with ransomware attacks.

Data exfiltration is among the last stages of any attack so it is important to detect and stop these attacks before they harm your client environments. Here are a few of the most practical ways to detect whether your clients’ data is being extracted.

1.       Implement a cybersecurity solution that will monitor your client environments for suspicious events and block attacks. For a higher level of security, implement an EDR solution that gives you the capabilities to analyze suspicious events, rapidly respond to breaches and minimize the impact of any in-progress attacks or breaches.

2.       Implement a data loss prevention (DLP) solution to monitor the environment for any unauthorized sensitive data transfers.

3.       Implement a network firewall, SIEM, VPN

 Ransomware is one of the most common ways to exfiltrate data but email account takeovers, trojans and other types of malware can also exfiltrate data.  

Kaseya suffered a ransomware attack in 2021 where cybercriminals leveraged Kaseya VSA software and released a fake update that spread the malware to Kaseya’s managed service provider (MSP) clients and their downstream companies.

The problem with ransomware is that by the time you detect it, it can already be too late and the costs to recover can be high. Once the files are encrypted, you need to perform a full restore back to the latest known good state, and it can take time to recover. Alternatively, you can find ways to roll back the damage and recover only the damaged portion. However, the trouble with rollback is that the majority of solutions depend on Microsoft (MS) Volume Shadow Copy, which is the target of many ransomware attacks.

Ransomware is the easiest way to exfiltrate data via external attacks and it is also commoditized. For example, a cybercriminal can use ransomware as a service or purchase a ransomware variant cheaply. Ransomware is a malicious payload that enables encryption and the exfiltration of data and can be delivered via a variety of highly sophisticated attack techniques.

Acronis Cyber Protect Cloud enables you to keep a large variety of modern threats outside of client environments to prevent data exfiltration — with robust prevention, detection and blocking capabilities. It unites backup and disaster recovery, next-generation anti-malware enhanced with machine intelligence, and endpoint protection management in one solution. Integration and automation provide unmatched ease for service providers to reduce complexity while increasing productivity and decreasing operating costs.

At the same time, advanced packs, which extend the protection capabilities of Acronis Cyber Protect Cloud, enable you to monitor for and detect data exfiltration attempts that have bypassed your detection technologies and block or promptly respond to such events.

·         The Advanced Security pack offers advanced protection and unique cyber protection capabilities to lower risks for your clients. With enhanced anti-malware protection and remediation capabilities, it stops threats in real time, including those trying to exfiltrate data, and secures your clients’ endpoints from modern and zero-day threats while enabling recovery of malware-free data. You can also stay ahead of emerging threats with actionable threat intelligence coming from Acronis CPOCs.

·         The Advanced Email Security pack, based on Perception Point’s #1 technology in independent evaluations by SE Labs, blocks any email-borne threat, including spam, phishing, business email compromise (BEC), advanced persistent threats (APTs) and zero-days in seconds before they reach end-user Microsoft 365, Google Workspace, or any on-premise email server mailboxes. Leveraging a next-generation cloud-based email security solution, it provides the highest detection rates and lowest false positives, combining speed, scale, and agility.

·         Acronis Advanced DLP  delivers unmatched provisioning, configuration, and management simplicity to prevent data leakage from your clients’ endpoints and strengthen regulatory compliance. A unique behavior-based technology automatically creates and continuously maintains business-specific policies, without requiring months to deploy, teams to maintain or a Ph.D. in privacy law to understand.

·         With Advanced Security + Endpoint Detection and Response (EDR), you support your clients across the NIST framework to IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER from attacks that bypass other protection layers, while ensuring true business resilience and continuity. With guided attack interpretation, high levels of automation and comprehensive response actions, including recovery, you can provide a high-value and high-margin service that is scalable across multiple clients. 

If you have an interest in trying Acronis Cyber Protect Cloud, click here for a 30-day free trial.