Discover the best practices for detecting and preventing data exfiltration attacks on your business or organization.

Protecting your data is an important component of your cyber risk management plan, and one that involves a certain level of preparedness for an event like a data breach. Even the best cybersecurity efforts, however, will still fail at some point — when attackers abscond with your organization’s confidential data, either to resell it on the dark web or to post it for all the world to see.

That is data exfiltration, and trying to prevent it is perhaps the paramount duty a cybersecurity program has. Attackers getting into your network (infiltration) and rifling through your data is bad enough; but even more important is thwarting their ability to take the data out.

What Is Data Exfiltration?

When data is stolen (as opposed to leaked by an insider), that is data exfiltration. While data leaks are the inadvertent exposure of sensitive information to unapproved parties, data exfiltration is the deliberate act of moving sensitive data from inside an organization’s security perimeter to the outside, without permission.

Also known as data theft, data expiration, data extrusion, and data exfil, data exfiltration typically happens through hacking, malware, or social engineering attack. It can involve the theft of many types of information, including:

  • Usernames, passwords, and other log-in credentials.
  • Confidential enterprise data including intellectual property or internal strategy documents.
  • Personal data about customers, employees, or clients.
  • Decryption keys for encrypted information.
  • Financial data such as credit card numbers and bank account details.
  • Software or proprietary algorithms.

It’s difficult to say how often data exfiltration is successful, but we do know that the methods used to carry out data exfiltration are on the rise. Phishing in particular is becoming a ubiquitous method to steal organization’s data.

Phishing was the leading cause of complaints to the FBI in 2020; the agency also says that phishing incidents more than doubled from the previous year. The number of recorded personal data breaches increased from around 38,000 to more than 45,000.

Generally, companies with more than 1,000 employees are more likely to experience data exfiltration; but attacks against smaller companies, while less frequent, are much more successful.

A data exfiltration attack is a security breach that occurs when your company’s data is copied, transferred, or retrieved from a computer or server without authorization. Such attacks are difficult to detect, as they involve the transfer or moving of data within and outside your company’s network, and they usually mimic typical network traffic.

Oftentimes this close resemblance means that incidents go unnoticed until after the data exfiltration succeeds, which means they can result in substantial data losses. The best way to prevent data exfiltration is to understand the most common data exfiltration techniques so you can better prepare your organization against them.

Most Common Data Exfiltration Techniques

There are countless motives and methods for data exfiltration, but most attempts can be grouped into two categories: data exfiltration by someone inside your organization, and data exfiltration by someone outside your organization.

Data exfiltration by insiders occurs when company data has been shared by a member of your company with people or organizations outside your company. In many cases, these insiders have easy access to your company data, know workarounds to access your data, or have the technical know-how to infiltrate your secure systems to steal your data.

Data exfiltration by outsiders occurs when company data has been stolen by someone from outside your organization. These attacks are usually carried out remotely, but can encompass several techniques that we will now explore.


Email is the number one threat vector for most organizations. It’s a treasure trove of information, and it’s a resource that’s often used in data exfiltration attempts.

Insiders executing a data exfiltration attack can use email to send data to their own personal or third-party accounts. Outsiders can use email to target employees with phishing, spear phishing, or ransomware attacks. In fact, 96 percent of phishing attacks begin via email.

Phishing attacks consist of emails designed to look legitimate and appear to be from trusted senders. Phishing emails contain either a malicious attachment that infects the user’s device with malware, or a link to a website that looks similar to a legitimate website but is spoofed to steal login credentials entered by the user.

Some attackers also launch targeted phishing attacks that aim to steal data from a specific user, such as senior company executives or high-worth individuals such as celebrities or politicians. Cybercriminals can also use email to exfiltrate any data that sits on organizations’ outbound email systems, such as calendars, databases, images, and planning documents.

Remote Access

Another data exfiltration technique is to gain remote access to a server, device, or cloud storage platform via remote access.

An attacker can gain remote access to your company’s data assets using several methods, including:

  • Hacking to exploit access vulnerabilities.
  • Using a brute force attack to determine passwords.
  • Installing malware, whether via phishing or another method.
  • Using stolen credentials, whether obtained via phishing or purchased on the dark web.

Most of the time, remote access data exfiltration incidents involve brute force techniques or compromised user credentials. Data exfiltration is most successful when systems rely on vendor-set, common, or easy-to-crack passwords. For this reason, it’s important that you keep your company passwords strong and safe.

Advanced persistent threats (APTs) are a form of cyberattack in which data exfiltration is the primary goal. APTs target specific companies or organizations with the goal of accessing or stealing their restricted data while remaining undetected.

No matter the attack method, once an attacker has gained access to your network or systems, he or she will need to execute the actual transfer of data. The most common method for this practice is to establish a shell — a communication channel that enables remote interaction between the compromised host and the attacker’s server.

Here are some of the protocols that attackers commonly use to transfer data during data exfiltration:

  • Hypertext Transfer Protocol (HTTP): a protocol allowing users to communicate data over the internet. HTTP is common on most networks, so it’s a perfect choice for attackers. In the high volume of HTTP traffic flowing through enterprise networks, the malicious transfer of sensitive data usually goes unnoticed, allowing the attacker to stay undetected for the duration of the attack.
  • File Transfer Protocol (FTP): a protocol used to communicate and transfer files between a client and a server over the internet, and a reliable protocol for transferring large files. An attacker must authenticate to an external FTP server from within an organization’s server to exfiltrate data using this method. Because most enterprise networks are focused on preventing inbound traffic, a lack of firewall rules to moderate outbound connections means that attackers can easily connect back to their own servers and transfer data.
  • Domain Name System (DNS): a protocol that translates human-readable domain names into IP addresses. DNS tunneling is a process that transmits data using DNS queries and responses and works by creating DNS records that point queries for a specific domain name to a server under the attacker’s control. This method can be used to transfer files from a compromised host, and DNS tunneling is especially effective in environments where other protocols are more closely monitored.

Physical Access

Physically stealing data from a business requires physical access to a server or device. Hence this method of data exfiltration is most commonly associated with current or former employees.

Research suggests that 15 percent of all insiders who exfiltrate data from organizations do so via portable USB drives, and 8 percent of outsiders do the same. Similarly, 11 percent of all insiders reported exfiltrating data via laptops/tablets and 13 percent of outsiders reported the same.

Sometimes, data exfiltration can be a result of accidental insider threats. When employees download data to insecure devices, they are inadvertently giving malicious actors the opportunity to access sensitive corporate information.

Now that we’ve introduced some of the main types of data exfiltration techniques, let’s take a look at some of the ways to detect data exfiltration.

Ways to Detect Data Exfiltration

Depending on the type of attack method used, detecting data exfiltration can be a difficult task. Cyberattacks using techniques that are more difficult to detect are often mistaken for regular network traffic, which means they can go unnoticed until the damage has already been done.

The best way to prevent data exfiltration is to detect it as soon as an attack is launched. Some things you can do to detect data exfiltration and protect your organization’s data include:

  • Perform a risk assessment. This will help you identify all valuable data assets and make an inventory of all the endpoints where this data resides. You should also estimate the business effect of potential exfiltration for each of the data assets you identify.
  • Create a data breach incident response policy. This is one information security control your organization can use to detect, stop, and recover from a cybersecurity incident. It should not only specify your methods of eliminating data security threats, but also detail who will carry out these actions. Altogether, your data breach incident response policy should cover: stakeholder support, an inventory of sensitive data, and clear communication channels.
  • Train your employees. Most business leaders already know the importance of their employees understanding information security. Employee training can help your staff spot some of the less sophisticated phishing attacks and learn the protocols for reporting a data breach. Staff training is important, but it alone is not enough to prevent data exfiltration.
  • Consider blocking or blacklisting. Some organizations block or blacklist certain domains or activities to prevent data exfiltration attempts. This approach involves blocking certain email providers or software that are associated with cyberattacks. That said, blacklisting often fails to account for the dynamic nature of modern work, where employees need to work with many different stakeholders via a wide range of mediums.
  • Label and tag sensitive data. Another data loss prevention (DLP) strategy is to label and tag sensitive data. DLP software will notice any tagged data moving outside of your company’s network and can either flag or prevent the activity. While promising, this approach relies on employees tagging data correctly to be effective. Ultimately, the manual process of tagging data isn’t scalable since employees could label data incorrectly or not label sensitive data at all.
  • Employ email data loss prevention (DLP). As mentioned, email is a crucial communication method for almost every business. But it’s also a key way for cybercriminals to gain access to your company’s valuable data. Email DLP can help filter out phishing attempts or other data exfiltration methods before your employees even get the chance to view or open any attachments or links.
  • Establish endpoint protection. Data exfiltration focuses on retrieving, transferring, and copying data on endpoints, and endpoints have historically provided one of the easiest access points for hackers. Comprehensive endpoint detection solutions can be a first-line defense against threats like data exfiltration.

Ultimately, preventing data exfiltration is possible with security solutions that ensure data loss and leakage prevention.

Protect Your Data with ZenGRC

How your organization chooses to protect itself from data exfiltration depends on the nature of your business, the information systems you use, and the federal and state laws you must comply with.

Between regulatory compliance and constantly changing threats to your data, the process of risk and compliance management can quickly become unmanageable — particularly when you’re developing the preventative systems that will protect you against security incidents.

That’s where ZenGRC from Reciprocity can help.

ZenGRC is a governance, risk management, and compliance (GRC) platform that enables businesses to automate the self-auditing process necessary to document security controls and prepare for formal compliance audits.

Zen’s easy-to-use dashboard provides an integrated view of your compliance stance across multiple frameworks, including HIPAA, NIST, SOX, and GDPR. It shows you where gaps exist in your documentation and processes, and how to fill them.

Learn how ZenGRC can help you ease the burden of data exfiltration detection by scheduling a demo today. That’s worry-free compliance and incident response planning — the Zen way.