Triggers
- Pre-exfiltration behaviors have been observed on a host that has received abnormally high amounts of data from one or more hosts within a short period of time.
Possible Root Causes
- An attacker has pivoted to a host to use for dumping/staging data prior to exfiltrating, likely taking advantage of the trusted nature of this host to bypass security controls and evade detection.
- A malicious insider is collecting data they intend to steal from a position of trust.
- A user has joined a new team, changed organizational roles, or otherwise been given reason to significantly depart from their typical data access and retrieval activities.
- An application has been observed on an unusual or infrequent backup or update cycle.
Business Impact
- Failure to identify and respond to pre-exfiltration activities in an organization increases the likelihood of data loss.
- When successful, data exfiltration places an organization at the risk of the loss of intellectual property, financial data, or other regulated or sensitive data sources.
Steps to Verify
- Verify whether the data gathered supports valid and authorized business activities.
- Investigate the host and associated accounts for other signs of compromise.
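The trigger above (a host receiving an abnormally high inbound volume from one or more hosts in a short window) can be checked against flow records as follows. This is an added example, not the product's own detection logic; the flow records, the per-host hourly baselines, the one-hour window, the 3-sigma threshold and the two-source minimum are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow records: (timestamp, source host, destination host, bytes).
FLOWS = [
    ("2024-05-01T09:00:00", "ws-12", "fileserver-1", 40_000_000),
    ("2024-05-01T09:05:00", "ws-31", "fileserver-1", 35_000_000),
    ("2024-05-01T09:20:00", "db-2", "ws-07", 900_000_000),
    ("2024-05-01T09:25:00", "fileserver-1", "ws-07", 1_200_000_000),
    ("2024-05-01T09:40:00", "ws-12", "ws-07", 450_000_000),
    ("2024-05-01T10:10:00", "ws-31", "print-1", 2_000_000),
]

# Constructed historical samples of inbound bytes per hour for each host.
BASELINES = {
    "fileserver-1": [1_500_000_000, 1_300_000_000, 1_700_000_000, 1_400_000_000],
    "ws-07": [20_000_000, 35_000_000, 15_000_000, 25_000_000],
    "print-1": [1_000_000, 3_000_000, 2_000_000, 2_500_000],
}

def window_totals(flows, window=timedelta(hours=1)):
    """Per destination: peak inbound bytes in any window-length span, and its sources."""
    by_dst = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_dst[dst].append((datetime.fromisoformat(ts), src, nbytes))
    result = {}
    for dst, recs in by_dst.items():
        recs.sort()
        best_bytes, best_srcs = 0, set()
        for i, (start, _, _) in enumerate(recs):
            span = [r for r in recs[i:] if r[0] - start <= window]
            total = sum(r[2] for r in span)
            if total > best_bytes:
                best_bytes, best_srcs = total, {r[1] for r in span}
        result[dst] = (best_bytes, best_srcs)
    return result

def find_staging_hosts(flows, baselines, sigmas=3.0, min_sources=2):
    """Flag hosts whose peak inbound volume is far above their own history and
    arrives from several sources (a single large copy is often a routine backup)."""
    findings = []
    for dst, (total, srcs) in window_totals(flows).items():
        hist = baselines.get(dst)
        if not hist:
            continue  # no baseline yet: send to baselining, not to alerting
        threshold = mean(hist) + sigmas * pstdev(hist)
        if total > threshold and len(srcs) >= min_sources:
            findings.append({"host": dst, "bytes": total,
                             "sources": sorted(srcs), "threshold": round(threshold)})
    return findings
```

A hit is the starting point for the verification steps above: confirm with the owner whether the collected data serves an authorized business activity, then review the flagged host and the source accounts for other signs of compromise.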