Data exfiltration techniques: how attackers steal your sensitive data
Rob Murawski CERT Coordination Center
Data exfiltration, or the unauthorized transmission of data from a system, is a large
problem affecting many organizations. After a system is compromised by malicious code,
removing the malware is only one step in mitigating the threat: confidential data
may already have been stolen from the infected system. Depending on the data that has
been exfiltrated, there may even be legal requirements to disclose the intrusion.
Analysis of collected samples of malicious code with exfiltration capabilities has
uncovered several common techniques for performing data exfiltration. This paper
describes the techniques currently seen to exfiltrate data from a system: how the
data is transmitted back to the attacker, how the data is obfuscated so that it is
difficult to detect, and how the data to be exfiltrated is selected. Finally, these
exfiltration techniques are compared against common network monitoring practices
to determine which defences are effective.