Data Access versus Exfiltration: The Million (Plus) Dollar Cyberattack Question

October 29, 2020 | Article

By Jason Olson and Isaac De La Garza

When an organization is in the heat of the moment responding to a cyberattack, the organization and its legal counsel are looking for immediate answers.

  • What was the initial attack vector?
  • How long has the organization’s system(s) been compromised?
  • What type of attack occurred?
  • Are backups free from malicious software?
  • What can the organization do immediately to contain the current attack and mitigate the risk of a future attack?
  • Was data only accessed without authorization or was there data exfiltration?

All of these questions are important; however, the question of access versus exfiltration may be the most important of all, as it relates to potential legal liabilities of an organization.

Have you experience a potential data breach?

Data Access vs. Data Exfiltration
Data access is exactly what it sounds like. When a cyber attack occurs, an organization’s data is accessed without authorization.

Data exfiltration occurs when the company or individual data is copied, transferred or taken during the cyber attack from a computer or server without authorization.

The mere fact an organization’s data was accessed without authorization may not trigger notifications related to a privacy breach depending upon applicable statutes. However, unauthorized data exfiltration is almost guaranteeing notifications will required by an organization if unencrypted sensitive data such as Personally Identifiable Information (PII) or Protected Health Information (PHI) was potentially subject to the attack.

How to Know if Data Access or Data Exfiltration Occurred
When a data breach occurs, incident response professionals will begin to investigate not only how the breach occurred, but what happened to the data. This requires access to certain types of data:

Type of Data Why We Need It
Logs (e.g., email audit logs, firewall logs and System event logs) Allows for an investigation of anomalous login/traffic activity for a period of time.
NetFlows and DNS logs Provides a picture of the inbound and outbound traffic flow and volume.
Backups For data integrity purposes by scanning for potential malicious files.
Copy of the native email inbox for a phishing attack Allows review of email header information to understand the origins of attack.
Copy of the malicious file(s) For purposes of identifying the behavior of the file(s) such data exfiltration capabilities, deletions of volume shadow copies, access to multiple systems and encryption.
Copy of the ransomware note and sample of an encrypted file May allow a quick understanding of the variant of ransomware.
Copy of anomalous PowerShell scripts Provides insight as to the behavior of the script such as whether or not it attempts to make network contact with other hosts and if it runs with escalated privileges.

By having immediate access to this type of data, an incident response team can gain an understanding as to:

  • Whether the attack contained data exfiltration capabilities
  • Whether or not the attack included an attempt to “phone home”
  • Whether or not the attack included the ability to remotely access the system.

In addition, this information can determine the dwell time of the bad actor being in the organization’s system before detection.

Incident response teams will also collect forensic artifacts and full disk images for further analysis. The forensic artifacts and full disk images give a deeper forensic dive and the ability to look for other hacker tools such as credential harvesting software like Mimikatz. Credential harvesting tools are used by hackers to scrape systems for authorized credentials so they can be used to gain “authorized” access to an organization’s systems. This can then be used toescalate privileges, move laterally within the network, and execute malware with administrator privileges. By obtaining administrative privileges, the bad actor essentially has all the keys to the organization’s kingdom inclusive of its sensitive and proprietary data.

Major Roadblocks to Identifying Data Exfiltration
What are the major roadblocks to determining if data was exfiltrated? Typically, it boils down to these common themes:

  • Limited log retention
  • Misconfiguration of firewalls
  • Lack of timely response by an organization to engage forensic incident response to investigate
  • Improper preservation of cyber-attack artifacts before implementing remediation procedures
  • Misclassification of an incident as an event by an organization, which leads to an inadequate internal technology response

How to Prepare for a Potential Cyberattack
There are common steps that can be put in place at your organization so you are better prepared for a cyberattack. These include:

  • Having an Incident Response Plan in place. This does not have to be lengthy or overly complex. It should, at a minimum, define what an incident is and identify internal and external parties to assist and respond to an incident.
  • Properly documenting actions taken by all parties when an incident is identified. Upon identification of an incident, engage a forensic incident responder to ensure the data your organization will need is properly collected before remediation steps are taken.
  • Consider changing log retention policies across technologies for at least six months to one year. This is important as research shows that cybercriminals gain access to systems and perform reconnaissance while remaining undetected for months before engaging in malicious activity.

Certainly, having multiple layers of cybersecurity controls, solutions and ongoing employee awareness training is your organization’s best bet in mitigating the risk of a cyberattack. However, bad actors are constantly finding new ways to exploit vulnerabilities, so its imperative organizations plan for the worst-case scenario: an incident involving data exfiltration.

If your organization has experienced a cybersecurity incident, know that you are not alone.

Stay current on your favorite topics

SUBSCRIBE

Learn More

Take a deeper dive into this Insight’s subject matter.

Fraud & Forensic Advisory Cybersecurity