Uncovering data exfiltration

While proactively reviewing outbound traffic, the security team discovers activity that indicates a potential attempt to exfiltrate data.

Workflow

After discovering unusually high outbound utilization in the Explore > Exporters > By Interface view, run a Report to narrow down the scope of traffic that needs to be reviewed (e.g., Destination Countries with AS):

  1. Run a new report for the Exporters/devices exhibiting suspicious behavior, and select Countries with AS (under the Destination Reports category) as the report type. This will output a list of autonomous systems, along with the countries each one is associated with.

Note

Class A, B, and C addresses are always classified as Uncategorized and will often include internal network addresses. In this scenario, these are likely associated with responses to internal destinations through outbound interfaces.

  2. Narrow down the scope of the report by dragging rows associated with expected traffic to the Exclude drop zone to the left and clicking Apply in the Filters tray.

  3. After the report has been re-run with the additional exclusions, review the list for traffic bound for unusual destinations.

  4. Once a more manageable subset of data (e.g., countries your organization does not transact with) has been achieved, refine the report to gain more insight:

    • “Zoom out” to look for activity patterns by changing the time frame covered by the report.

    • Inspect activity associated with the host, country, or autonomous system by clicking on it and pivoting to a different report type from the tray.

    • Use the additional tools (under the Other Options category in the tray) to gather more information about the selected host, country, or autonomous system.

For further investigation, continue to modify the settings of the report to gain visibility into hosts, traffic, etc. that remain suspicious.
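The aggregate, exclude and review steps above, as an added Python example that is not part of the product documentation: it sums outbound bytes per destination country and AS (the rows of a Countries with AS report), drops expected destinations, and ranks what remains with its share of all outbound volume. The flow records, country names and AS numbers are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A flow record reduced to the fields the Countries with AS report groups on.
FlowRecord = Tuple[str, str, int]   # (dst_country, dst_as, bytes_out)
DestKey = Tuple[str, str]           # (dst_country, dst_as)

# Constructed sample flows for one outbound interface (not real traffic).
# "Uncategorized" stands for the internal address space mentioned in the Note.
SAMPLE_FLOWS: List[FlowRecord] = [
    ("United States", "AS15169", 120_000_000),
    ("United States", "AS16509", 80_000_000),
    ("Uncategorized", "Uncategorized", 500_000_000),
    ("Germany", "AS3320", 2_000_000),
    ("Country X", "AS64500", 45_000_000),   # constructed unexpected destination
    ("Country X", "AS64500", 30_000_000),
    ("Country Y", "AS64501", 1_500_000),
]

def aggregate_by_destination(flows: Iterable[FlowRecord]) -> Dict[DestKey, int]:
    """Sum outbound bytes per (country, AS), one total per report row."""
    totals: Dict[DestKey, int] = defaultdict(int)
    for country, asn, nbytes in flows:
        totals[(country, asn)] += nbytes
    return dict(totals)

def exclude_expected(totals: Dict[DestKey, int], excluded_countries: Set[str],
                     excluded_asns: Set[str]) -> Dict[DestKey, int]:
    """Drop rows for expected traffic, the equivalent of the Exclude drop zone."""
    return {key: nbytes for key, nbytes in totals.items()
            if key[0] not in excluded_countries and key[1] not in excluded_asns}

def rank_remaining(remaining: Dict[DestKey, int], all_totals: Dict[DestKey, int],
                   min_bytes: int) -> List[Tuple[DestKey, int, float]]:
    """Rank the remaining destinations by volume, above a review threshold,
    and attach each one's percentage of all outbound bytes on the interface."""
    grand_total = sum(all_totals.values())
    ranked = sorted(remaining.items(), key=lambda kv: kv[1], reverse=True)
    return [(key, nbytes, round(100 * nbytes / grand_total, 2))
            for key, nbytes in ranked if nbytes >= min_bytes]

def hunt(flows: Iterable[FlowRecord], excluded_countries: Set[str],
         excluded_asns: Set[str], min_bytes: int) -> List[Tuple[DestKey, int, float]]:
    all_totals = aggregate_by_destination(flows)
    remaining = exclude_expected(all_totals, excluded_countries, excluded_asns)
    return rank_remaining(remaining, all_totals, min_bytes)

if __name__ == "__main__":
    for (country, asn), nbytes, pct in hunt(
            SAMPLE_FLOWS, {"United States", "Uncategorized"}, {"AS3320"}, 5_000_000):
        print(f"{country:14} {asn:10} {nbytes:>13,} bytes  {pct:5.2f}% of outbound")
```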