What is Data Exfiltration?
Data exfiltration is the unauthorized transfer of sensitive data to attacker-controlled systems. Learn exfiltration techniques, detection approaches, and what controls prevent data from leaving your environment.
Exfiltration Techniques
Network Exfiltration
The most straightforward exfiltration method transmits data from the victim environment to attacker-controlled servers over the internet. Attackers use legitimate cloud services — Dropbox, Google Drive, OneDrive, Slack, GitHub — as exfiltration channels because traffic to these services blends with legitimate business activity and is often allowed through web filtering controls. DNS tunneling encodes data within DNS queries, which most network security tools inspect at a much lower fidelity than HTTP/HTTPS traffic. The content of HTTPS exfiltration over port 443 is invisible to organizations that do not perform SSL/TLS inspection; only connection metadata such as destination and transfer volume remains observable.
Staged Exfiltration
Sophisticated attackers stage data before exfiltration: identifying target data across multiple systems, copying it to a single staging location, compressing and encrypting the archive, and then transmitting it as a single large transfer that is easier to execute than multiple small transfers across many source systems. Ransomware operators routinely stage data in this manner, uploading compressed archives to file sharing services or their own C2 infrastructure before deploying ransomware.
Detecting Exfiltration
Data exfiltration detection requires monitoring data movement at multiple layers: network traffic volume monitoring detects unusual large outbound transfers; DNS monitoring identifies unusual query patterns associated with DNS tunneling; cloud access security broker monitoring detects unusual volumes of data being uploaded to cloud services; DLP tools monitor for sensitive data patterns in outbound traffic; and endpoint monitoring detects large file copy operations and staging behavior.
Volume-based detection is most reliable for large exfiltration events: an employee who uploads 50GB to a personal Dropbox account is exhibiting a clearly anomalous pattern. Low-and-slow exfiltration — small amounts of data transferred over extended periods — is much harder to detect through volume analysis and requires behavioral baselining and contextual analysis.
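As an added example, not code from the original article, the following Python applies the two approaches just described to constructed proxy log records: a per-user baseline with a spike threshold for large single-day uploads, and a window-wide threshold that catches a low-and-slow pattern no single day would trigger. The host list, the 7-day baseline window, the thresholds and the record format are assumptions made for the example.

```python
# Added example: baseline-based detection of spike and low-and-slow cloud
# uploads over constructed proxy log records (not from the original article).
from collections import defaultdict
from statistics import median

# Hosts treated as cloud file-sharing destinations (assumption for this example).
CLOUD_SHARE_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com", "github.com"}
MB = 1_000_000


def build_sample_log():
    """Constructed proxy records: (day, user, destination host, bytes sent).
    Days 1-7 form the baseline period; days 8-14 are the observation period."""
    log = []
    for day in range(1, 15):
        log.append((day, "alice", "drive.google.com", 2 * MB))
        log.append((day, "bob", "dropbox.com", 2 * MB if day <= 7 else 8 * MB))
        log.append((day, "carol", "onedrive.live.com", 2 * MB))
        log.append((day, "carol", "intranet.example", 300 * MB))  # not a share host
    log.append((10, "alice", "dropbox.com", 50_000 * MB))  # one 50 GB upload
    return log


def daily_upload_bytes(records):
    """Sum bytes sent per user per day, counting only cloud file-sharing hosts."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, host, sent in records:
        if host in CLOUD_SHARE_HOSTS:
            totals[user][day] += sent
    return totals


def detect(records, baseline_days=7, spike_factor=10, slow_factor=3, floor=1 * MB):
    """Return alerts as (kind, user, day, bytes); day is None for window-wide alerts.
    'spike': one day exceeds spike_factor x the user's baseline median.
    'low_and_slow': no day spikes, but the observation-period total exceeds
    slow_factor x what the baseline rate predicts for that many days."""
    alerts = []
    for user, by_day in daily_upload_bytes(records).items():
        base = [b for d, b in by_day.items() if d <= baseline_days]
        obs = {d: b for d, b in by_day.items() if d > baseline_days}
        if not base or not obs:
            continue
        rate = max(median(base), floor)  # floor avoids alerting on noise near zero
        spikes = [(d, b) for d, b in sorted(obs.items()) if b > spike_factor * rate]
        alerts.extend(("spike", user, d, b) for d, b in spikes)
        total = sum(obs.values())
        if not spikes and total > slow_factor * rate * len(obs):
            alerts.append(("low_and_slow", user, None, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Note that carol's large daily transfers to an internal host produce no alert, because the detector scopes volume to the file-sharing hosts rather than all outbound traffic.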
Prevention and Data Governance
Data loss prevention tools monitor outbound channels for sensitive data patterns — credit card numbers, Social Security numbers, health record patterns, proprietary document signatures — and block or alert on transfers matching those patterns. DLP effectiveness depends on accurate data classification: DLP cannot protect data it does not know is sensitive. Data classification programs that categorize organizational data by sensitivity and apply consistent labeling provide the foundation that DLP and other data protection controls require.
Network segmentation limits which systems can communicate externally, reducing the number of potential exfiltration pathways. An environment where only specific systems are permitted outbound internet access is easier to monitor for exfiltration than a flat network where every endpoint can directly communicate with any external destination.
Real-World Example: Cl0p Exfiltrates Before Encrypting — MOVEit 2023
The Cl0p ransomware group's MOVEit campaign is a landmark case in large-scale data exfiltration. Rather than deploying ransomware at all, Cl0p exploited the MOVEit zero-day to access and exfiltrate structured data from over 2,000 organizations' managed file transfer systems. The stolen data — which included HR records, payroll data, student records, and financial information — was threatened for publication on Cl0p's leak site unless victims paid ransom. The operation demonstrated that exfiltration alone, without encryption, provides sufficient extortion leverage when the data is sensitive enough.
The average time attackers spend in an environment conducting reconnaissance and staging data before exfiltrating it — meaning most exfiltration events represent the culmination of extended access, not opportunistic theft.