name: hunting-for-data-exfiltration-indicators description: Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel abuse. domain: cybersecurity subdomain: threat-hunting tags:

• threat-hunting
• mitre-attack
• data-exfiltration
• dlp
• network-analysis
• proactive-detection version: '1.0' author: mahipal license: Apache-2.0 atlas_techniques:
• AML.T0024
• AML.T0056 nist_ai_rmf:
• MEASURE-2.7
• MAP-5.1
• MANAGE-2.4 d3fend_techniques:
• File Metadata Consistency Validation
• Certificate Analysis
• Application Protocol Command Analysis
• Content Format Conversion
• File Content Analysis nist_csf:
• DE.CM-01
• DE.AE-02
• DE.AE-07
• ID.RA-05

Hunting for Data Exfiltration Indicators

When to Use

• When hunting for data theft in compromised environments
• After detecting unusual outbound data volumes or patterns
• When investigating potential insider threat data theft
• During incident response to determine what data was stolen
• When threat intel indicates data exfiltration campaigns targeting your sector

Prerequisites

• Network proxy/firewall logs with byte-level data transfer metrics
• DLP solution or CASB with cloud upload visibility
• DNS query logs for DNS exfiltration detection
• Email gateway logs for attachment monitoring
• SIEM with data volume anomaly detection capabilities

Workflow

1. Define Exfiltration Channels: Identify potential channels (HTTP/S uploads, DNS tunneling, email attachments, cloud storage, removable media, encrypted protocols).
2. Baseline Normal Data Flows: Establish baseline outbound data transfer volumes per user, host, and destination over a 30-day window.
3. Detect Volume Anomalies: Identify hosts or users transferring significantly more data than baseline to external destinations.
4. Analyze Transfer Destinations: Check destination domains/IPs against threat intel, identify newly registered domains, personal cloud storage, and foreign infrastructure.
5. Inspect Protocol Abuse: Look for DNS tunneling (large/frequent TXT queries), ICMP tunneling, or data hidden in allowed protocols.
6. Correlate with File Access: Link exfiltration indicators to file access events on sensitive file shares, databases, or repositories.
7. Report and Contain: Document findings with evidence, estimate data exposure, and recommend containment actions.

Key Concepts

Tools & Systems

Common Scenarios

1. Cloud Storage Exfiltration: User uploads sensitive documents to personal Google Drive or Dropbox via browser.
2. DNS Tunneling: Malware exfiltrates data encoded in DNS subdomain queries to attacker-controlled nameserver.
3. HTTPS Upload: Compromised system POSTs large data blobs to C2 server over encrypted HTTPS.
4. Email Attachment Exfiltration: Insider forwards sensitive documents to personal email accounts.
5. Staging and Compression: Adversary stages data in compressed archives before slow exfiltration to avoid detection.

Output Format

Hunt ID: TH-EXFIL-[DATE]-[SEQ]
Exfiltration Channel: [HTTP/DNS/Email/Cloud/USB]
Source: [Host/User]
Destination: [Domain/IP/Service]
Data Volume: [Bytes/MB/GB]
Time Period: [Start - End]
Protocol: [HTTPS/DNS/SMTP/SMB]
Files Involved: [Count/Types]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]