Data Exfiltration Investigation

When You See This

1. 1

   DLP alert for sensitive files being uploaded to personal cloud storage (Google Drive, Dropbox, OneDrive personal)

2. 2

   Firewall logs show unusually large outbound data transfers (GB+) to external IPs, especially during off-hours

3. 3

   Archive file creation (7zip, RAR, WinRAR) detected on servers containing sensitive data

4. 4

   DNS query logs show high-volume queries with encoded data in subdomains (DNS tunneling pattern)

5. 5

   Abnormal database query volumes or bulk export operations from data warehouses

Investigation Steps

1. 1

   Quantify the data transfer

   Determine exactly how much data left the network, when it started, and where it went. Check firewall logs for total bytes transferred to each external destination. Compare against baselines for the source systems. Data exfiltration is often staged; the attacker collects data internally first, then transfers it in bulk.

   FirewallSIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=firewall action=allowed direction=outbound | stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_port | where total_bytes > 500000000 | eval GB=round(total_bytes/1073741824,2) | sort -total_bytes

   index=firewall src_ip="suspect_host" direction=outbound | timechart span=1h sum(bytes_out) as bytes_out_hourly | where bytes_out_hourly > 100000000

2. 2

   Identify the exfiltration method

   Determine HOW the data left. Common methods: direct HTTPS upload to cloud storage, FTP/SFTP to attacker infrastructure, DNS tunneling (encoded data in DNS queries), email with attachments, or physical USB media. Each method requires different log sources to investigate.

   SIEMFirewall

   Splunk SPLMicrosoft KQLElastic Lucene

   index=proxy dest_domain IN ("drive.google.com","dropbox.com","mega.nz","transfer.sh","pastebin.com") src_ip="suspect_host" | stats sum(bytes_out) as uploaded by dest_domain | sort -uploaded

   index=dns query_type=TXT src_ip="suspect_host" | stats count, avg(len(query)) as avg_query_length by query_domain | where avg_query_length > 50 AND count > 100

   Decision Point

   If: Data was sent to known cloud storage or file sharing services

   Yes → Check if the destination is a personal account vs corporate. Attempt to identify or recover the data via cloud provider cooperation (legal hold/warrant may be needed).

   No → Data went to attacker-controlled infrastructure. Focus on identifying what data was taken and assess regulatory impact.

3. 3

   Determine what data was accessed and staged

   Trace back from the exfiltration to determine what the attacker accessed. Check database query logs, file access audits, and archive creation events. In the MOVEit attacks, Cl0p used SQL injection to extract data directly from the database. Look for bulk file access patterns that differ from normal user behavior.

   SIEMXDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=endpoint dest_host="data_server" process_name IN ("7z.exe","rar.exe","zip.exe","tar.exe") | table _time, user, command_line, file_path | sort _time

   index=database user="suspect_account" | stats count as queries, sum(rows_returned) as total_rows by table_name, query_type | where total_rows > 10000 | sort -total_rows

4. 4

   Assess regulatory and legal impact

   Determine if the exfiltrated data includes PII, PHI, financial records, or intellectual property. Different data types trigger different regulatory reporting requirements (GDPR 72-hour notification, HIPAA breach notification, SEC disclosure for public companies). Work with legal and compliance teams to assess obligations.

   SIEM
5. 5

   Contain, preserve evidence, and notify

   Block the exfiltration destination at the firewall. Preserve all logs and evidence for forensic analysis and potential legal proceedings. If this is a double-extortion ransomware scenario, the stolen data may be published on a leak site; prepare the communications response. Coordinate with legal on breach notification timelines.

   FirewallSIEM

Common Mistakes

1. 1

   Focusing only on the volume of data transferred without determining WHAT data was taken; 1GB of customer PII has different impact than 1GB of marketing materials

2. 2

   Not checking for data staging (archive creation) on internal systems before exfiltration; this reveals the attackers intent and scope

3. 3

   Assuming exfiltration stopped because you blocked one channel; sophisticated attackers maintain multiple exfiltration methods

4. 4

   Delaying legal/compliance notification; GDPR requires notification within 72 hours of discovery

Escalation Criteria

• Any confirmed unauthorized data transfer to external destinations

• PII, PHI, or regulated data confirmed in the exfiltrated dataset

• Evidence of database dumps or bulk file access preceding the exfiltration

Frequently Asked Questions

What was the MOVEit breach and how does it relate to exfiltration?

In May-June 2023, the Cl0p ransomware group exploited a zero-day vulnerability in MOVEit Transfer (CVE-2023-34362) to mass-exfiltrate data from over 2,600 organizations affecting 77 million individuals. They automated SQL injection to extract data without deploying ransomware; pure data theft for extortion. It demonstrated that exfiltration can be industrial-scale and completed in hours.

How can I detect DNS tunneling?

DNS tunneling encodes data in DNS query subdomains. Look for: unusually long DNS queries (>50 characters), high query volume to a single domain, TXT record queries from non-mail systems, and domains with high entropy in subdomain names. Normal DNS queries are short and predictable; tunneling queries look like random strings.

How do I practice exfiltration investigations?

SOCSimulator includes multi-stage scenarios with data exfiltration phases. Practice correlating firewall, SIEM, and DLP alerts to trace data movement. Start free forever.