How to Prevent Data Exfiltration and Protect Your IP – Q&A with Steve Davis

Purpose Legal

  1. What exactly is data exfiltration, and why should organizations be concerned about it?

Data exfiltration is the movement or migration of company-owned trade secrets or intellectual property outside of the enterprise. It can either be unintentional or transacted with bad intent. The risks are pretty obvious since the company can lose control of its “secret sauce” on how it does business or, more importantly, who it is doing business with.

  1. Many people assume that exfiltration primarily comes from former employees—how much of a risk do current employees pose, and why?

One of my pet peeves is hearing people describe this analysis as a “Departed Employee” analysis. I think this is a big mistake and an oversimplification of the risks at hand. Almost all exfiltration or migration occurs while the employee works for the enterprise and not after they have left their employ. Further, exfiltration can be ongoing and active for quite some time before an employee becomes a suspect due to their announcement of departure. Other cases exist where a team of people leave the employ of the enterprise, but leave behind a “mole” whose sole purpose is to continue to feed the NEWCO entity important company secrets.

  1. What are the most common methods employees use to exfiltrate data, whether intentionally or unintentionally?

Historically, this was a pretty easy answer (USB-connected devices). USBs allow for mass movement of a large amount of data onto a conduit that would move outside of the organization. Nowadays, many companies disable access to USB drives, mitigating the use of thumb drives and flash drives as avenues of exfiltration. This has led to the replacement of USB connectivity with migration via online repositories (OneDrive, iCloud, Dropbox, etc.), attachments to emails or texts, or cloning of entire systems that are then unpacked at secondary locations.

  1. What role does behavioral analysis play in identifying potential threats to IP and trade secrets?

Forensic imaging of the underlying computer systems in question opens the door to a significant number of forensic artifacts that could otherwise go unchecked. Browsing history is one of the best artifact categories that can exhibit someone’s intentions or interests. Much like law enforcement finding searches for “How to Build a Bomb” in a terrorist investigation, we can uncover searches that outline what an individual is thinking of or what tools & techniques they are considering relating to data movement.

  1. Beyond USB devices, what other channels are commonly used for exfiltration, and how can organizations track them?

IT & security staff should be considering items beyond USBs such as data migrating via email (sending attachments to home email addresses), text messages, connections to online repositories and entire backups or syncs of the subject computer system.

  1. How does Purpose Legal’s exfiltration analysis help organizations detect and prevent data theft before it happens?

Purpose Legal has developed our own proprietary exfiltration investigation model that isolates and analyzes USB connectivity, transmission of attachments via email & text, mass movement of data via repositories, deletion of data, installation of anti-forensic software and underlying behavior analysis. We provide the end client with an executive summary report of our findings as well as the supporting forensic schedules with the raw data that has been analyzed.

  1. What are some real-world examples of exfiltration targets that businesses should be aware of?

From a data standpoint, companies should be concerned with losing anything that creates a competitive disadvantage as compared to others in the marketplace. Examples of data categories might be drawings, plans, operational documents, financial documents, recipes, customer lists, board & management meeting notes, emails, text messages or presentation materials.

  1. What steps can companies take to safeguard their intellectual property and trade secrets from internal threats?

The first step in this process is the answer to the question above. What data matters to you and what could be damaging to the organization if this data got out in the open market? Secondly, companies must cross the bridge of discussing data exfiltration with their staff long before the idea ever germinates in an employee’s head. Employment agreements should outline the risks associated with the practice of migrating data outside the company and the fact that the business will pursue all available remedies to the extent data is accessed or moved for nefarious purposes.

  1. How do emerging technologies like AI and cloud storage impact data exfiltration risks, and how should businesses adapt?

The introduction of remote work and online repositories has led to data moving away from the corporate mothership and into the hands of employees and their workstations at their remote locations. This allows for the easy transmission of data outside the secure geofence of the enterprise and into less secure locations. This makes migration and exfiltration all the more convenient for ill-intentioned employees.

  1. If a company suspects exfiltration has occurred, what immediate actions should they take to investigate and mitigate the damage?

If a company suspects that data exfiltration has occurred, they should immediately preserve any available physical devices that might shed light on the movement of the data. Items such as employee computers and tablets should be imaged to protect the forensic artifacts that could tell the story of what has occurred. Company-issued phones should also be collected and no hardware should be repurposed unless a full forensic image or extraction has been performed on the underlying asset. Finally, any corporate email should be investigated and a full domain analysis should be performed so that any evidence of data movement to personal email addresses is uncovered.
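
The email domain analysis mentioned in the last answer can be sketched as follows. This is an added example, not Purpose Legal's proprietary model or code from the interview; the CSV column names, the `corp.example` corporate domain, the personal-mail domain list and the trace rows are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a mail-gateway message trace export (not real data).
SAMPLE_TRACE = """\
timestamp,sender,recipient,attachments,bytes
2024-03-01T09:12:00,alice@corp.example,bob@corp.example,1,20480
2024-03-01T21:47:00,alice@corp.example,alice.home@gmail.com,4,7340032
2024-03-02T22:05:00,alice@corp.example,alice.home@gmail.com,6,9437184
2024-03-02T10:30:00,carol@corp.example,buyer@partner.example,1,51200
2024-03-03T08:00:00,dave@corp.example,dave77@outlook.com,0,2048
"""

CORPORATE_DOMAINS = {"corp.example"}  # assumption: the organization's own domain(s)
# Assumption: illustrative list of consumer webmail domains; extend per environment.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def domain_analysis(trace_csv):
    """Total attachment-bearing mail from corporate senders to personal domains.

    Returns (sender, recipient) pairs with message, attachment and byte
    totals, largest volume first, so reviewers see the heaviest flows first.
    """
    totals = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if domain_of(row["sender"]) not in CORPORATE_DOMAINS:
            continue
        if domain_of(row["recipient"]) not in PERSONAL_MAIL_DOMAINS:
            continue
        count = int(row["attachments"])
        if count == 0:  # no attachment, so no file left by this message
            continue
        entry = totals[(row["sender"].lower(), row["recipient"].lower())]
        entry["messages"] += 1
        entry["attachments"] += count
        entry["bytes"] += int(row["bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for (sender, recipient), t in domain_analysis(SAMPLE_TRACE):
        print(f"{sender} -> {recipient}: {t['messages']} msgs, "
              f"{t['attachments']} attachments, {t['bytes']} bytes")
```

A flagged pair is a lead for review against the preserved mailbox and device images, not a finding on its own.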

 

Written by:

Purpose Legal