
Research Article
Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review
@INPROCEEDINGS{10.1007/978-3-031-56580-9_3,
  author={Michael Mundt and Harald Baier},
  title={Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review},
  proceedings={Digital Forensics and Cyber Crime. 14th EAI International Conference, ICDF2C 2023, New York City, NY, USA, November 30, 2023, Proceedings, Part I},
  proceedings_a={ICDF2C},
  year={2024},
  month={4},
  keywords={Advanced Persistent Threat; Data Exfiltration; Universal Definition; Cyber Threat Intelligence; Systematic Review},
  doi={10.1007/978-3-031-56580-9_3}
}
- Michael Mundt
- Harald Baier
Year: 2024
Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review
ICDF2C
Springer
DOI: 10.1007/978-3-031-56580-9_3
Abstract
Whether the actor is an insider or an Advanced Persistent Threat (APT), sensitive data is being stolen. This year's annual report of the German Federal Office for Information Security (BSI) on the state of IT security in Germany (https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html) points to a worsening situation. A key finding of the BSI is that cyber extortion has become the number-one threat, because the leading attacker collectives have expanded their strategy: they exfiltrate data to offsite storage before encrypting it, and this year organizations were additionally extorted for hush money under the threat of disclosing the stolen sensitive data. Data exfiltration has become a standard step in almost all ransomware attacks. In our work we take up this currently most dangerous threat. First, we provide a universal definition of the data exfiltration operation. Next, we evaluate three frequently used methods for cyber threat intelligence: the Microsoft Threat Modeling Tool, the Malware Information Sharing Platform (MISP), and the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. Our evaluation goal is to find out whether these methods allow data exfiltration to be investigated and described in an appropriate way; in particular, we look for a suitable categorization structure and semantics for classifying data exfiltration approaches. Building on this, we carry out a systematic review of recent peer-reviewed publications from the Digital Threats: Research and Practice (DTRAP) forum in the context of data exfiltration, and categorize the data exfiltration techniques described in the papers. This gives a clear picture of the focus and distribution of current work and lets us point specifically to deficiencies and further research needs in individual data exfiltration categories.
Finally, we identify and choose one relevant category of data exfiltration as an example and show how it interacts with detection and protection measures. Our work thus provides an assessment of the subject matter, of frequently used tools, and of current research priorities in the context of the threat of adversarial data exfiltration.
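The abstract evaluates ATT&CK as a categorization structure for data exfiltration and then shows one category together with detection measures. The following is an added example, not code from Mundt and Baier's paper or from this listing, of what that looks like in practice: outbound flow summaries are mapped onto a small subset of the MITRE ATT&CK Exfiltration tactic (TA0010), and two aggregate heuristics flag chunked (T1030, Data Transfer Size Limits) and periodic (T1029, Scheduled Transfer) transfers. The technique IDs are real ATT&CK identifiers; everything else is an assumption: the `Flow` record layout, the `c2_known` flag (standing in for an indicator hit in a platform such as MISP), the `web_service` tag, the thresholds, and the sample telemetry, which is constructed and uses RFC 5737 documentation addresses.

```python
from collections import defaultdict
from dataclasses import dataclass

# Real ATT&CK technique IDs from the Exfiltration tactic (TA0010); the dict is a
# deliberately small subset, not the whole tactic.
ATTACK_EXFIL = {
    "T1041": "Exfiltration Over C2 Channel",
    "T1048": "Exfiltration Over Alternative Protocol",
    "T1567": "Exfiltration Over Web Service",
    "T1030": "Data Transfer Size Limits",
    "T1029": "Scheduled Transfer",
}


@dataclass(frozen=True)
class Flow:
    """One outbound connection summary (assumed record layout, not a real sensor schema)."""
    ts: int                    # seconds since epoch
    src: str                   # internal host
    dst: str                   # external host
    proto: str                 # "https", "dns", ...
    bytes_out: int             # payload bytes sent by src
    c2_known: bool = False     # dst matched a C2 indicator in threat intel (assumed MISP hit)
    web_service: bool = False  # dst is a public file-sharing/cloud-storage host (assumed tag)


def categorize_flow(flow: Flow) -> list:
    """Per-flow mapping onto ATT&CK exfiltration techniques; several may apply at once."""
    hits = []
    if flow.c2_known:
        hits.append("T1041")
    if flow.web_service:
        hits.append("T1567")
    if flow.proto == "dns" and flow.bytes_out > 4096:
        hits.append("T1048")   # far more outbound DNS than name resolution needs
    return hits


def detect_size_limits(flows, cap=1_000_000, tolerance=0.05, min_chunks=5):
    """T1030 heuristic: at least min_chunks transfers to one destination whose sizes
    sit just under a fixed cap, the pattern of data split to stay below an egress
    or DLP threshold. Returns {(src, dst): chunk_count}."""
    sizes = defaultdict(list)
    for f in flows:
        sizes[(f.src, f.dst)].append(f.bytes_out)
    result = {}
    for pair, vals in sizes.items():
        chunks = [v for v in vals if cap * (1 - tolerance) <= v <= cap]
        if len(chunks) >= min_chunks:
            result[pair] = len(chunks)
    return result


def detect_scheduled(flows, min_events=3, jitter=60):
    """T1029 heuristic: transfers to one destination recur at a near-constant
    interval (all gaps within `jitter` seconds of each other).
    Returns {(src, dst): mean_interval_seconds}."""
    stamps = defaultdict(list)
    for f in flows:
        stamps[(f.src, f.dst)].append(f.ts)
    result = {}
    for pair, ts in stamps.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= jitter:
            result[pair] = round(sum(gaps) / len(gaps))
    return result


def summarize(flows):
    """Technique ID -> sorted list of internal hosts on which it was observed."""
    seen = defaultdict(set)
    for f in flows:
        for tid in categorize_flow(f):
            seen[tid].add(f.src)
    for (src, _dst) in detect_size_limits(flows):
        seen["T1030"].add(src)
    for (src, _dst) in detect_scheduled(flows):
        seen["T1029"].add(src)
    return {tid: sorted(hosts) for tid, hosts in seen.items()}


# Constructed sample telemetry (RFC 5737 documentation addresses), not real data.
SAMPLE_FLOWS = [
    # hourly ~1 MB chunks to a cloud file-sharing host: T1567 + T1030 + T1029
    *[Flow(ts=1_700_000_000 + i * 3600, src="10.0.0.5", dst="203.0.113.10",
           proto="https", bytes_out=990_000 + i * 500, web_service=True) for i in range(6)],
    # 9 KB sent inside DNS traffic: T1048 (DNS as the alternative protocol)
    Flow(ts=1_700_001_000, src="10.0.0.7", dst="198.51.100.53", proto="dns", bytes_out=9_000),
    # small upload to a destination already flagged as C2 in threat intel: T1041
    Flow(ts=1_700_002_000, src="10.0.0.9", dst="203.0.113.99", proto="https",
         bytes_out=2_000, c2_known=True),
    # ordinary browsing, no exfiltration category
    Flow(ts=1_700_003_000, src="10.0.0.11", dst="192.0.2.80", proto="https", bytes_out=700),
]

if __name__ == "__main__":
    for tid, hosts in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{tid} {ATTACK_EXFIL[tid]}: {', '.join(hosts)}")
```

Two design points carry over to real telemetry: categories are not mutually exclusive, so one event may legitimately sit in several ATT&CK techniques (the chunked upload above is at once a web-service, size-limited and scheduled transfer), and the per-flow rules only catch what a single record reveals, while T1030 and T1029 are only visible when flows are aggregated per source/destination pair over time.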