• Pre-exfiltration behaviors have been observed on a host that has received abnormally high amounts of data from one or more hosts within a short period of time.
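One way to express the behavior described above as detection logic, added here as an example and not the page's or any vendor's own code: sum inbound bytes per host over hourly windows, compare each window to the host's median historical inbound volume, and flag hosts that exceed a multiple of that baseline while receiving from several distinct peers. All flow records, addresses and thresholds below are constructed.

```python
from collections import defaultdict
from statistics import median

WINDOW = 3600  # seconds; one aggregation bucket per hour

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_received). Not real traffic.
# Historical hours used as the baseline: 10.0.5.20 normally takes ~50 MB/h from one peer.
BASELINE_FLOWS = [
    (1_700_000_000 + h * WINDOW, "10.0.1.10", "10.0.5.20", mb * 1_000_000)
    for h, mb in enumerate([40, 55, 50, 45, 60])
] + [(1_700_000_000 + h * WINDOW, "10.0.1.11", "10.0.5.21", 10_000_000) for h in range(5)]

# Recent hour: 10.0.5.20 suddenly receives 600 MB from four different internal hosts.
RECENT_FLOWS = [
    (1_700_100_000, "10.0.1.10", "10.0.5.20", 200_000_000),
    (1_700_100_600, "10.0.1.12", "10.0.5.20", 150_000_000),
    (1_700_101_200, "10.0.1.13", "10.0.5.20", 120_000_000),
    (1_700_101_800, "10.0.2.5", "10.0.5.20", 130_000_000),
    (1_700_100_300, "10.0.1.11", "10.0.5.21", 60_000_000),   # 6x baseline, but one peer
    (1_700_100_400, "10.0.1.10", "10.0.9.9", 1_000_000),     # host with no baseline
    (1_700_100_500, "10.0.1.11", "10.0.9.9", 500_000),
    (1_700_100_700, "10.0.1.12", "10.0.9.9", 500_000),
]

def inbound_per_window(flows, window=WINDOW):
    """Aggregate bytes received and distinct senders per (dst_ip, window bucket)."""
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, dst, nbytes in flows:
        key = (dst, ts // window)
        buckets[key]["bytes"] += nbytes
        buckets[key]["sources"].add(src)
    return buckets

def baseline_per_host(flows, window=WINDOW):
    """Median inbound bytes per window for each host seen in the historical flows."""
    per_host = defaultdict(list)
    for (dst, _), agg in inbound_per_window(flows, window).items():
        per_host[dst].append(agg["bytes"])
    return {dst: median(vals) for dst, vals in per_host.items()}

def find_staging_hosts(recent, baseline, ratio=10.0, min_sources=3, min_bytes=500_000_000):
    """Flag hosts whose inbound volume in a window is >= ratio * their baseline
    (or >= min_bytes when no baseline exists) and arrives from >= min_sources peers."""
    hits = []
    for (dst, bucket), agg in inbound_per_window(recent).items():
        base = baseline.get(dst)
        threshold = base * ratio if base else min_bytes
        if agg["bytes"] >= threshold and len(agg["sources"]) >= min_sources:
            hits.append({"host": dst, "window": bucket, "bytes": agg["bytes"],
                         "sources": sorted(agg["sources"])})
    return hits

if __name__ == "__main__":
    for hit in find_staging_hosts(RECENT_FLOWS, baseline_per_host(BASELINE_FLOWS)):
        print(f"possible staging host {hit['host']}: {hit['bytes']} bytes from {hit['sources']}")
```

The distinct-sender requirement keeps a single large transfer from a host's usual peer (a backup or update job) from firing on its own; that case is better handled by the verification steps further down.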

Possible Root Causes

  • An attacker has pivoted to a host to use for dumping/staging data prior to exfiltrating, likely taking advantage of the trusted nature of this host to bypass security controls and evade detection.
  • A malicious insider is collecting data they intend to steal from a position of trust.
  • A user has joined a new team, changed organizational roles, or otherwise been given reason to significantly depart from their typical data access and retrieval activities.
  • An application has been observed on an unusual or infrequent backup or update cycle.

Business Impact

  • Failure to identify and respond to pre-exfiltration activities in an organization increases the likelihood of data loss.
  • When successful, data exfiltration puts an organization at risk of losing intellectual property, financial data, or other regulated or sensitive data.

Steps to Verify

  1. Verify whether the data gathered supports valid and authorized business activities.
  2. Investigate the host and associated accounts for other signs of compromise.