• An internal host is acquiring a large amount of data from one or more internal servers and is subsequently sending a significant amount of data to an external system

Possible Root Causes

  • A host infected with malware as part of a targeted attack or a malicious insider may be acquiring and exfiltrating company data
  • While a host may acquire data and transmit a large quantity of it to the outside within a short period of time by pure coincidence, the outbound data transfer is significant enough to warrant further examination

Business Impact

  • The detection signals possible exfiltration of company data
  • The internal servers from which the data was retrieved provide some indication of the data that was acquired; if those servers contain valuable information and the external service to which the data was uploaded is not an IT-sanctioned service, the potential business risk is high

Steps to Verify

  1. Decide whether this may be a malicious insider or an infected host
  2. If the signs point to an infected host, contact the user to inquire whether they initiated the upload in question
  3. For potential malicious insiders, perform a complete analysis of recent behavior
  4. Look up the external system's IP addresses and domain names on sites that maintain reputation lists, as a listing there can be a clear indication that the internal host is infected; such lookups are supported directly within the UI
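The following is an added example, not code from the original page or from the product it describes. It runs the triggering condition above (a large pull from internal servers followed, within a short window, by a large push to an external system) over constructed flow records, then produces the facts the "Business Impact" and "Steps to Verify" sections ask for: which internal servers were read, whether each external destination is IT-sanctioned, and what a reputation list says about it. The flow-log format, the internal address ranges, the byte thresholds, the sanctioned-service set and the reputation entries are all assumptions made for illustration.

```python
"""Gather-then-exfiltrate detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: RFC 1918 space stands in for the site's internal networks.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed: one IT-sanctioned external upload destination and one reputation-list hit.
SANCTIONED_EXTERNAL = {"203.0.113.10"}
REPUTATION = {"198.51.100.7": "listed as a known malware drop site"}


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    nbytes: int  # bytes carried from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Constructed log format, one flow per line: '<ISO time> <src> <dst> <bytes>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def find_gather_then_exfil(flows, window=timedelta(hours=4),
                           min_pull=200 * 2**20, min_push=50 * 2**20):
    """For each internal host, sum bytes it received from other internal hosts
    (the 'gathering' half), then sum bytes it sent to external systems in the
    window starting at its first pull (the 'exfiltration' half). Pushes that
    happen before any pull are deliberately ignored: the trigger is sequential."""
    pulls = defaultdict(lambda: defaultdict(int))  # host -> internal server -> bytes
    first_pull = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src) and is_internal(f.dst):
            pulls[f.dst][f.src] += f.nbytes
            first_pull.setdefault(f.dst, f.ts)
    findings = []
    for host, servers in pulls.items():
        pulled = sum(servers.values())
        if pulled < min_pull:
            continue
        start = first_pull[host]
        pushes = defaultdict(int)  # external destination -> bytes
        for f in flows:
            if (f.src == host and not is_internal(f.dst)
                    and start <= f.ts <= start + window):
                pushes[f.dst] += f.nbytes
        pushed = sum(pushes.values())
        if pushed >= min_push:
            findings.append({"host": host, "pulled": pulled, "servers": dict(servers),
                             "pushed": pushed, "destinations": dict(pushes)})
    return findings


def triage(finding):
    """Steps-to-verify helper: classify each external destination. Any upload to
    an unsanctioned service from a host that read internal servers is rated high;
    a reputation hit additionally points to an infected host rather than a user."""
    risk, notes = "low", []
    for dst, nbytes in finding["destinations"].items():
        if dst in SANCTIONED_EXTERNAL:
            notes.append(f"{dst}: IT-sanctioned service, {nbytes} B; confirm with the user")
        elif dst in REPUTATION:
            risk = "high"
            notes.append(f"{dst}: {REPUTATION[dst]}, {nbytes} B; treat host as infected")
        else:
            risk = "high"
            notes.append(f"{dst}: unsanctioned, no reputation hit, {nbytes} B; "
                         "review the user's recent behaviour for insider activity")
    return risk, notes


# Constructed flows: 10.1.5.5 reads ~270 MB from two internal servers, then sends
# 240 MB to a reputation-listed address and 30 MB to the sanctioned service;
# 10.1.5.9 reads only 5 MB, so it is below the gathering threshold.
SAMPLE_FLOWS = """
2024-05-06T09:00:00 10.1.1.20 10.1.5.5 120000000
2024-05-06T09:05:00 10.1.1.21 10.1.5.5 150000000
2024-05-06T09:10:00 10.1.1.20 10.1.5.9 5000000
2024-05-06T09:30:00 10.1.5.9 93.184.216.34 2000000
2024-05-06T09:40:00 10.1.5.5 198.51.100.7 240000000
2024-05-06T10:00:00 10.1.5.5 203.0.113.10 30000000
"""

if __name__ == "__main__":
    for finding in find_gather_then_exfil(parse_flows(SAMPLE_FLOWS)):
        risk, notes = triage(finding)
        print(f"{finding['host']} pulled {finding['pulled']} B from {sorted(finding['servers'])}, "
              f"pushed {finding['pushed']} B; risk={risk}")
        for note in notes:
            print("  " + note)
```

The sequential window matters: summing inbound and outbound volume independently would also flag a file server that receives uploads all day, whereas requiring the external push to follow the first internal pull keeps the finding tied to the gather-then-send pattern the trigger describes. Thresholds and window length must be tuned to the environment's normal traffic.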