Signs of Smash and Grab
- A host transmits unusually large volumes of data to destinations which are not considered normal for this network
- The threat score is driven by the number of IPs the destination domain maps to; if the host is on a public IP, it also takes into account whether the destination is in another country
- The certainty score is driven by the rate of data being exfiltrated
Possible root causes of Smash and Grab
- An attacker is rapidly exfiltrating large volumes of data from your network
- The host is sending large volumes of data to destinations that have not been previously used for large data transfers
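The detection logic described above, as an added illustration in Python (not the vendor's own code): it aggregates outbound flow records per host and destination, skips destinations already seen for large transfers, and derives a threat score from the destination's IP count and country and a certainty score from the exfiltration rate. The volume threshold, the score weights, the baseline and the enrichment data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    ts: int        # seconds since epoch (constructed sample data)
    host: str      # internal source host
    dst: str       # destination domain
    bytes_out: int # bytes sent host -> dst in this record

# Assumed baseline: destinations previously used for large transfers on this network.
KNOWN_LARGE_TRANSFER_DSTS = {"backup.example-corp.internal"}
# Assumed enrichment: how many IPs each destination resolves to, and its country.
DST_INFO = {
    "backup.example-corp.internal": {"ip_count": 1, "country": "US"},
    "drop.example.net": {"ip_count": 12, "country": "RU"},
}
LARGE_VOLUME_BYTES = 500 * 1024 * 1024  # assumed threshold: 500 MiB per host/dst pair

def score_threat(dst, host_is_public_ip, home_country="US"):
    """More resolved IPs -> higher threat; foreign destination adds to it for public-IP hosts."""
    info = DST_INFO.get(dst, {"ip_count": 0, "country": None})
    score = min(info["ip_count"], 10) * 5           # assumed weight, capped at 50
    if host_is_public_ip and info["country"] not in (None, home_country):
        score += 30                                  # assumed weight for another country
    return min(score, 100)

def score_certainty(rate_bps):
    """Certainty grows with the exfiltration rate (assumed: 5 points per MB/s, capped)."""
    return min(int(rate_bps / 1e6 * 5), 100)

def detect(flows, known_dsts=KNOWN_LARGE_TRANSFER_DSTS, host_is_public_ip=True):
    per_pair = defaultdict(list)
    for f in flows:
        per_pair[(f.host, f.dst)].append(f)
    alerts = []
    for (host, dst), recs in per_pair.items():
        total = sum(f.bytes_out for f in recs)
        if total < LARGE_VOLUME_BYTES or dst in known_dsts:
            continue  # not a large volume, or a destination normal for this network
        duration = max(1, max(f.ts for f in recs) - min(f.ts for f in recs))
        rate = total / duration
        alerts.append({"host": host, "dst": dst, "bytes": total, "rate_bps": rate,
                       "threat": score_threat(dst, host_is_public_ip),
                       "certainty": score_certainty(rate)})
    return alerts

# Constructed flow records: one sanctioned backup, one rapid upload to a new destination.
SAMPLE_FLOWS = [
    Flow(0, "10.1.2.3", "backup.example-corp.internal", 800_000_000),
    Flow(0, "10.1.2.3", "drop.example.net", 300_000_000),
    Flow(60, "10.1.2.3", "drop.example.net", 400_000_000),
    Flow(0, "10.1.2.4", "drop.example.net", 1_000_000),
]
```

Running `detect(SAMPLE_FLOWS)` yields a single alert for 10.1.2.3 to drop.example.net; the backup destination is suppressed by the baseline and the 1 MB transfer falls under the volume threshold.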
Business Impact of a Smash and Grab
- The detection signals possible exfiltration of company data
- The host from which the data was sent, the destination to which the data was sent and the volume of data transmitted may provide some clues to what data was transmitted
- If the external service to which data was uploaded is not an IT-sanctioned service, the potential business risk is high
How to Investigate Smash and Grabs
- Check to see if the destination IP or domain to which data was moved is an entity you trust for your network
- Ask the user of the host whether they have any knowledge of the data transfer
- If the data transfer is unexplained and your endpoint security solution logs such things, determine what software on the host was responsible for the data transfer