
Proactive Detection and Response to Data Exfiltration Attacks

Abstract


Cyware's solutions provide a robust playbook that combines with DLP tools to proactively detect and respond to data exfiltration attacks.

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence, Forensic and Malware Analysis, Endpoint, Data Loss Prevention.

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

  • Cyware Threat Intelligence eXchange (CTIX)

  • Cyware Situational Awareness Platform (CSAP)

Third-Party Integrations Used:

  • Proofpoint DLP: Brings together email, cloud, and endpoint DLP alerts to protect your organization against data loss.

  • Splunk SIEM: SIEM solution to identify hits to the IOCs and retrieve DLP alerts.

  • CrowdStrike Falcon Endpoint Detection and Response: EDR solution used to retrieve asset details and block malicious IOCs.

  • Active Directory: CMDB database to retrieve user details.

Problem Statement

Organizations often find it challenging to gain visibility into their data, especially when it is dispersed across multiple systems, applications, and networks. The lack of visibility makes it difficult for security teams to detect and respond to data exfiltration attacks. Hence, organizations must have a plan that can significantly enhance their ability to identify and mitigate data exfiltration threats, protecting valuable data assets and minimizing the potential impact of a breach.

Solution

Security teams require a multi-layered approach that combines continuous monitoring, indicator enrichment, robust incident response procedures, and proper communication with the teams that are working to mitigate the threats. Cyware’s solution provides a robust playbook that combines with data loss prevention (DLP) tools to proactively detect and respond to data exfiltration attacks.

[Figure: Proactive Detection and Response to Data Exfiltration Attacks playbook diagram]

How do we solve this problem?

  1. Retrieve DLP Alerts from SIEM: The playbook starts by retrieving the DLP alerts received from the Proofpoint enterprise DLP application.

  2. Fetch User/Asset Details: The playbook parses the DLP alert received from Proofpoint and extracts the important information, such as user details, asset details, and the indicators involved.

  3. Create Incident: The playbook now creates an incident in CFTR and adds the alert details to the incident. After onboarding the incident, the playbook also performs enrichment.

  4. Enrichment: The playbook performs the following enrichment activities and updates the details of the CFTR incident.

    1. Enrich User Details: The identified user details are sent to a CMDB database such as Active Directory to retrieve more details such as business unit, details of the user’s supervisor, organization, etc.

    2. Enrich Indicators: The malicious indicators identified in the alert are sent to CTIX for enrichment. CTIX provides details such as object relations, confidence scores, and more. If the indicators are not present in CTIX, the playbook also sends the indicators to the OSINT database for enrichment.

    3. Enrich Asset Details: The identified asset details are sent to the EDR tool to retrieve asset details such as hostname, serial number, IP address, activity logs, etc.

  5. Retrieve SIEM Logs: The playbook sends the asset details to the SIEM, retrieves the event logs for the identified asset, and adds them to the CFTR incident.

  6. Malicious or Non-Malicious: Based on the details retrieved during enrichment, the playbook determines whether the hash is malicious.

    1. Non-Malicious: If the hash is identified as non-malicious, the playbook adds its findings as comments to the Learnings and Closure section of the CFTR incident. Analysts can manually review the details and close the incident. After the CFTR incident is closed, the corresponding DLP alert in Proofpoint is also closed.

    2. Malicious: If the hash is identified as malicious, the playbook automatically performs the following actions.

      1. Quarantines the impacted asset.

      2. Blocks the malicious IOCs on proxy and firewall.

  7. Notify User: After performing the response actions, the playbook sends a CSAP alert to the impacted user describing the data exfiltration attack and the remediation steps. If the user does not respond to the alert, the playbook sends a CSAP alert to the impacted user's supervisor.

  8. Update CFTR Incident: The remediation and response actions are updated to the CFTR incident and tracked as separate actions. After completion, analysts can take the incident for manual review and closure.
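The decision logic of steps 2 through 8, as an added illustration that is not Cyware's own playbook code: a constructed DLP alert is parsed, the hash is checked against a stand-in CTIX store and then an OSINT fallback, and the verdict drives quarantine/blocking and the user-then-supervisor notification. All data structures, the `CONFIDENCE_THRESHOLD` value, and the function names are assumptions made for this example; no real Proofpoint, CTIX, or CSAP API is called.

```python
import json

# Constructed sample DLP alert in the shape this example expects (not real Proofpoint output).
SAMPLE_ALERT = json.dumps({
    "alert_id": "dlp-0001", "user": "jdoe", "host": "LAPTOP-42",
    "file_hash": "0" * 64, "destination": "files.example.net"})

# Constructed lookups standing in for CTIX, an OSINT feed, and Active Directory.
CTIX_DB = {"0" * 64: {"verdict": "malicious", "confidence": 85}}
OSINT_DB = {"1" * 64: {"verdict": "benign", "confidence": 70}}
DIRECTORY = {"jdoe": {"supervisor": "msmith", "business_unit": "Finance"}}
CONFIDENCE_THRESHOLD = 60  # assumed tuning value for acting on a "malicious" verdict

def parse_alert(raw: str) -> dict:
    """Step 2: extract user, asset, and indicator fields from the DLP alert."""
    alert = json.loads(raw)
    return {k: alert[k] for k in ("alert_id", "user", "host", "file_hash", "destination")}

def enrich_indicator(ioc: str) -> dict:
    """Step 4.2: ask CTIX first; fall back to OSINT only when CTIX has no record."""
    if ioc in CTIX_DB:
        return {"source": "ctix", **CTIX_DB[ioc]}
    if ioc in OSINT_DB:
        return {"source": "osint", **OSINT_DB[ioc]}
    return {"source": None, "verdict": "unknown", "confidence": 0}

def run_playbook(raw_alert: str, user_acknowledged: bool) -> dict:
    """Steps 3-8: onboard the incident, enrich, decide, respond, notify, and record."""
    alert = parse_alert(raw_alert)
    incident = {"id": f"INC-{alert['alert_id']}", "alert": alert, "actions": [],
                "notified": [], "learnings": None, "status": "open"}
    incident["user"] = {"name": alert["user"], **DIRECTORY.get(alert["user"], {})}  # step 4.1
    intel = enrich_indicator(alert["file_hash"])
    incident["intel"] = intel
    # Step 6: an unknown or low-confidence verdict is NOT treated as malicious.
    malicious = intel["verdict"] == "malicious" and intel["confidence"] >= CONFIDENCE_THRESHOLD
    if not malicious:  # step 6.1: leave findings for the analyst, no automated response
        incident["learnings"] = (f"hash not confirmed malicious "
                                 f"(source: {intel['source'] or 'no intel'}); analyst review")
    else:  # step 6.2: quarantine the asset and block the IOCs on proxy/firewall
        incident["actions"] += [f"quarantine:{alert['host']}",
                                f"block:{alert['file_hash']}", f"block:{alert['destination']}"]
        incident["notified"].append(alert["user"])  # step 7: CSAP alert to the user
        if not user_acknowledged:  # escalate to the supervisor when the user does not respond
            incident["notified"].append(incident["user"].get("supervisor", "unknown"))
    incident["status"] = "pending_review"  # step 8: actions tracked, analyst closes manually
    return incident
```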

Benefits

Identify Threat Early

The solution allows organizations to proactively identify data exfiltration attempts before significant damage occurs. This helps security teams to prevent data loss, limit the impact of a breach, and minimize potential financial and reputational damage.

Timely Incident Response

Proactive detection enables organizations to initiate a rapid incident response process. This includes isolating affected systems, investigating the breach, and taking immediate steps to contain and mitigate the attack. A timely response can minimize the duration of the breach, reduce data exposure, and prevent further compromise.

Going Beyond Incident Investigation

The playbook not only helps the organization respond to specific data exfiltration attacks but also captures the learnings from those incidents so that long-term strategic controls can be put in place. Additionally, the playbook notifies both security teams and the affected users.