📘CompTIA Security+ (SY0-701)
Exfiltration is when an attacker steals or moves sensitive data out of your network without authorization. Understanding exfiltration is crucial for Cisco security because it helps you detect and prevent data breaches.
Attackers are clever—they hide data inside normal network traffic to avoid detection. This is why knowing the techniques matters.
Here are the main methods:
1. DNS Tunneling
- What it is: DNS (Domain Name System) is normally used to translate website names to IP addresses.
- How attackers use it: They hide data inside DNS requests or responses. For example, every time a user requests
something.example.com, a part of that request contains stolen data. The attacker’s server decodes it. - Why it works: Most networks allow DNS traffic, so attackers can sneak data past firewalls.
- Key points for exam:
- Often used for small amounts of data, because DNS packets are small.
- Can bypass traditional security monitoring.
- Detection can involve monitoring for unusual DNS requests or large volumes of DNS traffic.
2. HTTPS (Hypertext Transfer Protocol Secure)
- What it is: HTTPS is encrypted web traffic. Normally, it’s secure for legitimate web browsing.
- How attackers use it: They send stolen data over HTTPS to a server they control. Encryption hides the content, so security systems may not see the data.
- Why it works: Many companies allow HTTPS to any website, so attackers exploit this to sneak out large files.
- Key points for exam:
- Hard to detect because traffic is encrypted.
- Often used in combination with web uploads, cloud storage, or secure web services.
3. Email Exfiltration
- What it is: Using email to send stolen data outside the organization.
- How attackers use it: They may attach files to emails or hide data in email body text.
- Why it works: Email is widely allowed in networks, and attackers can create accounts to send data unnoticed.
- Key points for exam:
- Look for unusual attachments or large email volumes.
- Can be automated using scripts.
- Outbound email monitoring is a key defense.
4. FTP, SSH, SCP, SFTP
- FTP (File Transfer Protocol): Unencrypted file transfer. Attackers can upload or download sensitive files.
- SCP (Secure Copy), SFTP (SSH File Transfer Protocol): Secure methods using encryption. Attackers can still use them to move files but are harder to detect because traffic is encrypted.
- SSH (Secure Shell): Provides a secure remote connection; attackers can use it to transfer files.
- Key points for exam:
- FTP is easy to detect because it’s plaintext.
- SCP/SFTP/SSH are harder to monitor due to encryption.
- Watch for unauthorized connections or transfers to unknown servers.
5. ICMP (Internet Control Message Protocol)
- What it is: ICMP is normally used for network tools like ping.
- How attackers use it: They hide data inside ICMP messages (like ping replies) to communicate with an external server.
- Why it works: ICMP is often allowed through firewalls for troubleshooting, so it can be a hidden channel.
- Key points for exam:
- Known as ICMP tunneling.
- Usually low-bandwidth (small data transfers).
- Detection involves monitoring unusual ICMP traffic patterns.
6. Messenger / Chat Applications
- What it is: Attackers can use instant messaging apps (like Slack, Teams, or older Messenger services) to send data.
- How attackers use it: They may encode files or sensitive information in chat messages.
- Why it works: Organizations often allow chat apps, so traffic looks normal.
- Key points for exam:
- Look for unauthorized apps or unusual file sharing patterns.
- Exfiltration is low visibility but can move sensitive data quickly.
7. IRC (Internet Relay Chat)
- What it is: IRC is an old chat protocol, but attackers still use it to move data and control infected systems.
- How attackers use it: They create channels to send commands or exfiltrate small amounts of data from compromised systems.
- Why it works: Lightweight and often ignored in modern monitoring tools.
- Key points for exam:
- Mostly used in botnets and malware.
- Monitor for unusual outbound connections on IRC ports (usually TCP 6667).
8. NTP (Network Time Protocol)
- What it is: NTP is used to synchronize system clocks.
- How attackers use it: They hide data inside NTP requests or responses.
- Why it works: NTP traffic is often allowed and overlooked by security tools.
- Key points for exam:
- Only small data transfers are feasible.
- Detection requires analyzing unexpected NTP traffic patterns.
Summary Table for Exam
| Technique | How it Works | Detection Difficulty | Key Tip |
|---|---|---|---|
| DNS tunneling | Hide data in DNS queries | Medium | Watch for unusual requests |
| HTTPS | Encrypted web traffic | High | Monitor destination servers |
| Send data as attachments/text | Medium | Monitor unusual email patterns | |
| FTP/SFTP/SCP/SSH | File transfer | Medium-High | Watch for unauthorized transfers |
| ICMP | Hide data in ping messages | Medium | Monitor unusual ICMP traffic |
| Messenger/Chat | Send data through chat apps | Medium | Monitor apps & file sharing |
| IRC | Chat channels for data & commands | Medium | Watch for connections to unknown IRC servers |
| NTP | Hide data in time sync messages | Low-Medium | Look for unusual NTP traffic |
Exam Tips
- Know the types of exfiltration channels: DNS, HTTPS, email, FTP/SCP/SFTP, ICMP, Messenger, IRC, NTP.
- Understand why attackers use each: mostly because the traffic is allowed and/or encrypted.
- Remember detection methods: unusual traffic volume, unknown destinations, unauthorized apps, or encrypted channels.
- Keep in mind bandwidth limitations: DNS, ICMP, NTP are mostly for small data; HTTPS, FTP, email can move large files.
