Exfiltration
What is Exfiltration?
The MITRE ATT&CK tactic (TA0010) covering techniques used to transfer stolen data out of a victim network to an attacker-controlled location.
Exfiltration (MITRE ATT&CK tactic TA0010) groups techniques used to move collected data outside the victim's environment. Common channels include exfiltration over command and control protocols, transfer to web services such as Dropbox, Mega, or rclone-to-cloud destinations, DNS tunneling, HTTPS POSTs to attacker-controlled domains, scheduled transfers to blend with business hours, and physical media. Adversaries throttle bandwidth, chunk archives, and use TLS to make detection harder. Defenders deploy DLP, egress filtering, TLS inspection at the perimeter, monitoring for large or unusual outbound flows, alerts on rclone/megacmd binaries, and identity-based controls on cloud storage. In ransomware double-extortion, exfiltration often precedes encryption to gain leverage.
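The defensive side of the paragraph above (monitoring for large or unusual outbound flows, and spotting DNS tunneling) can be illustrated with a small detector. The following is an added example written for this entry, not code from the glossary or from MITRE; the log formats, thresholds, IP addresses and the base32-looking query names are all constructed for the illustration, and the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""Added example: two exfiltration heuristics run over constructed log records.

1. DNS tunneling: long, high-entropy labels in (mostly TXT) queries.
2. Volume: single large outbound flows and large per-host totals in a window.
All thresholds below are assumptions for the example, not page-stated values.
"""
import math
from collections import Counter, defaultdict

TXT_QNAME_MAX_LEN = 60        # total TXT query name length before it looks odd
LABEL_MAX_LEN = 40            # one DNS label longer than this is rare in normal traffic
LABEL_ENTROPY_MIN = 3.5       # bits/char; encoded payloads score high, words score low
TUNNEL_MIN_HITS = 3           # suspicious queries from one client before alerting
PER_FLOW_BYTES = 500 * 1024**2   # single outbound flow above 500 MiB
PER_HOST_BYTES = 1024**3         # cumulative outbound per host above 1 GiB
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local time (assumed)

# Constructed DNS query log: (client_ip, qtype, qname). Not real observations.
DNS_LOG = [
    ("10.0.1.5", "A", "www.example.com"),
    ("10.0.1.5", "TXT", "_dmarc.example.com"),
    ("10.0.1.5", "MX", "example.com"),
    ("10.0.2.9", "TXT", "mzxw6ytboi5hgzlsmvse4y3umvzgk3tpozsxe5dyebzgk3tfee.tunnel-placeholder.example"),
    ("10.0.2.9", "TXT", "nbswy3dpeb3w64tmmqqgc3tumfzxi2lomnsq2y3tnfxgkzy.tunnel-placeholder.example"),
    ("10.0.2.9", "TXT", "onqwizlsmf2gs33oebzgk3tfeb2hezlfeb2gqzlsmvzgc3tumvzq.tunnel-placeholder.example"),
]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out, hour_of_day).
FLOWS = [
    ("10.0.1.5", "203.0.113.10", 443, 12_000_000, 10),      # ~11 MiB midday: normal
    ("10.0.3.7", "198.51.100.20", 443, 900 * 1024**2, 2),   # 900 MiB at 02:00
    ("10.0.3.7", "198.51.100.20", 443, 300 * 1024**2, 3),   # another 300 MiB at 03:00
    ("10.0.4.2", "192.0.2.50", 53, 4096, 14),               # tiny DNS flow: normal
]


def shannon_entropy(s):
    """Bits per character; 0.0 for a single repeated symbol, up to log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_dns_query(qtype, qname):
    """True when a query name looks like it carries encoded data rather than a hostname."""
    labels = qname.rstrip(".").split(".")
    first = labels[0]
    if qtype.upper() == "TXT" and len(qname) > TXT_QNAME_MAX_LEN:
        return True
    if any(len(label) > LABEL_MAX_LEN for label in labels):
        return True
    # Short labels are skipped: entropy on a 3-letter label is meaningless.
    if len(first) >= 20 and shannon_entropy(first) > LABEL_ENTROPY_MIN:
        return True
    return False


def dns_tunnel_alerts(log, min_hits=TUNNEL_MIN_HITS):
    """Map client_ip -> count of suspicious queries, for clients at or above min_hits."""
    hits = Counter()
    for client, qtype, qname in log:
        if suspicious_dns_query(qtype, qname):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


def large_flow_alerts(flows):
    """List of (src_ip, reason) for oversized single flows and oversized per-host totals."""
    alerts = []
    per_host = defaultdict(int)
    for src, dst, dport, bytes_out, hour in flows:
        per_host[src] += bytes_out
        if bytes_out > PER_FLOW_BYTES:
            when = "business hours" if hour in BUSINESS_HOURS else "off hours"
            alerts.append((src, f"single flow of {bytes_out} bytes to {dst}:{dport} during {when}"))
    for src, total in per_host.items():
        if total > PER_HOST_BYTES:
            alerts.append((src, f"cumulative outbound {total} bytes in window"))
    return alerts


if __name__ == "__main__":
    print("DNS tunnel suspects:", dns_tunnel_alerts(DNS_LOG))
    for src, reason in large_flow_alerts(FLOWS):
        print(f"volume alert {src}: {reason}")
```

On the constructed input, the three encoded TXT queries from 10.0.2.9 trip the label-length rule (and the entropy rule as a backstop), while the legitimate `_dmarc` TXT lookup from 10.0.1.5 does not; host 10.0.3.7 raises one alert for its 900 MiB off-hours flow and a second for exceeding 1 GiB cumulative. The two detectors are deliberately independent so each can be tuned, or fed from a different sensor (resolver logs versus NetFlow), without affecting the other.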
● Examples
- 01. Using rclone to copy a multi-gigabyte archive of internal documents to a Mega.io account.
- 02. DNS-tunneling stolen secrets out of an air-gapped segment via long TXT queries.
● Frequently asked questions
What is Exfiltration?
The MITRE ATT&CK tactic (TA0010) covering techniques used to transfer stolen data out of a victim network to an attacker-controlled location. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Exfiltration?
Defences for Exfiltration combine technical controls (DLP, egress filtering, TLS inspection at the perimeter, monitoring for large or unusual outbound flows, alerts on rclone/megacmd binaries, and identity-based controls on cloud storage) with operational practices, as described in the full definition above.
What are other names for Exfiltration?
Common alternative names include: Data exfiltration, TA0010.
● Related terms
- MITRE ATT&CK [compliance № 687]: A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Collection (MITRE Tactic) [defense-ops № 199]: The MITRE ATT&CK tactic (TA0009) covering techniques used to gather information of interest before it is exfiltrated.
- DNS Tunneling [network-security № 344]: A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.
- Data Loss Prevention (DLP) [privacy № 278]: A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.
- Ransomware [malware № 900]: Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Cyber Kill Chain [defense-ops № 265]: Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
● See also
- Data Breach [№ 275]