Analytics Story: Data Protection

Description

Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.

Why it matters

Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels via low-risk, high-payoff active-collections operations and close-access operations using insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect USB device insertion None TTP
Detection of DNS Tunnels Exfiltration Over Unencrypted Non-C2 Protocol TTP
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References


Source: GitHub | Version: 1