Description

Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change, Change_Analysis, Network_Resolution
  • Last Updated: 2017-09-14
  • Author: Bhavin Patel, Splunk
  • ID: 91c676cf-0b23-438d-abee-f6335e1fce33

Narrative

Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques fall into two groups: remote-access channels, where an attacker who already has a foothold pulls data out over the network (low-risk, high-payoff active-collection operations), and close-access operations that rely on insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.

Detections

Name                                                  Technique                                        Type
Detect USB device insertion                           (none)                                           TTP
Detect hosts connecting to dynamic domain providers   Drive-by Compromise                              TTP
Detection of DNS Tunnels                              Exfiltration Over Unencrypted Non-C2 Protocol    TTP
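The two DNS-based detections in the table above, written out as a standalone heuristic run over constructed sample resolution logs. This is an added example and not the Splunk searches behind these detections or any Splunk code: the log line format, the client addresses and domain names, the thresholds (five distinct queries, an average query length of 50 characters, 3.0 bits of entropy in the leftmost label) and the short dynamic-DNS provider list are all assumptions made for the example, and the USB-insertion detection, which keys on registry changes rather than DNS, is not covered.

```python
import math
from collections import defaultdict

# Constructed sample DNS resolution lines ("timestamp client query"). These are not
# Splunk Network_Resolution events; the hosts and domains are made up for this example.
SAMPLE_DNS_LOGS = """\
2017-09-14T10:00:01Z 10.1.2.3 www.example.com
2017-09-14T10:00:02Z 10.1.2.3 mail.example.com
2017-09-14T10:00:03Z 10.1.2.9 host7.no-ip.org
2017-09-14T10:00:04Z 10.1.2.9 update.dyndns.org
2017-09-14T10:00:05Z 10.1.2.7 3a7f9c1e4b6d0e8f2a5c7b9d1f3e5a7c.x.tunnel-example.net
2017-09-14T10:00:06Z 10.1.2.7 9c2e4a6b8d0f1c3e5a7b9d1f3e5c7a9b.x.tunnel-example.net
2017-09-14T10:00:07Z 10.1.2.7 0d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c.x.tunnel-example.net
2017-09-14T10:00:08Z 10.1.2.7 5b7d9f1a3c5e7a9c1e3b5d7f9a1c3e5b.x.tunnel-example.net
2017-09-14T10:00:09Z 10.1.2.7 8e0a2c4e6b8d0f2a4c6e8a0c2e4b6d8f.x.tunnel-example.net
2017-09-14T10:00:10Z 10.1.2.7 1c3e5a7c9e1b3d5f7a9c1e3a5c7e9b1d.x.tunnel-example.net
2017-09-14T10:00:11Z 10.1.2.3 cdn.example.com
"""

# Assumed, deliberately short stand-in for the dynamic-DNS provider lookup a real
# deployment would maintain; the Splunk detection relies on a much longer lookup table.
DYNAMIC_DNS_PROVIDERS = {"no-ip.org", "dyndns.org", "duckdns.org", "hopto.org"}


def parse_dns_log(text):
    """Turn the constructed log text into a list of {ts, src, query} dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash on them
        ts, src, query = parts
        records.append({"ts": ts, "src": src, "query": query.lower().rstrip(".")})
    return records


def registered_domain(query):
    """Last two labels of the query. Simplification: a real detection should use the
    public suffix list so that e.g. host.example.co.uk maps to example.co.uk."""
    labels = query.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded payloads score close to 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_dynamic_dns_clients(records, providers=DYNAMIC_DNS_PROVIDERS):
    """Clients that resolved any name under a known dynamic-DNS provider."""
    hits = defaultdict(set)
    for r in records:
        if registered_domain(r["query"]) in providers:
            hits[r["src"]].add(r["query"])
    return {src: sorted(qs) for src, qs in hits.items()}


def find_dns_tunnel_candidates(records, min_unique_queries=5,
                               min_avg_query_len=50, min_label_entropy=3.0):
    """Domains with many distinct, long, high-entropy subdomains: the shape of a tunnel."""
    by_domain = defaultdict(set)
    for r in records:
        by_domain[registered_domain(r["query"])].add(r["query"])
    candidates = {}
    for domain, queries in by_domain.items():
        if len(queries) < min_unique_queries:
            continue
        avg_len = sum(len(q) for q in queries) / len(queries)
        # Entropy of the leftmost label only: that is where tunnel payload usually sits.
        avg_entropy = sum(shannon_entropy(q.split(".")[0]) for q in queries) / len(queries)
        if avg_len >= min_avg_query_len and avg_entropy >= min_label_entropy:
            candidates[domain] = {
                "unique_queries": len(queries),
                "avg_query_len": round(avg_len, 1),
                "avg_label_entropy": round(avg_entropy, 2),
            }
    return candidates


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOGS)
    print("dynamic DNS clients:", find_dynamic_dns_clients(recs))
    print("DNS tunnel candidates:", find_dns_tunnel_candidates(recs))
```

On the sample, 10.1.2.9 is reported for the two dynamic-DNS lookups and tunnel-example.net is the only tunnel candidate; example.com is skipped because it has too few distinct names. The thresholds need tuning against your own baseline before alerting: CDNs and some anti-virus and reputation services also generate many long, high-entropy subdomains under one registered domain, so a production search should whitelist those and split on the public suffix list rather than the last two labels.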

Reference

source | version: 1