Elastic
Start free trial
Loading

Potential Data Exfiltration Activity to an Unusual Region

Elastic Stack Serverless Security

A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-6h (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Data Exfiltration Detection
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Tactic: Exfiltration
  • Resources: Investigation Guide

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

[TBC: QUOTE]
Investigating Potential Data Exfiltration Activity to an Unusual Region

Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to atypical regions. Adversaries exploit command and control channels to exfiltrate data to these regions, bypassing traditional security measures. This detection rule leverages ML to flag unusual geo-locations, indicating potential exfiltration activities, thus aiding in early threat identification.

Possible investigation steps

  • Review the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization’s typical network traffic patterns.
  • Analyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region.
  • Cross-reference the IP addresses involved in the data transfer with threat intelligence databases to check for any known malicious activity or associations.
  • Investigate the user accounts and devices involved in the data transfer to assess if they have been compromised or are exhibiting other suspicious behaviors.
  • Check for any recent changes in network configurations or security policies that might have inadvertently allowed data transfers to atypical regions.
  • Collaborate with the organization’s IT and security teams to verify if there are legitimate business reasons for the data transfer to the flagged region.

False positive analysis

  • Legitimate business operations involving data transfers to new or infrequent regions may trigger false positives. Users should review and whitelist these regions if they are part of regular business activities.
  • Scheduled data backups or transfers to cloud services located in atypical regions can be mistaken for exfiltration. Identify and exclude these services from the rule’s scope.
  • Remote work scenarios where employees connect from different regions might cause alerts. Maintain an updated list of remote work locations to prevent unnecessary alerts.
  • Partner or vendor data exchanges that occur outside usual geographic patterns should be documented and excluded if they are verified as non-threatening.
  • Temporary projects or collaborations with international teams may result in unusual data flows. Ensure these are accounted for in the rule’s configuration to avoid false positives.

Response and remediation

  • Isolate the affected systems immediately to prevent further data exfiltration. Disconnect them from the network to stop ongoing communication with the unusual geo-location.
  • Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine which data was accessed or transferred.
  • Revoke any compromised credentials and enforce a password reset for affected accounts to prevent unauthorized access.
  • Implement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network.
  • Review and update firewall and intrusion detection system (IDS) rules to detect and block similar command and control traffic patterns in the future.
  • Escalate the incident to the security operations center (SOC) and relevant stakeholders, providing them with detailed findings and actions taken for further investigation and response.
  • Conduct a post-incident review to assess the effectiveness of the response and identify any gaps in the security posture, implementing necessary improvements to prevent recurrence.

Setup

Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

Data Exfiltration Detection Setup

The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic’s Anomaly Detection feature.

Prerequisite Requirements:

  • Fleet is required for Data Exfiltration Detection.
  • To configure Fleet Server refer to the documentation.
  • Network events collected by the Elastic Defend or Network Packet Capture integration.
  • To install Elastic Defend, refer to the documentation.
  • To add the Network Packet Capture integration to an Elastic Agent policy, refer to this guide.

The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:

  • Go to the Kibana homepage. Under Management, click Integrations.
  • In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
  • Follow the instructions under the Installation section.
  • For this rule to work, complete the instructions through Add preconfigured anomaly detection jobs.

Framework: MITRE ATT&CKTM