Triggers
- An internal host is acquiring a large amount of data from one or more internal servers and is subsequently sending a significant amount of data to an external system
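As an added illustration (not part of the original detection description), the following Python script shows how this trigger can be evaluated over summarised flow records: for each internal host it sums bytes pulled from other internal hosts and bytes pushed to external addresses inside a sliding window that ends at an outbound flow, so that the acquisition precedes the upload. The internal address ranges, thresholds, window length and the sample flows are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust to the environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    """One summarised flow record: nbytes sent from src to dst, starting at ts."""
    ts: datetime
    src: str
    dst: str
    nbytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smugglers(flows, acquire_min=500 * MB, exfil_min=500 * MB,
                   window=timedelta(hours=2)):
    """Return {host: details} for internal hosts that pulled at least acquire_min
    bytes from other internal hosts and then pushed at least exfil_min bytes to
    external addresses, both within one window ending at an outbound flow."""
    # Per internal host, the events that matter: acquisitions (the host receives
    # an internal-to-internal flow) and uploads (the host sends to the outside).
    events = {}
    for f in flows:
        src_int, dst_int = is_internal(f.src), is_internal(f.dst)
        if src_int and dst_int and f.src != f.dst:
            events.setdefault(f.dst, []).append((f.ts, "acquire", f.src, f.nbytes))
        elif src_int and not dst_int:
            events.setdefault(f.src, []).append((f.ts, "upload", f.dst, f.nbytes))

    hits = {}
    for host, evs in events.items():
        evs.sort()
        for ts, kind, _, _ in evs:
            if kind != "upload":
                continue
            # Look back one window from this upload. Every acquisition counted
            # here precedes (or coincides with) the upload, which preserves the
            # "acquire, then send" ordering the trigger describes.
            start = ts - window
            recent = [e for e in evs if start <= e[0] <= ts]
            acquired = sum(n for _, k, _, n in recent if k == "acquire")
            uploaded = sum(n for _, k, _, n in recent if k == "upload")
            if acquired < acquire_min or uploaded < exfil_min:
                continue
            # Keep the window with the largest outbound volume per host.
            if host not in hits or uploaded > hits[host]["uploaded_bytes"]:
                hits[host] = {
                    "acquired_bytes": acquired,
                    "uploaded_bytes": uploaded,
                    "internal_sources": sorted({p for _, k, p, _ in recent if k == "acquire"}),
                    "external_destinations": sorted({p for _, k, p, _ in recent if k == "upload"}),
                }
    return hits


# Constructed sample flows (documentation address ranges used for the outside).
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_FLOWS = [
    # workstation pulls ~1.1 GB from two internal servers, then pushes 900 MB out
    Flow(T0, "10.1.0.10", "10.1.2.3", 800 * MB),
    Flow(T0 + timedelta(minutes=20), "10.1.0.11", "10.1.2.3", 300 * MB),
    Flow(T0 + timedelta(minutes=30), "10.1.2.3", "203.0.113.50", 400 * MB),
    Flow(T0 + timedelta(minutes=45), "10.1.2.3", "203.0.113.50", 500 * MB),
    # ordinary host: small pull, small push; should not trigger
    Flow(T0 + timedelta(minutes=5), "10.1.0.10", "10.1.2.4", 50 * MB),
    Flow(T0 + timedelta(minutes=10), "10.1.2.4", "198.51.100.7", 2 * MB),
    # large upload with no preceding internal acquisition; a different trigger
    Flow(T0 + timedelta(minutes=50), "10.1.2.5", "203.0.113.80", 700 * MB),
]

if __name__ == "__main__":
    for host, details in find_smugglers(SAMPLE_FLOWS).items():
        print(host, details)
```

The per-host result records the internal sources and external destinations of the flagged window, which is exactly the information the verification steps below rely on: the sources indicate what data may have been acquired, and the destinations are what to check against sanctioned-service and reputation lists.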
Possible Root Causes
- A host infected with malware as part of a targeted attack or a malicious insider may be acquiring and exfiltrating company data
- While acquiring a large quantity of data and then transmitting it to the outside within a short period of time may be pure coincidence, the outbound data transfer is significant enough to warrant further examination
Business Impact
- The detection signals possible exfiltration of company data
- The internal servers from which the data was retrieved provide some indication of the data which was acquired; if those servers contain valuable information and the external service to which data was uploaded is not an IT-sanctioned service, the potential business risk is high
Steps to Verify
- Decide whether this may be a malicious insider or an infected host
- If the signs point to an infected host, contact the user to inquire if they initiated the uploading behavior in question
- For potential malicious insiders, perform a complete analysis of recent behavior
- Look up the external system IP addresses and domain names on sites that maintain reputation lists, as this may provide a clear indication that the internal host is infected; such lookups are supported directly within the UI