
Joseph Carson at Delinea explores the changing motives of ransomware attackers and what this means for organisations in protecting their systems and data.
Comparing cyber-security to the defence of a castle has long been a favourite analogy in the security industry. But, while the idea of building strong external defences to keep out attackers was once an apt comparison, it’s an increasingly poor fit for modern cyber-threats.
Rather than mounting an overt, frontal assault, today’s cyber-attackers are often more like thieves, trying to slip unnoticed through the castle defences, maybe posing as one of the fortress’s inhabitants and escaping before the alarm is raised.
In the case of ransomware attacks – which still pose one of the greatest risks to organisations globally – the era of attackers striking, declaring themselves and demanding payment is moving on. Organisations have invested heavily in increasing ransomware resiliency with a strong data backup and recovery strategy as well as improved access controls.
Adversaries are now more likely to breach the network in order to steal data and use the threat of selling it on the dark web as a bargaining chip. This shift marks a critical evolution in the threat landscape, putting additional pressure on organisations, especially when customer or sensitive data is stolen.
Delinea’s State of Ransomware 2024 report highlights an alarming increase in ransomware attacks – more than half of companies reported being hit in 2023, compared to just 25% the year before.
But our research also casts a light on changing strategies, revealing that 64% of organisations reported incidents of data exfiltration over the last 12 months, a significant rise from 46% the previous year.
This evolution demands a similar transformation in our defence strategies.
The success of disruptive attacks like ransomware relies on shock and awe, with the attackers aiming to make as big an impact as possible. Threat actors may take their time getting everything into position, but once the ransomware is executed, the victim will know about it very quickly – although likely still not fast enough to stop it.
By contrast, data exfiltration works best when the victims are kept in the dark. The threat actors ideally want to make a clean getaway with as much valuable data as possible. From here, they will often use the threat of leaking or selling the stolen data as leverage in extortion demands, or may use it to fuel further attacks. A stealthy theft leaves the organisation on the back foot, potentially unsure of when and how its data was stolen, as well as exactly what was taken.
Both approaches rely on a low-and-slow initial attack, but while ransomware gangs will usually shout about it once the attack has been carried out, exfiltration may go on quietly in the background for months.
The research also noted changes in preferred attack vectors, with a significant decrease in the use of email as the primary method for launching attacks, down from 52% to 37% of attacks. Instead, attackers are increasingly targeting cloud services and compromised applications. The widespread use of cloud infrastructure allows attackers to move more smoothly and easily and to gain continuous access to systems and data, ramping up the potential for damage when they choose to strike.
The best approach for organisations is a multi-layered security strategy to make it as difficult as possible for attackers to breach the network undetected, minimising their chances of accessing and exfiltrating data.
Central to this approach is the early detection of anomalous activities, which relies on solutions capable of identifying potential threats before they become breaches. Alongside this, strong identity security capabilities are critical in stopping attackers who aim to slip through defences under the guise of authorised users.
The enforcement of the principle of ‘Least Privilege’ is one of the most fundamental strategies to minimise the attack surface. By ensuring that users have access only to the resources necessary for their roles, organisations can significantly reduce the potential impact of an attack.
Taking this a step further, Privileged Access Management (PAM) is especially important for strengthening access control mechanisms to mitigate the risk of unauthorised access, even when credentials are compromised.
Additionally, the development of robust incident response plans is essential for mitigating the impact of attacks and ensuring rapid recovery. This has become more important as the likelihood of being attacked continues to climb. These plans should detail specific actions to be taken in the event of a breach and assign clear roles and responsibilities. They should also be regularly updated to reflect the evolving threat landscape.
Implementing the capabilities to combat these shifting cyber-threats can be challenging. We found that companies were less likely to increase their cyber-security spending after an attack last year, potentially due to economic uncertainty or an overall tightening of spending.
However, with 91% of respondents indicating specific budget allocations for ransomware defence, up from 68% in 2022, it’s clear that executive and board-level concern about ransomware is growing. This concern must translate into actionable strategies that prioritise cyber-security as a critical component of organisational resilience.
Similarly, as threat groups switch up their tactics to focus on data exfiltration alongside encryption, security investments need to follow suit.
For organisations attempting to keep ahead in this challenging environment, it is imperative to adopt a multi-faceted and proactive security strategy. This includes enhancing detection capabilities and implementing robust access management.
By prioritising these strategies, businesses can not only defend against the current wave of ransomware threats but also build a resilient foundation to withstand future cyber-security challenges.
Joseph Carson is Chief Security Scientist (CSS) & Advisory CISO at Delinea