Configure the Data Exfiltration Use Case

Configure Exabeam Security Operations Platform to protect your environment against the Data Exfiltration use case. Ensure that you collect the right data, set up investigation tools, enable response mechanisms, and import relevant Data Lake reports.

To protect against a use case, you might follow an end-to-end workflow that looks like:

Collect – Ensure that you bring in the correct logs for the use case and that all fields populate.
Detect – Use out-of-the-box rules and models to identify suspicious activity.
Investigate – Ask important questions about the data from log sources, rules, and models.
Respond – Isolate, neutralize, eliminate, and mitigate any threats you find.
Report – Gather all the evidence in a report so you can share your investigation with others or use for compliance purposes.

Let's configure everything you need to successfully follow each stage of this workflow.

Collect

Collect the data needed to investigate the Data Exfiltration use case and ensure all context tables are populated correctly.

Ensure that you contacted Exabeam Customer Success and they helped you onboard and validate the log sources needed to implement the Data Exfiltration use case.
Ensure that you have the is_dynamicdns_domain out-of-the-box context table.
Ensure that users and assets have the correct labels based on the context tables. For example, if a user is in the user_is_privileged context table, navigate to the user's profile to verify they have the privileged label.

Detect

Ensure you have all mechanisms in place, like rules, models, watchlists, and Threat Hunter searches, to successfully identify suspicious activity.

Rules and models

Validate out-of-the-box rules and models to ensure you accurately detect anomalous activity.

Import the latest content packages on the Exabeam Community. These content packages contain the latest rules and models, which aren't available to install in Content Updates settings. You must download them from the Exabeam Community, then import them.
Ensure that related rules and models are triggering correctly.

Threat Hunter searches

To quickly search for events that may indicate an attacker is exfiltrating data, create and save the suggested Threat Hunter search queries.

Threat Hunter search	Search criteria
Users who moved a lot of data out of the organization	Reasons: A-WEB-DLP-A WEB-GBytes-A-FS WEB-GBytesSum-EWD WEB-New-File-20 WEB-OBytes-A-FS WEB-OBytesSum-EWD WEB-UBytesSum-EWD WEB-UBytesSum-Out-FS WEB-UDLP-A WEB-UDLP-A-FS WEB-URank-DLP Dates – Last 7 days
Users who triggered DLP alerts	Reasons: A-DLP-AN-ALERT-A A-DLP-AN-ALERT-F A-DLP-HN-ALERT-A A-DLP-HN-ALERT-F A-DLP-OA-ALERT-A A-DLP-OA-ALERT-F A-DLP-ON-ALERT-A A-DLP-ON-ALERT-F A-DLP-ZN-ALERT-A A-DLP-ZN-ALERT-F DLP-GA-F DLP-GBp-F DLP-GP-A DLP-GP-F DLP-MPolicy DLP-MProtocol DLP-OA-F DLP-OBp-F DLP-OG-ALERT-A DLP-OG-ALERT-F DLP-OP-A DLP-OP-F DLP-OU-ALERT-A DLP-PT-F DLP-UA-F DLP-UBp-F DLP-UPolicy-A DLP-UPolicy-F DLP-UProtocol-A DLP-UProtocol-F Dates – Last 7 days
Users who triggered DLP alerts and abnormally moved data	Activity Types – DLP Activity Reasons: A-DLP-AN-ALERT-A A-DLP-AN-ALERT-F A-DLP-HN-ALERT-A A-DLP-HN-ALERT-F A-DLP-OA-ALERT-A A-DLP-OA-ALERT-F A-DLP-ON-ALERT-A A-DLP-ON-ALERT-F A-DLP-ZN-ALERT-A A-DLP-ZN-ALERT-F DLP-GA-F DLP-GBp-F DLP-GP-A DLP-GP-F DLP-MPolicy DLP-MProtocol DLP-OA-F DLP-OBp-F DLP-OG-ALERT-A DLP-OG-ALERT-F DLP-OP-A DLP-OP-F DLP-OU-ALERT-A DLP-PT-F DLP-UA-F DLP-UBp-F DLP-UPolicy-A DLP-UPolicy-F DLP-UProtocol-A DLP-UProtocol-F Dates – Last 7 days
Users or devices that uploaded more than 500MB of data	Data Upload – 500 Dates – Last 7 days
Users or devices exhibiting MITRE ATT&CK^® Exfiltration tactics, techniques, and procedures (TTPs)^[a]	Rule Tags: Exfiltration Over Alternative Protocol Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Automated Exfiltration Exfiltration Over C2 Channel Dates – Last 7 days
Users who triggered rare DLP alerts	Reasons: A-DLP-AN-ALERT-A A-DLP-AN-ALERT-F A-DLP-HN-ALERT-A A-DLP-HN-ALERT-F A-DLP-OA-ALERT-A A-DLP-OA-ALERT-F A-DLP-ON-ALERT-A A-DLP-ON-ALERT-F A-DLP-ZN-ALERT-A A-DLP-ZN-ALERT-F Dates – Last 7 days
Confidential file shares that uploaded a lot of data to the internet	Reasons: A-WEB-DLP-A WEB-GBytes-A-FS WEB-GBytesSum-EWD WEB-New-File-20 WEB-OBytes-A-FS WEB-OBytesSum-EWD WEB-UBytesSum-EWD WEB-UBytesSum-Out-FS WEB-UDLP-A WEB-UDLP-A-FS WEB-URank-DLP EM-Confidential-File Dates – Last 7 days
^[a]MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.

Configure Settings to Search for Data Lake Logs in Advanced Analytics

If you have an on-premises deployment, ensure that you configure certain Advanced Analytics settings so you can search for Data Lake logs from a Smart Timelines™ event.

If you have a cloud-delivered product offering, ensure that you configure Data Lake as a log source.

Investigate

Ensure you have the tools you need, like tasks and incident types, to investigate the evidence you collect from log sources, rules, and models.

Case Manager Incident Type

In Case Manager, ensure that you have the out-of-the-box Data Exfiltration incident type, or create one if it isn't available out-of-the-box in your Exabeam version. Ensure the incident type has all corresponding incident fields.

Case Manager Tasks and Phases

In Case Manager, define a clear response plan to ensure everyone across your organization responds to a Data Exfiltration incident consistently. Under each phase, prescribe the relevant tasks for investigating, containing, and remediating a Data Exfiltration incident.

The out-of-the-box Data Exfiltration incident type comes with suggested phases and tasks. If you don't have the out-of-the-box Data Exfiltration incident type, create the following suggested phases and tasks for your custom Data Exfiltration incident type.

Phase: Detection & Analysis

Task name – Identify suspicious activity
Task instruction:
- Determine how the data was leaked; for example, through web, email, network, or physical device.
- Identify what the user accessed; for example, application, file, or database.
- Identify the files the user accessed.
Task name – Review user and asset Smart Timelines™ and profiles
Task instruction:
- Review all user Smart Timelines for anomalies.
- Review all user profiles and what's considered normal for the user.
- Review all asset Smart Timelines for anomalies.
- Review all asset profiles and what's considered normal for the asset.
Task name – Analyze and scope
Task instruction:
- Determine if the threat is ongoing.
- Identify relevant third-party alerts and link them to the incident.
- Identify and collect relevant Indicators of Compromise (IOCs).
- Enrich the IOC data with information from reputable sources.
- Identify the credentials initially used to access the exfiltrated data.
- Identify all user accounts associated with the affected credentials.
- Identify the initial attack vector.
- Identify what class of data was leaked.
- Identify any methods used to persist in the environment.
- Identify any hosts used to stage the exfiltrated data.
Task name – Retrospectively search for anomalous activity
Task instruction:
- Determine if logs from potentially impacted systems were sent to your centralized SIEM or log aggregation platform.
- Determine if there was any additional anomalous activity, like if the account accessed new applications, triggered security alerts, or exfiltrated data.
- Determine if any new processes were executed or software was installed. Investigate if the processes or software were used nefariously.
- Determine if the user disabled security tools on the endpoint, like Endpoint Detection and Response (EDR), Endpoint Protection Platfrom (EPP), or Data Loss Prevention (DLP) tools.
- Identify any suspicious outbound network traffic.
- Find evidence that the user connected a known malicious IP address or domain.
- Determine if the user abnormally connected to networks at abnormal times.
- Determine if the country the user connected to was abnormal.
- Determine if the user connected to or from abnormal ports.
- Determine if the user made unusual DNS requests.
- Determine if there was an unusual amount of outbound network traffic.
Task name – Proactively monitor impacted users and systems
Task instruction – Add the systems and users to a watchlist to proactively monitor them.
Task name – Reassess the severity of the incident
Task instruction – If appropriate, edit the incident priority.

Phase: Containment

Task name – Tell the SOC Manager about the incident
Task instruction:
- If needed, inform your SOC Manager of the incident and include the incident's expected start and end date.
- Determine whether additional team members or teams, like HR, Legal, or Physical Security, must get involved.
Task name – Determine adequate response measures to contain the threat
Task instruction:
- Disable the accounts that made unauthorized changes.
- Quarantine systems to prevent anybody from accessing them. Inform any business and asset owners as needed.
- For any suspicious accounts, ensure their access is disabled, including access to VPN or SSO.

Phase: Eradication

Task name – Preserve logs for impacted systems and users
Task instruction:
- Retrieve and preserve Data Lake logs associated with the user from the expected start to the present.
- Upload the Data Lake logs to the incident.
- If there's possible nefarious intent, obtain a forensic image of the system or isolate the physical machine from the network.
- Obtain a copy of the exfiltrated data.
Task name – Remediate
Task instruction:
- If necessary, reduce the user's network access; for example, block ports or restrict web access.
- Remove all persistence methods.
- Ensure any code pushes or infrastructure as code (IaC) is free of persistence methods.
- As necessary, deploy new patches.

Phase: Recovery

Task name – Proactively check systems
Task instruction:
- Reset all affected credentials
- Restore disabled credentials as necessary,
Task name – Implement relevant global security measures
Task instruction:
- Change permissions and access levels as appropriate.
- Implement new Data Loss Prevention (DLP) security rules as necessary.

Phase: Post-Incident Activity

Task name – Update documentation
Task instruction:
- Ensure the incident contains documentation of all relevant events and actions taken.
- Identify methods to improve the team’s response to future incidents.
Task name – Hold post-mortem meeting
Task instruction:
- Meet with your team. Review the incident and lessons learned.
- Document and track administrative and technical gaps identified during the incident.

Case Manager Incident Email Communication

To collaborate on an incident with people across your organization, ensure that you configure incident email communication.

Respond

Enable response mechanisms you need to isolate, neutralize, eliminate, and mitigate any threats you find.

In Incident Responder, create triggers for all turnkey playbooks.

Report

To share your investigation with others or for compliance purposes, ensure you have the relevant out-of-the-box Data Lake reports:

Exabeam - Data Loss Prevention Activity - Host Based
Exabeam - Data Loss Prevention Activity - User Based
Exabeam - Data Loss Prevention Activity Summary

Use CasesConfigure Threat Detection, Investigation, and Response (TDIR) Use Case Categories

Table of ContentsTable of Contents