The act of data exfiltration—moving sensitive data like intellectual property or payment card information out of a target environment and into a separate location under the control of the adversary—is the ultimate goal of many cyber attacks.

Despite the wide array of technologies that promise to detect and prevent data theft, many breaches are reported in the news every year. The financial impact, regulatory fines, and overall scope of these breaches are enormous.

This blog post will explore why the current, status quo mechanisms for monitoring sensitive data movement and stopping breaches aren't working, and offer a way to improve the efficacy of sensitive data monitoring using network detection and response.

When and How Do Attackers Move Sensitive Data?

To catch sensitive data movement at critical junctures during an attack, you need to understand what an attacker is trying to do with the data. Attackers will:

That toehold is only useful if they can eventually expand it and use it to steal data. Monitoring sensitive data movement offers a key opportunity to catch an adversary during the late stages of an attack, but before they exfiltrate data.

With admin privileges in hand and persistence established, the attacker will conduct more intensive internal reconnaissance. This can produce several clear signals that sensitive data is at risk. Some signs of this attack stage are:

Once an attacker has located sensitive data and obtained the credentials needed to access it, they probably aren't going to move it all off at once. They also probably can't dump it directly from its (hopefully more secure) primary location to their own server somewhere else on the internet.

They'll need to gradually move the data to a machine they control, and then trickle it out through some obscure channel. That might be the same channel by which they established a command and control link when they first compromised the network. This phase of the attack can generate several strong signals of an attack in progress, but only if you're watching for them.

Why the Status Quo for Sensitive Data Monitoring Doesn't Work

As noted above, there are many technologies that promise to monitor sensitive data and prevent breaches. So why do breaches keep happening? You could argue that hackers are always developing new, sophisticated ways to steal data, but the truth is that most data breaches don't make use of some fancy, brand new zero day.

Attackers use tried and true mechanisms like brute force attacks to access privileged accounts, network scanning to map out the territory, and standard protocols like HTTP/S, DNS, or even FTP to exfiltrate the data. The breach of a major U.S. bank, in which over 30GB of customer financial records were stolen, used well-known and detectable mechanisms to find and exfiltrate highly sensitive data. How did that happen, and how can you prevent it from happening to you?

Ask yourself: how would you detect sensitive data being moved in small pieces to a less sensitive location within your own network? Common answers might be:

These approaches, while valid, share a few challenges, including:

Why Network Detection and Response Is Better for Sensitive Data Monitoring

Network detection and response platforms like ExtraHop Reveal(x) passively observe and analyze network traffic in real time to detect risky or unauthorized data movement. This approach offers certain benefits:

In today's large, dynamic environments, this kind of always-on visibility, which covertly watches every transaction and can even capture packets for forensics, is the only way to assure complete visibility with 100% coverage of sensitive data in a network.

To see how Reveal(x) monitors sensitive data better than other methods, try out a demo of Reveal(x) for yourself!
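The two-stage pattern described above, staging data on an internal machine and then trickling it out over a standard protocol, can be spotted from flow records alone. The following is an added example (not ExtraHop's or Reveal(x)'s code) that runs that logic over constructed flow records; the addresses, the list of sensitive-data stores and the thresholds are all hypothetical and would be tuned to a real environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src, dst, dst_port, bytes); all addresses hypothetical.
FLOWS = [
    ("10.0.5.20", "10.0.9.77", 445, 60_000_000),  # sensitive file share -> workstation
    ("10.0.5.20", "10.0.9.77", 445, 55_000_000),  # second large pull to the same host
    ("10.0.5.20", "10.0.9.12", 445, 120_000),     # routine small fetch by another user
    ("10.0.9.12", "198.51.100.5", 443, 9_000),    # ordinary HTTPS browsing
]
# The staging host then trickles ~400-byte DNS flows to one external address, 30 times.
FLOWS += [("10.0.9.77", "203.0.113.9", 53, 400 + i) for i in range(30)]

SENSITIVE_STORES = {"10.0.5.20"}  # hypothetical: hosts where sensitive data legitimately lives
STAGING_BYTES = 50_000_000        # volume pulled from a store that is unusual for a client
TRICKLE_MIN_FLOWS = 20            # repeated small flows to a single external destination
TRICKLE_MAX_BYTES = 1_500         # "small" per-flow size, e.g. DNS queries or HTTPS beacons

# RFC 1918 ranges stand in for "internal"; adjust to the environment's own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_staging_hosts(flows, stores=SENSITIVE_STORES, threshold=STAGING_BYTES):
    """Internal hosts (not stores themselves) that pulled >= threshold bytes from the stores."""
    pulled = defaultdict(int)
    for src, dst, _port, size in flows:
        if src in stores and dst not in stores and is_internal(dst):
            pulled[dst] += size
    return {host: total for host, total in pulled.items() if total >= threshold}

def find_trickle_out(flows, hosts, min_flows=TRICKLE_MIN_FLOWS, max_bytes=TRICKLE_MAX_BYTES):
    """(host, external_dst, port, flow_count) where a watched host sends many small flows out."""
    counts = defaultdict(int)
    for src, dst, port, size in flows:
        if src in hosts and not is_internal(dst) and size <= max_bytes:
            counts[(src, dst, port)] += 1
    return sorted(key + (n,) for key, n in counts.items() if n >= min_flows)

def detect(flows):
    """Alert only when staging and trickle-out are both seen for the same internal host."""
    staging = find_staging_hosts(flows)
    return [(h, d, p, n, staging[h]) for h, d, p, n in find_trickle_out(flows, staging)]

if __name__ == "__main__":
    for host, dst, port, n, staged in detect(FLOWS):
        print(f"{host} staged {staged} bytes, then sent {n} small flows to {dst}:{port}")
```

Correlating the two stages keeps a single large internal copy, or a chatty but small-volume client, from raising an alert on its own.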