Advisory severity: low

Unusual Spike in Bytes Written to External Device Detected by Machine Learning

A machine learning job has detected a spike in bytes written to an external device. Such a spike is anomalous and can signal illicit data copying or transfer, potentially leading to data exfiltration.

The Data Exfiltration Detection integration, part of the Elastic Security suite, includes a machine learning job designed to detect anomalies in data transfer patterns to external devices. This job, named “ded_high_bytes_written_to_external_device,” identifies unusual increases in the amount of data written to external devices, which could indicate data exfiltration attempts. The system establishes a baseline of normal activity and flags deviations from that baseline, operating on a 15-minute interval and examining data from the preceding two hours. While this rule is intended to detect malicious data exfiltration, legitimate activities like backups, software updates, archiving, and media creation can trigger false positives. The rule is enabled via the Data Exfiltration Detection integration.

Attack Chain

  1. The attacker gains initial access to a system via compromised credentials or other means.
  2. The attacker enumerates sensitive data on the compromised system.
  3. The attacker stages the data for exfiltration, possibly compressing or archiving it.
  4. The attacker connects an external device (e.g., USB drive) to the system.
  5. The attacker initiates a large data transfer to the external device.
  6. The Data Exfiltration Detection machine learning job detects a significant increase in bytes written to the external device, triggering an alert.
  7. The attacker removes the external device containing the exfiltrated data.
  8. The attacker uses the external device to access the stolen data.

Impact

A successful data exfiltration event can result in the loss of sensitive information, potentially leading to financial losses, reputational damage, legal repercussions, and competitive disadvantage. Although no number of victims or targeted sectors is specified, the potential impact is broad, affecting any organization that stores sensitive data on systems accessible to malicious actors. The severity depends on the nature and volume of the exfiltrated data.

Recommendation

  • Review and tune the Data Exfiltration Detection integration’s configuration, specifically the “ded_high_bytes_written_to_external_device” machine learning job, to reduce false positives related to legitimate data transfer activities.
  • Implement and enforce data transfer policies to restrict the unauthorized use of external devices and ensure compliance with organizational security standards.
  • Deploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices, as recommended in the rule’s response and remediation guidance.
  • Investigate any alerts generated by the “Spike in Bytes Sent to an External Device” rule (rule_id: “35a3b253-eea8-46f0-abd3-68bdd47e6e3d”) to determine the legitimacy of the data transfer and take appropriate action.
  • Consult the investigation guide provided in the rule’s notes section to aid in the triage and analysis of potential data exfiltration incidents.

Detection coverage (2 rules)

Potential Data Exfiltration via High Bytes Written to Removable Media (Process)

Severity: medium

Detects a process writing a significant number of bytes to a removable drive, potentially indicating data exfiltration.

Sigma rule. Tactics: exfiltration. Techniques: T1052.001. Sources: process_creation, windows.

Potential Data Exfiltration via High Bytes Written to Removable Media (File Event)

Severity: medium

Detects a significant number of bytes written to removable media, potentially indicating data exfiltration.

Sigma rule. Tactics: exfiltration. Techniques: T1052.001. Sources: file_event, windows.
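The description above of how the "ded_high_bytes_written_to_external_device" job works (a baseline of normal activity, a 15-minute interval, two hours of preceding data) and the two removable-media Sigma rules listed here share one core idea: sum bytes written to external devices per time bucket and flag a bucket that is far above recent history, attributing it to the process that wrote most. The following Python is an added illustration of that logic over constructed sample events; it is not Elastic's ML job, not the Sigma rules' queries, and the event schema (`WriteEvent`), the 5x spike factor and the 256 MiB floor are assumptions chosen for the toy, not values taken from the rules.

```python
"""Toy 15-minute spike detector for bytes written to removable (external) devices.

Constructed illustration, not Elastic's ML job or the Sigma rules' queries:
bytes are summed per host per 15-minute bucket, the baseline is the mean of the
eight preceding buckets (two hours), and a bucket is flagged when it is both
above an absolute floor and several times the baseline. The top-writing process
in a flagged bucket is reported, mirroring the per-process removable-media rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

BUCKET = timedelta(minutes=15)                 # the job's 15-minute interval
LOOKBACK = timedelta(hours=2)                  # history window the job examines
HISTORY_BUCKETS = LOOKBACK // BUCKET           # 8 buckets of baseline history
SPIKE_FACTOR = 5.0                             # assumed: flag at >= 5x the baseline mean
MiB = 1024 * 1024
ABS_FLOOR = 256 * MiB                          # assumed: ignore spikes below 256 MiB


@dataclass(frozen=True)
class WriteEvent:
    """Assumed event schema; real telemetry fields differ by sensor."""
    ts: datetime
    host: str
    process: str
    device_type: str        # "removable" (external) or "fixed" (internal disk)
    bytes_written: int


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 15-minute bucket."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // BUCKET) * BUCKET


def aggregate_removable(events):
    """Sum bytes per (host, bucket) and per process, counting removable devices only."""
    agg = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.device_type != "removable":
            continue                            # writes to internal disks are out of scope
        agg[(e.host, bucket_start(e.ts))][e.process] += e.bytes_written
    return agg


def find_spikes(events):
    """Return one alert dict per (host, bucket) whose removable-device writes spike."""
    agg = aggregate_removable(events)
    totals = {key: sum(per_proc.values()) for key, per_proc in agg.items()}
    alerts = []
    for (host, start), total in sorted(totals.items()):
        # Buckets with no removable writes count as zero: a quiet period is a real baseline.
        history = [totals.get((host, start - i * BUCKET), 0)
                   for i in range(1, HISTORY_BUCKETS + 1)]
        baseline = mean(history)
        # With an empty baseline (cold start) only the absolute floor applies,
        # which is why the floor exists: a first 4 MiB copy must not alert.
        if total >= ABS_FLOOR and total >= SPIKE_FACTOR * baseline:
            top_process, top_bytes = max(agg[(host, start)].items(), key=lambda kv: kv[1])
            alerts.append({
                "host": host,
                "bucket_start": start,
                "bytes_written": total,
                "baseline_bytes": baseline,
                "top_process": top_process,
                "top_process_bytes": top_bytes,
            })
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    # Two hours of steady background: a few MiB per bucket copied to a USB stick.
    *[WriteEvent(T0 + i * BUCKET, "ws-01", "explorer.exe", "removable", 4 * MiB) for i in range(8)],
    # A large write to the internal disk: a legitimate backup, and out of scope anyway.
    WriteEvent(T0 + 8 * BUCKET + timedelta(minutes=1), "ws-01", "backup.exe", "fixed", 3000 * MiB),
    # The spike: an archiver pushes 1.5 GiB to the USB stick inside one bucket.
    WriteEvent(T0 + 8 * BUCKET + timedelta(minutes=3), "ws-01", "7z.exe", "removable", 1500 * MiB),
    WriteEvent(T0 + 8 * BUCKET + timedelta(minutes=7), "ws-01", "explorer.exe", "removable", 4 * MiB),
]


if __name__ == "__main__":
    for a in find_spikes(SAMPLE_EVENTS):
        print(f"{a['host']} {a['bucket_start']:%H:%M}: {a['bytes_written'] // MiB} MiB to removable "
              f"(baseline {a['baseline_bytes'] / MiB:.1f} MiB); top process {a['top_process']} "
              f"with {a['top_process_bytes'] // MiB} MiB")
```

Running the script flags only the 11:00 bucket on ws-01, attributes it to 7z.exe, and ignores the 3000 MiB backup because it went to the internal disk. The absolute floor is what keeps the cold-start case sane: with no history the baseline is zero, so without the floor every first write to a freshly inserted device would alert, which is exactly the false-positive class (backups, media creation) the advisory says needs tuning.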
