{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/external-device/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data exfiltration","machine learning","external device"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Data Exfiltration Detection integration, part of the Elastic Security suite, includes a machine learning job designed to detect anomalies in data transfer patterns to external devices. This job, named \u0026ldquo;ded_high_bytes_written_to_external_device,\u0026rdquo; identifies unusual increases in the amount of data written to external devices, which could indicate data exfiltration attempts. The system establishes a baseline of normal activity and flags deviations from that baseline, operating on a 15-minute interval and examining data from the preceding two hours. While this rule is intended to detect malicious data exfiltration, legitimate activities like backups, software updates, archiving, and media creation can trigger false positives. The rule is enabled via the Data Exfiltration Detection integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system via compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates sensitive data on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the data for exfiltration, possibly compressing or archiving it.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external device (e.g., USB drive) to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer to the external device.\u003c/li\u003e\n\u003cli\u003eThe Data Exfiltration Detection machine learning job detects a significant increase in bytes written to the external device, triggering an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device containing the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the external device to access the stolen data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful data exfiltration event can result in the loss of sensitive information, potentially leading to financial losses, reputational damage, legal repercussions, and competitive disadvantage. Although the specific number of victims and targeted sectors are not specified, the potential impact is broad, affecting any organization that stores sensitive data on systems accessible to malicious actors. The severity depends on the nature and volume of the exfiltrated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and tune the Data Exfiltration Detection integration\u0026rsquo;s configuration, specifically the \u0026ldquo;ded_high_bytes_written_to_external_device\u0026rdquo; machine learning job, to reduce false positives related to legitimate data transfer activities.\u003c/li\u003e\n\u003cli\u003eImplement and enforce data transfer policies to restrict the unauthorized use of external devices and ensure compliance with organizational security standards.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices, as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Spike in Bytes Sent to an External Device\u0026rdquo; rule (rule_id: \u0026ldquo;35a3b253-eea8-46f0-abd3-68bdd47e6e3d\u0026rdquo;) to determine the legitimacy of the data transfer and take appropriate action.\u003c/li\u003e\n\u003cli\u003eConsult the investigation guide provided in the rule\u0026rsquo;s notes section to aid in the triage and analysis of potential data exfiltration incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-high-bytes-written-to-external-device/","summary":"A machine learning job has detected a spike in bytes written to an external device, which is anomalous and can signal illicit data copying or transfer activities, potentially leading to data exfiltration.","title":"Unusual Spike in Bytes Written to External Device Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2026-04-high-bytes-written-to-external-device/"}],"language":"en","title":"CraftedSignal Threat Feed — External Device","version":"https://jsonfeed.org/version/1.1"}