Investigating Potential Data Exfiltration with the Observable Web Portal

Observable’s endpoint modeling system detects many kinds of security-related issues. It has multiple types of alerts in the “data loss prevention” category, which are aimed at identifying instances when a user (or an attacker) might have transferred files or data outside the local network without authorization.

The alert summary

One type of alert that might come up is “Extreme Outlier,” which looks for sudden shifts in behavior. When a machine on the local network transfers a record amount of data out using a particular service, this alert may show up:

Detailed observations

The observations for this alert show the record traffic was outbound (External bytes out), and furthermore almost all of that traffic was using a single profile (DropboxClient). So we have over 12 GB of traffic going to Dropbox - the previous record was 100 MB:

Researching the event

If we click the Source dropdown, we can get more information on this local machine:

That will take us to the Device page for that machine, which shows clearly the record outbound traffic the alert is describing:

The summary for the day of the alert (2016-10-25) shows the top connections the local machine made - both internal (on the local network) and external (on the Internet). Here we see 16 GB coming from prod-db.local on the inside, and 12 GB going to the Dropbox hosts (as the alert noted before):
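As an added illustration (not Observable's own code or algorithm), here is a simplified version of the two checks described above: flagging a device/profile pair whose outbound volume breaks its previous daily record by a large margin, and listing the internal hosts that fed that device the same day. It runs over constructed daily flow summaries; the device names, peer names, profile labels and the 10x ratio threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample daily flow summaries (not real Observable data):
# (day, device, peer, profile, direction, bytes)
# direction is "external_out" (leaving the local network) or "internal_in".
FLOWS = [
    ("2016-10-24", "ws-42.local", "dropbox.com", "DropboxClient", "external_out", 100_000_000),
    ("2016-10-24", "ws-42.local", "prod-db.local", "MySQL", "internal_in", 150_000_000),
    ("2016-10-25", "ws-42.local", "dropbox.com", "DropboxClient", "external_out", 12_000_000_000),
    ("2016-10-25", "ws-42.local", "prod-db.local", "MySQL", "internal_in", 16_000_000_000),
    ("2016-10-25", "ws-42.local", "updates.example", "HTTP", "external_out", 50_000_000),
    ("2016-10-25", "ws-7.local", "dropbox.com", "DropboxClient", "external_out", 90_000_000),
]

def daily_totals(flows, direction):
    """Sum bytes per (day, device, profile) for one traffic direction."""
    totals = defaultdict(int)
    for day, dev, _peer, profile, dirn, nbytes in flows:
        if dirn == direction:
            totals[(day, dev, profile)] += nbytes
    return totals

def extreme_outliers(flows, day, min_ratio=10):
    """Flag (device, profile) pairs whose external bytes out on `day` beat
    that pair's previous daily record by at least min_ratio. Pairs with no
    prior history are skipped: there is no baseline to be an outlier against."""
    totals = daily_totals(flows, "external_out")
    hits = []
    for (d, dev, profile), today in totals.items():
        if d != day:
            continue
        prior = [v for (pd, pdev, pprof), v in totals.items()
                 if (pdev, pprof) == (dev, profile) and pd < day]
        if prior and today >= min_ratio * max(prior):
            hits.append({"device": dev, "profile": profile,
                         "bytes_out": today, "previous_record": max(prior)})
    return hits

def internal_sources(flows, day, device):
    """Internal peers that sent data to `device` on `day`, largest first:
    the 'where did the data come from' context the Device page provides."""
    by_peer = defaultdict(int)
    for d, dev, peer, _profile, dirn, nbytes in flows:
        if d == day and dev == device and dirn == "internal_in":
            by_peer[peer] += nbytes
    return sorted(by_peer.items(), key=lambda kv: kv[1], reverse=True)
```

Note that a profile with no prior history (HTTP and the second workstation above) is not flagged by this check, so a brand-new upload service would need a separate "first seen" rule.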

Following up

This alert highlights how automation and human administration can work well together - the Observable system can highlight that there’s an unusually large upload to the Dropbox service (and that the data probably came from a local database). However, the administrator will know whether that’s something to be concerned about (was it the user’s last day?) or not (were files being uploaded for a collaborative project?).

Before closing out this alert, the administrator should check whether this sort of transfer is consistent with company policy. If it’s not, the owner of the local machine can be contacted to determine whether the action was benign or not.
