What is Data exfiltration?
The act of stealing data out of a compromised system. Often the final stage of an attack chain — the attacker has gained access, located the valuable data, and is now moving it to attacker-controlled infrastructure. Detected by anomalies in outbound traffic and database query patterns.
Full explanation
Data exfiltration is the harm-realization phase of most data-breach incidents. After initial access (via phishing, RCE, leaked credentials, or BOLA / RLS bypass), the attacker enumerates accessible data, then moves it out of the organization's network. Common channels: HTTP POST to attacker-controlled endpoints, DNS tunneling, encrypted egress to cloud storage, exfiltration through legitimate services (Slack webhooks, Discord, GitHub gists, paste sites). Defense layers: network egress restrictions, query-volume anomaly detection, DLP scanning on outbound traffic, and most importantly — preventing the initial access that makes exfiltration possible.
Example
An attacker exploits a BOLA bug to enumerate 100,000 user records via /api/users/[id]. The 100,000 sequential requests show as an anomalous burst in the application logs — same client IP, sequential IDs, high request rate, large total response size. A monitoring system that watches outbound-data-volume per session can detect this even when the individual requests look like normal API calls.
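The per-session detection described above, as an added example written for this entry (not Securie's own code): it parses access-log lines in an assumed format, buckets successful reads per client and time window, and flags a window where the requested ids walk consecutively or the total response volume is large; the log format, IPs and thresholds are constructed values.

```python
import re
from collections import defaultdict

# Assumed access-log format: "<epoch_seconds> <client_ip> GET <path> <status> <response_bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) GET /api/users/(?P<id>\d+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Detection thresholds (assumed values; tune to the application's real baseline)
WINDOW_SECONDS = 60         # bucket size for per-client aggregation
MAX_REQUESTS = 50           # more object reads per window than a real user makes
MAX_BYTES = 100_000         # outbound response volume per client per window
MIN_SEQUENTIAL_RATIO = 0.8  # share of consecutive requests whose ids differ by exactly 1

def detect_enumeration(log_lines):
    """Return one alert per (client, window) that looks like a BOLA enumeration burst."""
    buckets = defaultdict(list)  # (ip, window_index) -> [(ts, id, bytes), ...]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":  # only successful reads move data out
            continue
        key = (m["ip"], int(m["ts"]) // WINDOW_SECONDS)
        buckets[key].append((int(m["ts"]), int(m["id"]), int(m["bytes"])))

    alerts = []
    for (ip, window), events in buckets.items():
        if len(events) < MAX_REQUESTS:
            continue  # low volume: not a burst, whatever the id pattern
        events.sort()  # order by timestamp before inspecting the id sequence
        ids = [e[1] for e in events]
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
        ratio = sequential / (len(ids) - 1)
        total_bytes = sum(e[2] for e in events)
        # Either signal alone is suspicious: a walk through consecutive ids, or a large
        # outbound volume from one client, even though each request is a valid API call.
        if ratio >= MIN_SEQUENTIAL_RATIO or total_bytes >= MAX_BYTES:
            alerts.append({"ip": ip, "window_start": window * WINDOW_SECONDS,
                           "requests": len(events), "sequential_ratio": round(ratio, 2),
                           "total_bytes": total_bytes})
    return alerts

def constructed_logs():
    """Constructed sample: one client walking ids 1..120 in 30 s, one normal client."""
    lines = [f"{960 + i // 4} 203.0.113.10 GET /api/users/{i + 1} 200 1200" for i in range(120)]
    lines += [f"{960 + i * 70} 198.51.100.7 GET /api/users/{uid} 200 1150"
              for i, uid in enumerate([4821, 77, 4821, 9130, 12])]
    return lines
```

Running `detect_enumeration(constructed_logs())` yields a single alert for 203.0.113.10 (120 requests, sequential ratio 1.0, 144000 bytes) and nothing for the normal client.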
FAQ
Does Securie detect exfiltration?
Securie's Ring 1 prevents the bugs that enable exfiltration (BOLA, RLS bypass, broken auth). Ring 3 runtime detection (L13 SDP) correlates anomalous patterns to PR findings — when the runtime sees an exfiltration burst, it can map back to the specific finding that enabled it. Detection-only without prevention is reactive; the goal is preventing the underlying bug.
How do I make exfiltration harder if a bug is exploited?
Defense in depth: rate limit at the API gateway (per-IP, per-session, per-endpoint); monitor outbound bytes per session; implement honeytokens (Securie L29), fake records that trigger an immediate alert when an attacker pulls them; and segregate sensitive tables behind extra auth checks even within authenticated sessions.