Potential Data Exfiltration Activity to an Unusual ISO Code

  1[metadata]
  2creation_date = "2023/09/22"
  3integration = ["ded", "endpoint", "network_traffic"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 75
  9author = ["Elastic"]
 10description = """
 11A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
 12geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
 13and control channels.
 14"""
 15from = "now-6h"
 16interval = "15m"
 17license = "Elastic License v2"
 18machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
 19name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
 20references = [
 21    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 22    "https://docs.elastic.co/en/integrations/ded",
 23    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
 24]
 25risk_score = 21
 26rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
 27setup = """## Setup
 28
 29The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
 30
 31### Data Exfiltration Detection Setup
 32The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
 33
 34#### Prerequisite Requirements:
 35- Fleet is required for Data Exfiltration Detection.
 36- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 37- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
 38- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 39- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 40
 41#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 42- Go to the Kibana homepage. Under Management, click Integrations.
 43- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
 44- Follow the instructions under the **Installation** section.
 45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 46"""
 47severity = "low"
 48tags = [
 49    "Use Case: Data Exfiltration Detection",
 50    "Rule Type: ML",
 51    "Rule Type: Machine Learning",
 52    "Tactic: Exfiltration",
 53    "Resources: Investigation Guide",
 54]
 55type = "machine_learning"
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Potential Data Exfiltration Activity to an Unusual ISO Code
 62
 63Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to unexpected geo-locations. Adversaries exploit command and control channels to exfiltrate data to these unusual regions. The detection rule leverages ML to flag deviations from normal traffic, indicating potential exfiltration activities, thus aiding in early threat identification.
 64
 65### Possible investigation steps
 66
 67- Review the alert details to identify the specific unusual ISO code and geo-location involved in the data transfer.
 68- Analyze network logs to determine the volume and frequency of data transfers to the identified geo-location, comparing it against baseline traffic patterns.
 69- Investigate the source IP addresses and devices involved in the data transfer to assess whether they are legitimate or potentially compromised.
 70- Check for any recent changes or anomalies in user behavior or access patterns associated with the source devices or accounts.
 71- Correlate the alert with other security events or logs, such as authentication logs or endpoint detection alerts, to identify any related suspicious activities.
 72- Consult threat intelligence sources to determine if the unusual geo-location is associated with known malicious activities or threat actors.
 73
 74### False positive analysis
 75
 76- Legitimate business operations involving data transfers to new or infrequent geo-locations may trigger false positives. Users should review these activities and whitelist known safe destinations.
 77- Regularly scheduled data backups or transfers to international offices or cloud services can be mistaken for exfiltration. Implement exceptions for these routine operations by updating the model's baseline.
 78- Temporary projects or collaborations with partners in unusual regions might cause alerts. Document these activities and adjust the detection parameters to accommodate such temporary changes.
 79- Changes in business operations, such as expansion into new markets, can alter normal traffic patterns. Update the model to reflect these changes to prevent unnecessary alerts.
 80- Use historical data to identify patterns of benign traffic to unusual regions and adjust the model's sensitivity to reduce false positives while maintaining security vigilance.
 81
 82### Response and remediation
 83
 84- Immediately isolate the affected systems from the network to prevent further data exfiltration.
 85- Conduct a thorough analysis of the network traffic logs to identify the source and destination of the unusual data transfer, focusing on the specific geo-location flagged by the alert.
 86- Block the identified IP addresses or domains associated with the unusual ISO code in the organization's firewall and intrusion prevention systems.
 87- Review and update access controls and permissions to ensure that only authorized personnel have access to sensitive data, reducing the risk of unauthorized data transfers.
 88- Restore any compromised systems from clean backups, ensuring that all security patches and updates are applied before reconnecting to the network.
 89- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data were affected.
 90- Implement enhanced monitoring and alerting for similar anomalies in network traffic to improve early detection of potential exfiltration activities in the future."""
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1041"
 95name = "Exfiltration Over C2 Channel"
 96reference = "https://attack.mitre.org/techniques/T1041/"
 97
 98
 99[rule.threat.tactic]
100id = "TA0010"
101name = "Exfiltration"
102reference = "https://attack.mitre.org/tactics/TA0010/"