Potential Data Exfiltration Activity to an Unusual Destination Port

A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/09/22"
  3integration = ["ded", "endpoint", "network_traffic"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 75
  9author = ["Elastic"]
 10description = """
 11A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are
 12outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.
 13"""
 14from = "now-6h"
 15interval = "15m"
 16license = "Elastic License v2"
 17machine_learning_job_id = "ded_high_sent_bytes_destination_port"
 18name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
 19references = [
 20    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 21    "https://docs.elastic.co/en/integrations/ded",
 22    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
 23]
 24risk_score = 21
 25rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
 26setup = """## Setup
 27
 28The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
 29
 30### Data Exfiltration Detection Setup
 31The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
 32
 33#### Prerequisite Requirements:
 34- Fleet is required for Data Exfiltration Detection.
 35- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 36- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
 37- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 38- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 39
 40#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 41- Go to the Kibana homepage. Under Management, click Integrations.
 42- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
 43- Follow the instructions under the **Installation** section.
 44- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 45"""
 46severity = "low"
 47tags = [
 48    "Use Case: Data Exfiltration Detection",
 49    "Rule Type: ML",
 50    "Rule Type: Machine Learning",
 51    "Tactic: Exfiltration",
 52    "Resources: Investigation Guide",
 53]
 54type = "machine_learning"
 55note = """## Triage and analysis
 56
 57> **Disclaimer**:
 58> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 59
 60### Investigating Potential Data Exfiltration Activity to an Unusual Destination Port
 61
 62Machine learning models analyze network traffic to identify anomalies, such as data transfers to uncommon destination ports, which may suggest exfiltration via command and control channels. Adversaries exploit these channels to stealthily siphon data. This detection rule leverages ML to flag deviations from normal traffic patterns, aiding in early identification of potential threats.
 63
 64### Possible investigation steps
 65
 66- Review the network traffic logs to identify the source IP address associated with the unusual destination port activity. Determine if this IP is known or expected within the organization's network.
 67- Analyze the destination port and associated IP address to assess whether it is commonly used for legitimate purposes or if it is known for malicious activity. Cross-reference with threat intelligence databases if necessary.
 68- Examine the volume and frequency of data transferred to the unusual destination port to identify any patterns or anomalies that deviate from normal behavior.
 69- Investigate the user or system account associated with the source IP to determine if there are any signs of compromise or unauthorized access.
 70- Check for any recent changes or updates in the network configuration or security policies that might explain the anomaly.
 71- Correlate this event with other security alerts or logs to identify any related suspicious activities or patterns that could indicate a broader threat.
 72
 73### False positive analysis
 74
 75- Routine data transfers to external services using uncommon ports may trigger false positives. Identify and document these services to create exceptions in the monitoring system.
 76- Internal applications that use non-standard ports for legitimate data transfers can be mistaken for exfiltration attempts. Regularly update the list of approved applications and their associated ports to minimize false alerts.
 77- Scheduled data backups to cloud services or remote servers might use unusual ports. Verify these activities and configure the system to recognize them as non-threatening.
 78- Development and testing environments often use non-standard ports for various operations. Ensure these environments are well-documented and excluded from exfiltration alerts when appropriate.
 79- Collaborate with network administrators to maintain an updated inventory of all legitimate network activities and their corresponding ports, reducing the likelihood of false positives.
 80
 81### Response and remediation
 82
 83- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.
 84- Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine if other systems are affected.
 85- Block the identified unusual destination port at the network perimeter to prevent further unauthorized data transfers.
 86- Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to block similar exfiltration attempts in the future.
 87- Notify the incident response team and relevant stakeholders about the potential data breach for further investigation and escalation.
 88- Perform a comprehensive scan of the affected system for malware or unauthorized software that may have facilitated the exfiltration.
 89- Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity."""
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1041"
 94name = "Exfiltration Over C2 Channel"
 95reference = "https://attack.mitre.org/techniques/T1041/"
 96
 97
 98[rule.threat.tactic]
 99id = "TA0010"
100name = "Exfiltration"
101reference = "https://attack.mitre.org/tactics/TA0010/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Data Exfiltration Activity to an Unusual Destination Port

Machine learning models analyze network traffic to identify anomalies, such as data transfers to uncommon destination ports, which may suggest exfiltration via command and control channels. Adversaries exploit these channels to stealthily siphon data. This detection rule leverages ML to flag deviations from normal traffic patterns, aiding in early identification of potential threats.

Possible investigation steps

  • Review the network traffic logs to identify the source IP address associated with the unusual destination port activity. Determine if this IP is known or expected within the organization's network.
  • Analyze the destination port and associated IP address to assess whether it is commonly used for legitimate purposes or if it is known for malicious activity. Cross-reference with threat intelligence databases if necessary.
  • Examine the volume and frequency of data transferred to the unusual destination port to identify any patterns or anomalies that deviate from normal behavior.
  • Investigate the user or system account associated with the source IP to determine if there are any signs of compromise or unauthorized access.
  • Check for any recent changes or updates in the network configuration or security policies that might explain the anomaly.
  • Correlate this event with other security alerts or logs to identify any related suspicious activities or patterns that could indicate a broader threat.

False positive analysis

  • Routine data transfers to external services using uncommon ports may trigger false positives. Identify and document these services to create exceptions in the monitoring system.
  • Internal applications that use non-standard ports for legitimate data transfers can be mistaken for exfiltration attempts. Regularly update the list of approved applications and their associated ports to minimize false alerts.
  • Scheduled data backups to cloud services or remote servers might use unusual ports. Verify these activities and configure the system to recognize them as non-threatening.
  • Development and testing environments often use non-standard ports for various operations. Ensure these environments are well-documented and excluded from exfiltration alerts when appropriate.
  • Collaborate with network administrators to maintain an updated inventory of all legitimate network activities and their corresponding ports, reducing the likelihood of false positives.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.
  • Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine if other systems are affected.
  • Block the identified unusual destination port at the network perimeter to prevent further unauthorized data transfers.
  • Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to block similar exfiltration attempts in the future.
  • Notify the incident response team and relevant stakeholders about the potential data breach for further investigation and escalation.
  • Perform a comprehensive scan of the affected system for malware or unauthorized software that may have facilitated the exfiltration.
  • Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity.

References

Related rules

to-top