Potential Data Exfiltration Activity to an Unusual Region

  1[metadata]
  2creation_date = "2023/09/22"
  3integration = ["ded", "endpoint", "network_traffic"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 75
  9author = ["Elastic"]
 10description = """
 11A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
 12geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
 13and control channels.
 14"""
 15from = "now-6h"
 16interval = "15m"
 17license = "Elastic License v2"
 18machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
 19name = "Potential Data Exfiltration Activity to an Unusual Region"
 20references = [
 21    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 22    "https://docs.elastic.co/en/integrations/ded",
 23    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
 24]
 25risk_score = 21
 26rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
 27setup = """## Setup
 28
 29The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
 30
 31### Data Exfiltration Detection Setup
 32The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.
 33
 34#### Prerequisite Requirements:
 35- Fleet is required for Data Exfiltration Detection.
 36- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 37- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
 38- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 39- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 40
 41#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
 42- Go to the Kibana homepage. Under Management, click Integrations.
 43- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
 44- Follow the instructions under the **Installation** section.
 45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 46"""
 47severity = "low"
 48tags = [
 49    "Use Case: Data Exfiltration Detection",
 50    "Rule Type: ML",
 51    "Rule Type: Machine Learning",
 52    "Tactic: Exfiltration",
 53    "Resources: Investigation Guide",
 54]
 55type = "machine_learning"
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Potential Data Exfiltration Activity to an Unusual Region
 62
 63Machine learning models analyze network traffic patterns to identify anomalies, such as data transfers to atypical regions. Adversaries exploit command and control channels to exfiltrate data to these regions, bypassing traditional security measures. This detection rule leverages ML to flag unusual geo-locations, indicating potential exfiltration activities, thus aiding in early threat identification.
 64
 65### Possible investigation steps
 66
 67- Review the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization's typical network traffic patterns.
 68- Analyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region.
 69- Cross-reference the IP addresses involved in the data transfer with threat intelligence databases to check for any known malicious activity or associations.
 70- Investigate the user accounts and devices involved in the data transfer to assess if they have been compromised or are exhibiting other suspicious behaviors.
 71- Check for any recent changes in network configurations or security policies that might have inadvertently allowed data transfers to atypical regions.
 72- Collaborate with the organization's IT and security teams to verify if there are legitimate business reasons for the data transfer to the flagged region.
 73
 74### False positive analysis
 75
 76- Legitimate business operations involving data transfers to new or infrequent regions may trigger false positives. Users should review and whitelist these regions if they are part of regular business activities.
 77- Scheduled data backups or transfers to cloud services located in atypical regions can be mistaken for exfiltration. Identify and exclude these services from the rule's scope.
 78- Remote work scenarios where employees connect from different regions might cause alerts. Maintain an updated list of remote work locations to prevent unnecessary alerts.
 79- Partner or vendor data exchanges that occur outside usual geographic patterns should be documented and excluded if they are verified as non-threatening.
 80- Temporary projects or collaborations with international teams may result in unusual data flows. Ensure these are accounted for in the rule's configuration to avoid false positives.
 81
 82### Response and remediation
 83
 84- Isolate the affected systems immediately to prevent further data exfiltration. Disconnect them from the network to stop ongoing communication with the unusual geo-location.
 85- Conduct a thorough analysis of the network traffic logs to identify the scope of the exfiltration and determine which data was accessed or transferred.
 86- Revoke any compromised credentials and enforce a password reset for affected accounts to prevent unauthorized access.
 87- Implement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network.
 88- Review and update firewall and intrusion detection system (IDS) rules to detect and block similar command and control traffic patterns in the future.
 89- Escalate the incident to the security operations center (SOC) and relevant stakeholders, providing them with detailed findings and actions taken for further investigation and response.
 90- Conduct a post-incident review to assess the effectiveness of the response and identify any gaps in the security posture, implementing necessary improvements to prevent recurrence."""
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1041"
 95name = "Exfiltration Over C2 Channel"
 96reference = "https://attack.mitre.org/techniques/T1041/"
 97
 98
 99[rule.threat.tactic]
100id = "TA0010"
101name = "Exfiltration"
102reference = "https://attack.mitre.org/tactics/TA0010/"