Spike in Bytes Sent to an External Device via Airdrop
A machine learning job has detected an unusually high volume of data written to an external device via AirDrop. In a typical operational setting, the amount of data written to external devices follows a predictable pattern or stays within a known range; an unusually large write is anomalous and can signal illicit data copying or transfer.
Elastic rule
[metadata]
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
operational setting, there is usually a predictable pattern or a certain range of data that is written to external
devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
activities.
"""
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
name = "Spike in Bytes Sent to an External Device via Airdrop"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/ded",
    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
]
risk_score = 21
rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
setup = """## Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

### Data Exfiltration Detection Setup
The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Data Exfiltration Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- File events collected by the Elastic Defend integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Data Exfiltration Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Bytes Sent to an External Device via Airdrop

Airdrop facilitates seamless file sharing between Apple devices, leveraging Bluetooth and Wi-Fi. While convenient, adversaries can exploit it for unauthorized data exfiltration by transferring large volumes of sensitive data. The detection rule employs machine learning to identify anomalies in data transfer patterns, flagging unusual spikes in bytes sent as potential exfiltration attempts, thus aiding in early threat detection.

### Possible investigation steps

- Review the alert details to identify the specific device and user involved in the data transfer. Check for any known associations with previous incidents or suspicious activities.
- Analyze the volume of data transferred and compare it to typical usage patterns for the device and user. Determine if the spike is significantly higher than usual.
- Investigate the time and context of the data transfer. Correlate with other logs or alerts to identify any concurrent suspicious activities or anomalies.
- Check the destination device's details to verify if it is a recognized and authorized device within the organization. Investigate any unknown or unauthorized devices.
- Contact the user associated with the alert to verify the legitimacy of the data transfer. Gather information on the nature of the files transferred and the purpose of the transfer.
- Review any recent changes in the user's access privileges or roles that might explain the increased data transfer activity.

### False positive analysis

- Regular large file transfers for legitimate business purposes, such as media companies transferring video files, can trigger false positives. Users can create exceptions for specific devices or user accounts known to perform these tasks regularly.
- Software updates or backups that involve transferring large amounts of data to external devices may be misidentified as exfiltration attempts. Users should whitelist these activities by identifying the associated processes or applications.
- Educational institutions or creative teams often share large files for collaborative projects. Establishing a baseline for expected data transfer volumes and excluding these from alerts can reduce false positives.
- Devices used for testing or development purposes might frequently send large data volumes. Users can exclude these devices from monitoring by adding them to an exception list.
- Personal use of Airdrop for transferring large media files, such as photos or videos, can be mistaken for suspicious activity. Users can mitigate this by setting thresholds that account for typical personal use patterns.

### Response and remediation

- Immediately isolate the affected device from the network to prevent further data exfiltration.
- Verify the identity and permissions of the user associated with the anomalous Airdrop activity to ensure they are authorized to transfer data.
- Conduct a forensic analysis of the device to identify any unauthorized applications or processes that may have facilitated the data transfer.
- Review and revoke any unnecessary permissions or access rights for the user or device involved in the incident.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the activity is part of a larger threat campaign.
- Implement additional monitoring on the affected device and similar devices to detect any further anomalous Airdrop activities.
- Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1011"
name = "Exfiltration Over Other Network Medium"
reference = "https://attack.mitre.org/techniques/T1011/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
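The investigation guide asks the analyst to compare the transferred volume with the host's and user's usual pattern, and its false-positive section suggests per-user and per-device exceptions plus thresholds that ignore personal-scale transfers. The script below is an added illustration of that reasoning as an offline check; it is not the rule's own logic. The rule delegates scoring to the `ded_high_bytes_written_to_external_device_airdrop` anomaly detection job, and its `anomaly_threshold = 75` is a minimum anomaly score on a 0 to 100 scale, not a byte count. The field names (`host.name`, `user.name`, `destination.device`, `network.bytes`), the 15-minute bucketing, the median/MAD outlier test, the thresholds and every sample event are assumptions constructed for the example; the DED integration's real schema is not reproduced here.

```python
"""Per-host baseline of bytes sent over AirDrop, with a robust spike test and an
exception list.  Added illustration only; the Elastic rule itself relies on the
ded_high_bytes_written_to_external_device_airdrop anomaly detection job."""
from collections import defaultdict
from datetime import datetime
from statistics import median

BUCKET_SECONDS = 900  # 15-minute buckets, mirroring the rule's interval (assumption)


def ev(ts, host, user, device, nbytes):
    """Build one constructed event. Field names are assumptions loosely modelled on ECS."""
    return {"@timestamp": ts, "host.name": host, "user.name": user,
            "destination.device": device, "network.bytes": nbytes}


# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    # mbp-01 / alice: small routine transfers, then a huge one to an unfamiliar device
    ev("2025-01-15T08:03:00Z", "mbp-01", "alice", "iPhone-alice", 2_000_000),
    ev("2025-01-15T08:21:00Z", "mbp-01", "alice", "iPhone-alice", 3_500_000),
    ev("2025-01-15T09:04:00Z", "mbp-01", "alice", "iPhone-alice", 1_200_000),
    ev("2025-01-15T09:47:00Z", "mbp-01", "alice", "iPhone-alice", 2_800_000),
    ev("2025-01-15T10:12:00Z", "mbp-01", "alice", "iPhone-alice", 2_100_000),
    ev("2025-01-15T10:33:00Z", "mbp-01", "alice", "iPad-unknown", 4_300_000_000),
    # mbp-02 / bob: consistently large transfers; the latest is in line with his own baseline
    ev("2025-01-15T08:10:00Z", "mbp-02", "bob", "iPhone-bob", 900_000_000),
    ev("2025-01-15T09:10:00Z", "mbp-02", "bob", "iPhone-bob", 1_100_000_000),
    ev("2025-01-15T10:10:00Z", "mbp-02", "bob", "iPhone-bob", 950_000_000),
    ev("2025-01-15T10:40:00Z", "mbp-02", "bob", "iPhone-bob", 1_000_000_000),
    # mbp-03 / carol: a spike from a user whose team legitimately moves large media files
    ev("2025-01-15T08:05:00Z", "mbp-03", "carol", "iPad-carol", 50_000_000),
    ev("2025-01-15T08:35:00Z", "mbp-03", "carol", "iPad-carol", 55_000_000),
    ev("2025-01-15T09:05:00Z", "mbp-03", "carol", "iPad-carol", 45_000_000),
    ev("2025-01-15T09:40:00Z", "mbp-03", "carol", "iPad-carol", 50_000_000),
    ev("2025-01-15T10:20:00Z", "mbp-03", "carol", "iPad-carol", 6_000_000_000),
    # mbp-04 / dave: too little history to score at all
    ev("2025-01-15T09:30:00Z", "mbp-04", "dave", "iPhone-dave", 10_000_000),
    ev("2025-01-15T10:30:00Z", "mbp-04", "dave", "iPhone-dave", 9_000_000_000),
]


def bucket_start(ts_iso):
    """Align an ISO-8601 UTC timestamp to the start of its 15-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts_iso.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % BUCKET_SECONDS


def bucket_totals(events):
    """Sum bytes per (host, bucket); return {host: [(bucket_start, total), ...]} sorted by time."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["host.name"], bucket_start(e["@timestamp"]))] += e["network.bytes"]
    per_host = defaultdict(list)
    for (host, start), total in totals.items():
        per_host[host].append((start, total))
    return {host: sorted(buckets) for host, buckets in per_host.items()}


def robust_score(history, current):
    """Median/MAD z-score: robust standard deviations `current` sits above the host's own history.
    A constant history has MAD 0, so fall back to 10% of the median to avoid dividing by zero."""
    med = median(history)
    scale = 1.4826 * median(abs(x - med) for x in history)
    if scale == 0:
        scale = max(med * 0.1, 1.0)
    return (current - med) / scale


def detect_spikes(events, *, z_threshold=5.0, min_bytes=100_000_000, min_history=3,
                  exempt_users=frozenset(), exempt_devices=frozenset()):
    """Flag hosts whose most recent bucket is a large outlier against their own earlier buckets.

    min_bytes keeps tiny baselines (3 KB -> 3 MB) from alerting, min_history refuses to score a
    host with almost no baseline, and the exemption sets implement the per-user / per-device
    exceptions the guide's false-positive section suggests."""
    alerts = []
    for host, buckets in bucket_totals(events).items():
        if len(buckets) < min_history + 1:
            continue  # not enough baseline to compare against
        history = [total for _, total in buckets[:-1]]
        current_start, current = buckets[-1]
        if current < min_bytes:
            continue
        score = robust_score(history, current)
        if score < z_threshold:
            continue
        in_bucket = [e for e in events
                     if e["host.name"] == host and bucket_start(e["@timestamp"]) == current_start]
        users = {e["user.name"] for e in in_bucket}
        devices = {e["destination.device"] for e in in_bucket}
        if users <= exempt_users or devices <= exempt_devices:
            continue  # every contributor to the spike is on the exception list
        alerts.append({"host": host, "users": users, "devices": devices,
                       "bytes": current, "baseline": median(history), "score": round(score, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_EVENTS, exempt_users=frozenset({"carol"})):
        print(alert)
```

Run as-is with `carol` exempted, the script reports only mbp-01, whose 4.3 GB transfer to an unfamiliar device sits thousands of robust standard deviations above a baseline of roughly 2 MB per 15-minute bucket. bob's 1 GB transfer is not flagged because it is ordinary for that host, which is the point of comparing against the host's own history rather than a global byte threshold, and mbp-04 is skipped outright because two buckets are not a baseline.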
Related rules
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual ISO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Spike in Bytes Sent to an External Device