Spike in Bytes Sent to an External Device via Airdrop

A machine learning job has detected an unusually high volume of bytes written to an external device via Airdrop. In a typical operational setting, the amount of data written to external devices follows a predictable pattern or falls within a known range. A spike well above that range is anomalous and can signal illicit data copying or transfer.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
operational setting, there is usually a predictable pattern or a certain range of data that is written to external
devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
activities.
"""
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
name = "Spike in Bytes Sent to an External Device via Airdrop"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/ded",
    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
]
risk_score = 21
rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
setup = """## Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

### Data Exfiltration Detection Setup
The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Data Exfiltration Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- File events collected by the Elastic Defend integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Data Exfiltration Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Bytes Sent to an External Device via Airdrop

Airdrop facilitates seamless file sharing between Apple devices, leveraging Bluetooth and Wi-Fi. While convenient, adversaries can exploit it for unauthorized data exfiltration by transferring large volumes of sensitive data. The detection rule employs machine learning to identify anomalies in data transfer patterns, flagging unusual spikes in bytes sent as potential exfiltration attempts, thus aiding in early threat detection.

### Possible investigation steps

- Review the alert details to identify the specific device and user involved in the data transfer. Check for any known associations with previous incidents or suspicious activities.
- Analyze the volume of data transferred and compare it to typical usage patterns for the device and user. Determine if the spike is significantly higher than usual.
- Investigate the time and context of the data transfer. Correlate with other logs or alerts to identify any concurrent suspicious activities or anomalies.
- Check the destination device's details to verify if it is a recognized and authorized device within the organization. Investigate any unknown or unauthorized devices.
- Contact the user associated with the alert to verify the legitimacy of the data transfer. Gather information on the nature of the files transferred and the purpose of the transfer.
- Review any recent changes in the user's access privileges or roles that might explain the increased data transfer activity.

### False positive analysis

- Regular large file transfers for legitimate business purposes, such as media companies transferring video files, can trigger false positives. Users can create exceptions for specific devices or user accounts known to perform these tasks regularly.
- Software updates or backups that involve transferring large amounts of data to external devices may be misidentified as exfiltration attempts. Users should whitelist these activities by identifying the associated processes or applications.
- Educational institutions or creative teams often share large files for collaborative projects. Establishing a baseline for expected data transfer volumes and excluding these from alerts can reduce false positives.
- Devices used for testing or development purposes might frequently send large data volumes. Users can exclude these devices from monitoring by adding them to an exception list.
- Personal use of Airdrop for transferring large media files, such as photos or videos, can be mistaken for suspicious activity. Users can mitigate this by setting thresholds that account for typical personal use patterns.

### Response and remediation

- Immediately isolate the affected device from the network to prevent further data exfiltration.
- Verify the identity and permissions of the user associated with the anomalous Airdrop activity to ensure they are authorized to transfer data.
- Conduct a forensic analysis of the device to identify any unauthorized applications or processes that may have facilitated the data transfer.
- Review and revoke any unnecessary permissions or access rights for the user or device involved in the incident.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the activity is part of a larger threat campaign.
- Implement additional monitoring on the affected device and similar devices to detect any further anomalous Airdrop activities.
- Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1011"
name = "Exfiltration Over Other Network Medium"
reference = "https://attack.mitre.org/techniques/T1011/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
```
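The rule description and the investigation guide above both reduce to one idea: bytes written per device normally stay in a predictable band, and a bucket far above that band is worth an alert, unless the device is on a documented exception list. The following is an added example of that logic, written for this page and not Elastic's own ML job (the job's detector configuration is not shown here). It assumes ECS-style field names (`@timestamp`, `host.name`, `file.size`), 15-minute buckets matching the rule's `interval`, a median/MAD spike score with a hypothetical cutoff of 6, and constructed sample events that are already filtered to AirDrop writes, since the page does not say how the job attributes an event to AirDrop.

```python
"""Baseline-and-spike check over constructed AirDrop file-write events.

Added illustration of the idea behind the rule (not Elastic's ML job, whose
detector configuration is not shown on this page): sum bytes written per host
into 15-minute buckets, learn each host's baseline from its earlier buckets,
and flag a bucket that sits far above that baseline. Hosts on an exception
list are skipped, mirroring the "create exceptions" advice in the guide.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

BUCKET = timedelta(minutes=15)   # same width as the rule's 15m interval (a modelling choice here)
MAD_SCALE = 1.4826               # puts the MAD on the same scale as a standard deviation
Z_THRESHOLD = 6.0                # hypothetical cutoff; unrelated to the rule's anomaly_threshold = 75


def parse_ts(value):
    """Parse an ECS-style UTC timestamp such as 2025-01-15T09:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bucket_bytes(events, bucket=BUCKET):
    """Return {host: {bucket_start_epoch: total_bytes}} for the given events.

    Events are plain dicts using ECS field names (@timestamp, host.name,
    file.size). The sample data below is assumed to be AirDrop writes already.
    """
    width = int(bucket.total_seconds())
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        epoch = int(parse_ts(e["@timestamp"]).timestamp())
        totals[e["host.name"]][epoch - epoch % width] += int(e["file.size"])
    return totals


def robust_z(value, history):
    """Deviation of value from the median of history, in scaled-MAD units.

    Median/MAD rather than mean/stddev so that one earlier burst does not
    inflate the baseline and hide a later one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) * MAD_SCALE
    if mad == 0:
        # Flat history: anything above it is a spike, anything at or below is not.
        return float("inf") if value > med else 0.0
    return (value - med) / mad


def detect_spikes(events, exceptions=frozenset(), threshold=Z_THRESHOLD, min_history=4):
    """Walk each host's buckets in time order and alert when a bucket's bytes
    exceed the baseline built from all earlier buckets of that host."""
    alerts = []
    for host, buckets in bucket_bytes(events).items():
        if host in exceptions:          # the guide's per-device exception list
            continue
        starts = sorted(buckets)
        for i in range(min_history, len(starts)):
            history = [buckets[s] for s in starts[:i]]
            value = buckets[starts[i]]
            score = robust_z(value, history)
            if score > threshold:
                alerts.append({
                    "host.name": host,
                    "bucket_start": datetime.fromtimestamp(starts[i], tz=timezone.utc).isoformat(),
                    "bytes": value,
                    "baseline_median": median(history),
                    "score": round(score, 1),
                })
    return alerts


def constructed_events(host, user, sizes, first="2025-01-15T09:05:00Z"):
    """Constructed sample data: one event per 15-minute bucket, sizes in bytes."""
    t0 = parse_ts(first)
    return [{"@timestamp": (t0 + i * BUCKET).isoformat().replace("+00:00", "Z"),
             "host.name": host, "user.name": user, "file.size": size}
            for i, size in enumerate(sizes)]


MB = 10**6
SAMPLE_EVENTS = (
    # Ordinary laptop: roughly 10 MB per bucket, then 4.2 GB leaves in one bucket.
    constructed_events("mac-alice", "alice",
                       [12 * MB, 8_500_000, 15 * MB, 9 * MB, 11 * MB, 14 * MB, 10 * MB, 13 * MB, 4_200 * MB])
    # Media-team workstation: about 2 GB per bucket is normal there, 6.5 GB is not.
    + constructed_events("mac-video-edit", "editor",
                         [2_000 * MB, 2_400 * MB, 1_800 * MB, 2_200 * MB, 2_100 * MB,
                          2_300 * MB, 1_900 * MB, 2_000 * MB, 6_500 * MB])
)

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_EVENTS, exceptions={"mac-video-edit"}):
        print(alert)
```

Run as-is, the script reports only `mac-alice`, whose final bucket is about 1,400 scaled-MAD units above an 11.5 MB baseline. Without the exception, `mac-video-edit` also fires, although its 6.5 GB bucket would look ordinary next to the alice host: the per-host baseline is what makes the score meaningful, and the exception list, not a higher global threshold, is how the guide suggests handling a device whose large transfers are legitimate.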
