Data Exfiltration

After a security incident, it is vital to assess whether data has actually been taken from the business. Data loss of this kind, where data is taken outside the network, is known as exfiltration.

Sensitive files might include the database of the patient management system, the databases of imaging systems, and Word or PDF documents which identify patients.

Ransomware attacks are usually crude and do not attempt to exfiltrate data. Nevertheless, it is important to have evidence that no exfiltration has occurred.

Exfiltration can occur via many different protocols, for example HTTP, HTTPS, FTP, TFTP, SMTP, POP, SCP or SFTP, or any of these protocols carried within a tunnel such as SSH.

A Next Generation Firewall (NGFW) gives the opportunity for some granular control over this. A policy might, for example, prevent the server hosting the sensitive data from contacting the internet at all except for Windows Update. The policy can log data traffic volume, so you can be sure that a 1Gb file has not been sent from the server. The NGFW can prevent the above protocols going out from the server, and individual files can be fingerprinted or watermarked.
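The two checks this paragraph describes, an egress allow-list for the sensitive server and a per-host outbound volume total, as an added example run over constructed firewall log lines (this is not the article's own code; the server address, the Windows Update hostname, the destinations and the log format are assumptions chosen for the example):

```python
# Added example (not the article's own code): policy checks over constructed egress logs.
from collections import defaultdict

# Constructed sample log lines; fields: src_host dst_host protocol bytes_out
SAMPLE_LOG = """\
10.0.0.5 windowsupdate.microsoft.com https 1200345
10.0.0.5 windowsupdate.microsoft.com https 800000
10.0.0.5 203.0.113.10 ftp 900000000
10.0.0.7 203.0.113.10 sftp 50000
10.0.0.5 203.0.113.20 ssh 300000000
"""

# Server and destination names are assumptions chosen for the example.
SENSITIVE_SERVERS = {"10.0.0.5"}
ALLOWED_DESTINATIONS = {"windowsupdate.microsoft.com"}
# The article's "1Gb" figure, interpreted here as 10**9 bytes (assumption).
VOLUME_THRESHOLD = 1_000_000_000

def parse_log(text):
    """Parse whitespace-separated egress records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, nbytes = line.split()
        records.append({"src": src, "dst": dst, "proto": proto, "bytes": int(nbytes)})
    return records

def egress_volume(records):
    """Total outbound bytes per source host over the log window."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return dict(totals)

def policy_violations(records):
    """Records where a sensitive server reached anything other than an allowed destination."""
    return [r for r in records
            if r["src"] in SENSITIVE_SERVERS and r["dst"] not in ALLOWED_DESTINATIONS]

def hosts_over_threshold(records, threshold=VOLUME_THRESHOLD):
    """Sensitive servers whose total egress exceeds the volume a leaked file would need."""
    totals = egress_volume(records)
    return sorted(h for h in SENSITIVE_SERVERS if totals.get(h, 0) > threshold)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("policy violations:", policy_violations(recs))
    print("over threshold:", hosts_over_threshold(recs))
```

Both checks only yield evidence for the period the logs cover, so the log retention window has to span the incident for the "no exfiltration" assertion to hold.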

Having these measures in place supports the assertion that no data was lost and can justify not reporting a ransomware infection to the regulatory authorities.