Stage 6: Data Exfiltration

Stage 6 of the cyberattack lifecycle: Data Exfiltration. The attacker has reached their primary objective — stealing valuable data before triggering ransomware or disappearing from the network entirely.

Attacker Goal

Locate, stage, and transfer sensitive data including customer records, financial information, and intellectual property.

MITRE ATT&CK Techniques

T1041T1048T1052T1567T1029T1020

Stage Description

The attacker has reached their primary objective — stealing valuable data before triggering ransomware or disappearing from the network entirely.

Common Entry Vectors

• Compressing and encrypting data to avoid detection
• Using cloud services like Dropbox or Google Drive for transfer
• Slow data transfer to avoid triggering bandwidth alerts
• Using legitimate tools like FTP or cloud sync for exfiltration
• Staging data in temporary locations before final transfer

Typical Attacker Actions

• Identifies and collects high-value data across the network
• Compresses and encrypts files to hide content from DLP tools
• Transfers data slowly over time to avoid detection
• Uses legitimate cloud services to blend with normal traffic
• Deletes logs and evidence after successful transfer

What Purim NetGo Delivers at This Stage

• Pre-Exfiltration Detection — catch data theft before it happens
• Sensitive Data Monitoring — protect your most valuable information
• Access Alerts — know the moment sensitive files are touched
• Content Intelligence — understand exactly what was accessed
• Last Line of Defense — stop exfiltration at the source