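@comment{
  Cleaned library export of a single @inproceedings record.
  - The exported entry had an EMPTY citation key ("@inproceedings{,"), which
    BibTeX/Biber reject and which cannot be \cite'd; the key below follows the
    lastnameYYYYkeyword scheme used elsewhere in this corpus.
  - Authors were separated by ";" (parsed by BibTeX as one garbled name);
    they are now joined with " and " in "Last, First" form.
  - Empty fields (editor, series, journal, address, publisher, edition, isbn,
    volume, number, url, doi, note) were dropped: they add "empty field"
    warnings and carry no information.
  - keywords were ";"-separated; biblatex expects a comma-separated list.
  - "institution" is not a standard @inproceedings field; standard styles
    ignore it silently, it is kept here as provenance metadata only.
  - "pages = {28}" is reproduced as exported; whether it is a start page or a
    page count is not determinable from the record -- confirm before reuse.
  - The abstract is reproduced verbatim from the export, including inline
    citation numbers and footnote markers from the original PDF.
  - Fields contain UTF-8 (apostrophes, umlauts): compile with biblatex+Biber,
    or convert to LaTeX escapes ({\"a}, {\"u}) for classic BibTeX.
}

@inproceedings{mundt2023exfiltration,
  author      = {Mundt, Michael and Baier, Harald},
  title       = {Enhancing Incident Management by an improved Understanding of Data Exfiltration: Definition, Evaluation, Review},
  booktitle   = {International Conference on Digital Forensics and Cyber Crime (14., 2023, New York, NY)},
  year        = {2023},
  pages       = {28},
  keywords    = {Advanced Persistent Threat, Data Exfiltration, Universal Definition, Cyber Threat Intelligence, Systematic Review},
  abstract    = {Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double or even multiple extortion [59] ransomware now exfiltrates the data first, before encrypting it. In particular, valuable business assets must be checked for unauthorized access and need to be protected [56]. This year’s Federal Office for Information Security (BSI) annual report4 on the state of Information Technology’s (IT) Security in Germany confirms that cyber extortion attempts have become the number-one threat due to leading cyber-attacker collectives, who expand their strategy. As a key element of incident management institutions often implement their cyber security strategy by releasing an Information Security Management Systems (ISMS). This approach provides robust protection against fundamental threats from cyber-attackers. 
Institutions are increasingly focusing on holistic protection of their own IT and are activating professional defense mechanisms such as Extended Detection and Response (XDR). It is about the consideration of an overall process. First of all, as far as possible, all data sources are used. The goal is seamless monitoring of the data sources. Incoming data is analyzed immediately with the aim of initiating coordinated defense processes. In addition, XDR approaches pursue the goal of continuously optimizing these autonomous security processes. Knowledge of the threats posed by cyber-attackers is constantly increasing. The technical, legal and procedural possibilities for sharing information about cyber threats are constantly improving. Experts are emerging who are specifically addressing these cyber threats and making their skills available to others as a service. However, such protection mechanisms are often considered late and sometimes only after a successful cyber-attack. Companies’ livelihoods fail when their intellectual property is stolen. Often, modern protection measures are being adapted too hesitantly. In addition, cyber-attackers have also become more professional and specialized. Very sophisticated techniques for data exfiltration, such as steganography, are increasingly being used. Professionals develop these technologies and offer them as a service to other criminals. As a result the BSI recommendation for incident management of data exfiltration (and presumable subsequent disclosure of data) is a recommendation for a systematic and rulebased approach to monitor data transfers. That is the way to identify unusually large outbound flows of data and terminates them in good time. Definition and Review . We provide an universal definition of data exfiltration. Thus, we manifest an initial anchor point. We start from this content anchor point and review existing literature. Then, at its core, this work involves a systematic literature review. 
Our goal is to find out what methods and techniques for hostile extraction of data have been scientifically studied in the period 2020- 2022. We attempt to list the variety of methods and techniques and evaluate what skills are needed by an attacker in order to use them and hence - in the scope of incident management - to defend them. The result is an initial evaluation matrix. Evaluation .We explore three frequently used frameworks. Here, we select the Microsoft Threat Modeling Tool5 , the Malware Information Sharing Platform (MISP)6 , and the MITRE ATT&CK framework7 . First, we review the level of detail in which data exfiltration can be structured and described using each of these methods. With a view to the categorization to be conducted later, we select one method which fits best for our purpose to describe threats of data exfiltration in categories structurally and semantically. The selection criteria are the maturity, the simplicity of application and finally the international recognition. Based on this, we assign all the methods and techniques studied in the given categories. Through this we gain knowledge, on the one hand about known attack-vectors and on the other hand about techniques for data exfiltration. Furthermore, we figure out the current focus of the considered scientific community in this way. Structure of the paper . The rest of this paper is structured as follows: after the short motivation in this introduction we turn to related work in Section 2. In Section 3 we provide our definition of data exfiltration and evaluate the beforenamed frameworks. Next Section 4 contains our systematic review and the categorization. One chosen sample case study follows in Section 5. Finally we conclude our paper in Section 6 and point to future work.},
  institution = {Universität der Bundeswehr München, Fakultät für Informatik, INF 6 - Institut für Systemsicherheit, Professur: Baier, Harald},
}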