Runbook: Suspected Data Exfiltration¶
Runbook Metadata¶
| Field | Value |
|---|---|
| Runbook ID | RB-004 |
| Title | Suspected Data Exfiltration |
| Version | 1.0 |
| Status | Approved |
| Owner | SOC Tier 2 |
| MITRE ATT&CK | TA0010 (Exfiltration) — T1567 (Exfil to Cloud), T1041 (Exfil over C2), T1030 (Data Transfer Size Limits), T1020 (Automated Exfil) |
| Alert Sources | DLP alert, anomalous upload volume, CASB alert, large email with attachment, DNS tunneling detection |
| Nexus SecOps Controls | Nexus SecOps-049, Nexus SecOps-051, Nexus SecOps-071, Nexus SecOps-073, Nexus SecOps-127 |
| SLA | Critical: 15min acknowledgment; High: 30min |
Overview¶
What triggers this runbook: DLP policy violation for data upload to unapproved destination; anomalous volume of data transferred from internal host to external service; CASB detection of sensitive data upload to cloud storage; large attachment sent to external email; DNS tunneling signatures; anomalous SMB/FTP traffic.
Why this matters: Data exfiltration is the most impactful phase of many attacks and insider threat incidents. It triggers regulatory breach notification requirements. Early detection limits the scope of what was taken and enables legal action.
Common causes:
| Cause | TP or FP | Frequency |
|---|---|---|
| Insider uploading data before departure | TP | Medium |
| Attacker exfiltrating after compromise | TP | Low-Medium |
| Employee using personal cloud storage for work | FP | High |
| Approved backup to third-party service | FP | Medium |
| Software telemetry or automated update | FP | Medium |
| Large legitimate file transfer (approved) | FP | Medium |
Triage Steps (Tier 1)¶
Step 1: Alert Classification¶
- [ ] 1.1 Identify the alert type:
    - ☐ DLP — specific data classification triggered (PII, PCI, IP, etc.)
    - ☐ Volume-based — large data transfer to external destination
    - ☐ CASB — upload to unapproved cloud service
    - ☐ Email — large attachment to external recipient
    - ☐ DNS tunneling — high-entropy DNS queries, large DNS responses
- [ ] 1.2 Identify the affected user and host:
    - User: ______
    - Host: ______
    - User role/department: ______
    - User employment status: ☐ Active ☐ Pending departure ☐ On PIP
A user pending departure or on a performance improvement plan (PIP) significantly increases insider threat probability. Escalate faster.
Step 2: Quick Context¶
- [ ] 2.1 What was transferred?
    - Destination: ______
    - Volume (MB/GB): ______
    - File types (if known): ______
    - Data classification: ☐ Public ☐ Internal ☐ Confidential ☐ Restricted/Regulated
- [ ] 2.2 Is the destination an approved service? (check approved cloud services list)
    - ☐ Approved (e.g., corporate Box, SharePoint) → Possible FP
    - ☐ Not on approved list → Escalate
- [ ] 2.3 Is this volume anomalous for this user? (check UEBA baseline)
    - Typical daily upload volume: ______
    - Today's volume: ______
Step 3: Quick Verification¶
- [ ] 3.1 Check if there's a change request or business justification for this transfer
- [ ] 3.2 Check if user is in a role that routinely handles large file transfers (backup admin, etc.)
- [ ] 3.3 Are there other alerts for this user/host in the past 7 days?
Investigation Steps (Tier 2)¶
Step 4: Data Scope Investigation¶
```kql
// DLP events for this user in the last 30 days
DLPEvent
| where User == "{USER}"
| where Timestamp > ago(30d)
| project Timestamp, PolicyName, DataClassification, Destination, FileSize, Action
| order by Timestamp desc
```

```kql
// Proxy/web gateway logs for upload activity (transfers larger than 10 MB)
WebProxyLogs
| where UserName == "{USER}"
| where Timestamp > ago(48h)
| where BytesSent > 10485760 // > 10MB
| project Timestamp, DestinationURL, BytesSent, Category
| order by BytesSent desc
```

```kql
// Email with attachments sent to external domains
EmailEvents
| where SenderEmailAddress contains "{USER}"
| where Timestamp > ago(30d)
| where RecipientEmailAddress !contains "{INTERNAL_DOMAIN}"
| where AttachmentCount > 0
| project Timestamp, RecipientEmailAddress, Subject, AttachmentNames
```
- [ ] 4.1 What is the total volume transferred in the past 30 days to external services?
- [ ] 4.2 Is this a single event or a pattern of transfers?
- [ ] 4.3 What specific files or data classifications were involved?
- [ ] 4.4 Did the user access data repositories unusually (SharePoint, code repo, file server) before the transfer?
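Added example, not part of the runbook: a small script that applies triage checks 2.2 and 2.3 and investigation items 4.1 and 4.2 to web-proxy upload records. The CSV log format, the approved-destination list and the UEBA daily baseline are assumed placeholders; the log lines are constructed.

```python
# Added example (not part of the runbook): evaluate triage items 2.2/2.3 and
# investigation items 4.1/4.2 from web-proxy upload records. Log format,
# approved-destination list and UEBA baseline are assumed placeholders.
from collections import defaultdict
from datetime import datetime

# Constructed sample records for one user; not real traffic.
PROXY_LOG = """\
2025-10-01T09:12:00,jdoe,sharepoint.corp.example,52428800
2025-10-03T18:40:00,jdoe,files.personal-cloud.example,734003200
2025-10-05T19:02:00,jdoe,files.personal-cloud.example,891289600
2025-10-07T17:55:00,jdoe,files.personal-cloud.example,1258291200
2025-10-08T10:30:00,jdoe,box.corp.example,20971520
"""
# Placeholder for the organisation's approved cloud services list (2.2).
APPROVED_DESTINATIONS = {"sharepoint.corp.example", "box.corp.example"}
MIN_EVENT_BYTES = 10 * 1024 * 1024  # same >10 MB cut-off as the proxy query

def parse_proxy_log(text):
    """Parse CSV lines into (timestamp, user, destination, bytes_sent) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, dest, sent = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, dest, int(sent)))
    return rows

def summarize_uploads(rows, user, baseline_daily_bytes):
    """Aggregate >10 MB uploads to unapproved destinations for one user."""
    per_dest = defaultdict(int)  # bytes per destination
    per_day = defaultdict(int)   # bytes per calendar day
    for ts, u, dest, sent in rows:
        # Approved services (2.2) and small transfers are out of scope here.
        if u != user or sent < MIN_EVENT_BYTES or dest in APPROVED_DESTINATIONS:
            continue
        per_dest[dest] += sent
        per_day[ts.date()] += sent
    peak_day = max(per_day.values(), default=0)
    if not per_day:
        pattern = "none"
    elif len(per_day) == 1:
        pattern = "single event"
    else:
        pattern = "pattern"  # transfers on several days (4.2)
    return {
        "unapproved_destinations": sorted(per_dest),  # non-empty -> escalate (2.2)
        "peak_day_vs_baseline": peak_day / baseline_daily_bytes,  # 2.3
        "total_external_bytes": sum(per_dest.values()),  # 4.1
        "pattern": pattern,
    }
```

Call `summarize_uploads(parse_proxy_log(PROXY_LOG), "jdoe", 50 * 1024 * 1024)` to get the summary; in practice the rows come from the proxy query above and the baseline from UEBA.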
Step 5: Destination Investigation¶
- [ ] 5.1 Identify the destination service:
- Is it a personal cloud account (personal Gmail Drive, personal Dropbox)?
- Is it a competitor's domain?
- Is it an anonymous file-sharing service?
- Is it a known C2 domain? (check TIP)
- [ ] 5.2 Obtain the destination account/URL if possible (for legal hold / law enforcement referral)
- [ ] 5.3 Check if the destination is accessible publicly (can legal recover data?)
Step 6: User Activity Timeline¶
Build a 30-day timeline of:
- File access patterns (what repositories did they access, when?)
- Large file operations (downloads from SharePoint, code repositories)
- Email activity to external addresses
- USB/removable media usage (if logged)
- Print activity (if logged)
- Application usage anomalies
Containment Actions¶
Containment strategy depends on whether this is insider-threat or external-attacker exfiltration. Insider threat cases involve HR and Legal from the start.
External Attacker Exfiltration¶
- Contain the source host (isolate via EDR if malware involved)
- Block identified exfiltration destination at proxy/firewall
- Revoke attacker access (disable compromised accounts, revoke sessions)
- Preserve logs immediately (external IPs, data accessed, timeline)
Insider Threat Suspected¶
- Do NOT tip off the user — do not take visible containment action until legal advises
- Notify HR and Legal immediately — insider threat cases require HR/Legal involvement
- Preserve evidence silently: capture logs, emails, access records for legal use
- Legal hold: HR/Legal to determine timing of account action and evidence preservation
- Restrict access quietly (if instructed by Legal): modify permissions without visible notification
For insider threat cases, do NOT contact the user directly or take account actions without Legal/HR guidance. Evidence handling mistakes can compromise legal proceedings.
Regulatory Considerations¶
| Condition | Regulation | Action Required |
|---|---|---|
| EU personal data exfiltrated | GDPR | Notify DPA within 72 hours |
| PHI confirmed exfiltrated | HIPAA | Notify HHS, potentially affected individuals |
| Cardholder data exfiltrated | PCI DSS | Notify acquiring bank, card brands immediately |
| Employee personal data | Employment law | Legal review required |
| Trade secrets | Trade Secrets Act | Legal action may be available |
Engage legal immediately if any of the above apply. Regulatory notification requirements begin from when the breach is "discovered," not when it is fully investigated.
Evidence Preservation Checklist¶
Preserve in this order before any containment that may destroy evidence:
- [ ] Web proxy logs showing upload activity (full 90 days if possible)
- [ ] DLP alert data with file metadata
- [ ] Email records
- [ ] EDR telemetry for the user's host
- [ ] Authentication logs
- [ ] File access audit logs (SharePoint, file server)
- [ ] CASB/cloud access records
- [ ] USB/print logs if available
Document: What was preserved, when, from where, by whom (chain of custody)
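Added example, not part of the runbook: a chain-of-custody helper that records what was preserved, when, from where and by whom, with a SHA-256 hash so later modification of a preserved artifact is detectable. The case id, source label, collector name and the proxy-export content are constructed placeholders.

```python
# Added example (not part of the runbook): build a chain-of-custody record
# for each preserved artifact so "what, when, from where, by whom" and an
# integrity hash are captured. Case id, source and collector are placeholders.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):  # streamed, so large log exports need not fit in memory
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def custody_record(path, source, collected_by, case_id):
    """One manifest entry: artifact, hash, size, origin, collector, UTC time."""
    path = Path(path)
    return {
        "case_id": case_id,
        "artifact": path.name,
        "sha256": sha256_file(path),
        "size_bytes": path.stat().st_size,
        "source": source,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }

def verify_record(record, path):
    return sha256_file(path) == record["sha256"]  # mismatch: changed since preservation

def write_manifest(records, manifest_path):
    """Append-only JSON Lines manifest, one custody entry per line."""
    with open(manifest_path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")

def demo():
    """Preserve a constructed proxy-log export, record it, then show a change is detected."""
    workdir = Path(tempfile.mkdtemp())
    export = workdir / "proxy_export_90d.csv"
    export.write_bytes(b"2025-10-07T17:55:00,jdoe,files.personal-cloud.example,1258291200\n")
    rec = custody_record(export, "web-proxy/export", "analyst-placeholder", "CASE-PLACEHOLDER")
    write_manifest([rec], workdir / "custody_manifest.jsonl")
    verified = verify_record(rec, export)
    export.write_bytes(export.read_bytes() + b"x")  # simulate a modified artifact
    return {"record": rec, "verified": verified, "verified_after_change": verify_record(rec, export)}
```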
References¶
- T1567 — Exfiltration Over Web Service
- T1020 — Automated Exfiltration
- CISA Insider Threat Mitigation Guide
- Related: RB-001 — Identity Anomaly | RB-002 — Endpoint Malicious Behavior
RB-004 v1.0 | Reviewed: 2025-Q4 | Next review: 2026-Q4