Cyber Defense Tactics

Learn defensive security, leverage AI for cyber defense, and join a community of security professionals.

© 2026 Cyber Defense Tactics. All rights reserved. A Carbene.AI Project
Playbook category: Threat-Specific. Level: advanced.

Data Exfiltration Investigation

Investigation procedures for suspected or confirmed data exfiltration incidents.

Time to complete: days to weeks. 5 steps, 12 checklist items.

Summary

Framework for investigating data loss incidents: establishing what left, where it went and how, and determining the regulatory notification requirements that follow.

Step-by-Step Procedure

1. Initial Detection Assessment

Evaluate the exfiltration indicators and decide how urgently to act.

Actions

  • Identify the detection source (DLP alert, SIEM correlation, user report)
  • Document the initial indicators: timestamps, hosts, accounts, destinations, and the files or data types named in the alert
  • Assess the sensitivity of the data potentially involved
  • Determine whether the exfiltration is ongoing or historical; if it is ongoing, start containment (Step 5) in parallel with the investigation rather than after it

2. Scope Determination

Identify what data may have been exfiltrated.

Actions

  • Analyze DLP logs for the files and content categories that were transferred
  • Review network flow logs for outbound volume per host and destination, compared against that host's normal baseline
  • Identify the destination of the exfiltrated data (external IP or domain, cloud storage account, personal email, removable media) and pivot on it to find any other hosts sending to the same place
  • Catalog the affected data types and the number of records

3. Source Investigation

Determine how the exfiltration occurred.

Actions

  • Identify the user account or system responsible for the transfer
  • Determine whether it was a malicious insider, an external attacker (compromised credentials or malware), or an accidental disclosure
  • Trace the full attack chain if external: initial access, credential theft, lateral movement, staging, and the exfiltration channel
  • Identify the root cause: the control gap that allowed the transfer, not only the mechanism used

4. Regulatory Assessment

Evaluate notification and reporting requirements.

Actions

  • Catalog the affected data types (PII, PHI, payment card data, etc.) and the jurisdictions of the individuals concerned
  • Identify the regulations and contractual obligations that apply
  • Determine the notification timelines; some clocks (for example GDPR's 72 hours to the supervisory authority) start when the organization becomes aware of the breach, not when the investigation concludes
  • Engage legal for the formal breach determination; do not communicate a breach conclusion externally before that determination is made

5. Remediation

Stop the bleeding and prevent recurrence.

Actions

  • Block the exfiltration paths (destination, protocol, or channel), preserving the relevant logs and artifacts first so that containment does not destroy scoping evidence
  • Revoke compromised access: disable accounts and rotate credentials, API keys and session tokens
  • Implement additional DLP controls for the data types and channels involved
  • Address the root cause vulnerabilities identified in Step 3
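The scope-determination work in Step 2 (and the ongoing-or-historical question from Step 1) can be started from a flow export before DLP results are in. The script below is an added example for this page, not code from Cyber Defense Tactics; it assumes a tab-separated flow export with Zeek conn.log-style columns, an organization-defined list of internal address ranges, and a per-host daily outbound baseline derived from historical flow data. The flow records, ranges and baselines are all constructed for the example.

```python
"""Outbound-volume scoping for a suspected exfiltration.

Added example for this playbook; not Cyber Defense Tactics' own code.
Assumptions: a tab-separated flow export with the columns shown below
(modelled on Zeek conn.log fields), an org-defined set of internal ranges,
and a per-host daily outbound baseline taken from historical flow data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; anything outside them counts as an external destination.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real data). Columns:
# ts  src  dst  dst_port  proto  orig_bytes
SAMPLE_FLOWS = """\
2024-05-01T09:00:12Z\t10.1.2.50\t10.1.2.10\t445\ttcp\t12400
2024-05-01T09:05:40Z\t10.1.2.50\t203.0.113.7\t443\ttcp\t850000000
2024-05-01T09:41:03Z\t10.1.2.50\t203.0.113.7\t443\ttcp\t910000000
2024-05-01T10:02:17Z\t10.1.2.51\t198.51.100.22\t443\ttcp\t320000
2024-05-01T10:15:55Z\t10.1.2.52\t203.0.113.7\t22\ttcp\t4500
2024-05-01T10:20:00Z\t10.1.2.50\t192.0.2.9\t443\ttcp\t150000000
"""

# Assumed per-host daily outbound baseline in bytes (e.g. a 30-day median from NetFlow).
BASELINE_BYTES = {"10.1.2.50": 50_000_000, "10.1.2.51": 500_000, "10.1.2.52": 200_000}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_flows(text):
    """Parse the tab-separated export into dicts with aware datetimes and int byte counts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes = line.split("\t")
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_summary(flows):
    """Bytes sent per (src, dst) pair to external destinations, plus last-seen time per pair."""
    totals = defaultdict(int)
    last_seen = {}
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal-to-internal traffic is out of scope for this pass
        key = (f["src"], f["dst"])
        totals[key] += f["bytes"]
        last_seen[key] = max(last_seen.get(key, f["ts"]), f["ts"])
    return dict(totals), last_seen


def flag_exfil_candidates(flows, baseline, multiplier=3.0):
    """Hosts whose external outbound volume exceeds multiplier x baseline (or that have no baseline)."""
    totals, _ = outbound_summary(flows)
    per_host = defaultdict(int)
    for (src, _dst), nbytes in totals.items():
        per_host[src] += nbytes
    candidates = []
    for src, total in per_host.items():
        base = baseline.get(src)
        if base is None or total > multiplier * base:
            dests = sorted(((d, b) for (s, d), b in totals.items() if s == src),
                           key=lambda item: item[1], reverse=True)
            candidates.append({"src": src, "total_bytes": total,
                               "baseline": base, "destinations": dests})
    return sorted(candidates, key=lambda c: c["total_bytes"], reverse=True)


def hosts_to_destination(flows, dst):
    """Pivot on the suspect destination: every internal host that sent it data."""
    totals, _ = outbound_summary(flows)
    return sorted({s for (s, d) in totals if d == dst})


def still_ongoing(flows, src, dst, now, window_minutes=60):
    """Step 1 question, ongoing or historical: was the pair active within the window before `now`?"""
    _, last_seen = outbound_summary(flows)
    ts = last_seen.get((src, dst))
    return ts is not None and now - ts <= timedelta(minutes=window_minutes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    now = parse_ts("2024-05-01T10:30:00Z")
    for c in flag_exfil_candidates(flows, BASELINE_BYTES):
        print(f"{c['src']}: {c['total_bytes']:,} B to external hosts (baseline {c['baseline']:,})")
        for dst, b in c["destinations"]:
            state = "ONGOING" if still_ongoing(flows, c["src"], dst, now) else "historical"
            print(f"  -> {dst}: {b:,} B, {state}; all senders: {hosts_to_destination(flows, dst)}")
```

On real data, replace SAMPLE_FLOWS with the conn.log or NetFlow export for the suspect window and set INTERNAL_NETS to the organization's actual ranges; the baseline multiplier is a starting point, not a tuned threshold, and a host with no baseline is flagged deliberately so that unknown systems are reviewed rather than silently passed.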

Completion Checklist

  • Detection source identified
  • Initial indicators documented
  • Data scope estimated
  • Destination identified
  • Source/method determined
  • Root cause identified
  • Regulatory requirements assessed
  • Legal engaged for breach determination
  • Exfiltration paths blocked
  • Affected individuals identified
  • Notification plan developed
  • Incident documented

Evidence to Collect

  • DLP alert details
  • Network flow data
  • File transfer logs
  • User activity logs
  • Data inventory of affected records
  • Regulatory assessment documentation

Communication Templates

  • Legal notification memo
  • Regulatory notification template
  • Customer notification template

Join our community to discuss playbooks and share incident response experiences.