Consider the scenario where an attacker is able to exfiltrate sensitive data from a compromised system to an external network or the Internet, but there are only limited ways to achieve this because the outbound connection is configured not to allow any application-layer protocol based on TCP, so the attacker decided to exfiltrate data via DNS, which is allowed by the configuration (Yes! this is the mistake).
In my opinion, there are two ways to detect this kind of exfiltration:
- Content-based: the content of the transferred data must be inspected to find sensitive data or anything such as a file signature, header or file properties.
- Volume-based: the amount of data must be compared with a data usage baseline. If the current volume of data (in some amount of time) is larger than the data usage baseline, then w00t w00t!
These are my questions:
- Is there any other effective solution to detect data exfiltration in a scenario like this?
- For the volume-based detection, are there any recommendations for calculating the data usage baseline? Is the average data usage for a month good enough?
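The two detection ideas in the question (content-based and volume-based) sketched as working detection logic over a handful of DNS query log lines. This is an added example and not code from the original post; the log format (timestamp, client, queried name), the sample lines, the thresholds and the baseline history are all constructed for illustration. It also goes slightly beyond the question on the baseline point: instead of a single monthly average, the threshold is the historical mean plus three standard deviations per time window, so normal variance does not trip it.

```python
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (timestamp, client, queried name); not real traffic.
# The three 10.0.0.7 queries at 10:01 imitate the long, high-entropy labels that
# DNS tunnelling tools produce; the rest is ordinary-looking traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:03 10.0.0.5 mail.example.com
2024-01-01T10:00:05 10.0.0.7 cdn.example.net
2024-01-01T10:01:10 10.0.0.7 7a3f9c1e4b2d8e6f0a1b2c3d4e5f6a7b.8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.tunnel-example.org
2024-01-01T10:01:11 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tunnel-example.org
2024-01-01T10:01:12 10.0.0.7 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b.tunnel-example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Yield (datetime, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def content_flags(qname, max_label=30, max_entropy=3.5, max_len=60):
    """Content-based checks on one query name; returns the list of triggered reasons."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if len(qname) > max_len:
        reasons.append("long_name")
    if any(len(label) > max_label for label in labels):
        reasons.append("long_label")
    # Entropy is measured over the leftmost label, the part a sender controls most freely.
    if shannon_entropy(labels[0]) > max_entropy:
        reasons.append("high_entropy")
    return reasons


def query_bytes_per_window(records, window_seconds=60):
    """Volume-based view: bytes of query-name data per client per fixed time window."""
    usage = defaultdict(int)
    for ts, client, qname in records:
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        usage[(client, bucket)] += len(qname)
    return usage


def baseline_threshold(history, k=3.0):
    """Mean plus k standard deviations of historical per-window volumes.

    A plain monthly average ignores how much normal usage swings from window to
    window, so the spread is part of the threshold (assumed choice, not a standard).
    """
    if len(history) < 2:
        return float("inf")
    return statistics.mean(history) + k * statistics.pstdev(history)


def detect(text, history, window_seconds=60):
    """Run both checks over a log and return (client, subject, reasons) alerts."""
    records = list(parse_log(text))
    alerts = []
    for _ts, client, qname in records:
        flags = content_flags(qname)
        if flags:
            alerts.append((client, qname, flags))
    threshold = baseline_threshold(history)
    for (client, bucket), nbytes in query_bytes_per_window(records, window_seconds).items():
        if nbytes > threshold:
            alerts.append((client, f"window {bucket}", ["volume_above_baseline"]))
    return alerts


if __name__ == "__main__":
    # Constructed history: bytes of query names per minute seen for this client in the past.
    for alert in detect(SAMPLE_LOG, [40, 50, 60, 45, 55]):
        print(alert)
```

Run stand-alone it prints three content-based alerts (each tunnel-style name trips all three checks) and one volume alert for the 10:01 window of 10.0.0.7, whose 252 bytes of query names far exceed a baseline whose history averages 50 bytes per minute. In practice the history would be built per client (or per client and destination domain) over many windows, and the content checks would be tuned against the legitimate long names that CDNs and anti-spam lookups generate, which is the main false-positive source for this kind of rule.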