Data Loss from Traffic Analysis

Detecting Data Exfiltration Through Network Patterns


Common Data Exfiltration Techniques

Attackers use various methods to steal data from compromised networks. Understanding these techniques helps you recognize the traffic patterns they create.

DNS Tunneling HIGH RISK

Encodes data in DNS query names (and in TXT answers for the return channel) to ride outbound DNS, which almost every network permits.

HTTPS Exfil HIGH RISK

Hides data in encrypted HTTPS POST requests, where the payload is invisible without TLS inspection.

ICMP Tunneling MEDIUM

Embeds data in the payload of ICMP echo (ping) packets.

Cloud Storage MEDIUM

Uploads to legitimate cloud services (Dropbox, Google Drive).

Steganography HIGH RISK

Hides data within images or other files.

Email Exfil MEDIUM

Sends data as attachments or in the message body.


Exfiltration Indicators

Look for these red flags in network traffic that may indicate data theft in progress.

Volume Indicators

  • Unusual outbound data volume (especially after hours)
  • Large uploads to external IPs not on the allowlist
  • Sustained high-bandwidth connections
  • Single endpoint transferring more than peers

Protocol Indicators

  • DNS queries with unusually long hostnames
  • High volume of TXT record requests
  • ICMP packets with non-standard payload sizes
  • HTTP POST to rarely-accessed domains
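The DNS items above can be scored mechanically. The following is an added example, not code from the course, that runs over a constructed resolver log in a simplified `<time> <client> <qtype> <qname>` format. The hostnames, the `exfil-zone.test` zone, the entropy threshold and the two-label zone split are assumptions; the 100-character length threshold is the one from the quick-reference table. It goes one step past the bullets by requiring several distinct flagged names per client and zone before alerting, which is what keeps a single high-entropy CDN hostname from firing.

```python
"""Score a DNS resolver log for tunneling indicators: long query names,
high-entropy subdomain labels and record types that tunnels favour.
Added example; log format, domains and thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (not real data): "<time> <client> <qtype> <qname>".
# 10.0.0.5 browses normally (one noisy CDN hostname included on purpose);
# 10.0.0.9 pushes hex-encoded text as long labels under one attacker zone.
SAMPLE_LOG = """\
09:01:02 10.0.0.5 A www.example.com
09:01:03 10.0.0.5 AAAA mail.example.com
09:01:10 10.0.0.5 A cdn.example.net
09:01:15 10.0.0.5 TXT _dmarc.example.com
09:01:20 10.0.0.5 A d3k4j9x2q7p1m.cloudfront.net
09:01:11 10.0.0.9 TXT 4a6f686e20446f652c20656d706c6f79656520494420383831322c207361.6c617279203132302c3030302c2068697265642032303233.exfil-zone.test
09:01:12 10.0.0.9 TXT 4f7261636c652044422070617373776f72643a204f7261636c652d5f.323032342d5365637265742121207461626c6520637573746f6d657273.exfil-zone.test
09:01:13 10.0.0.9 TXT 517561727465726c7920726576656e756520666f7265636173742c20.626f617264206f6e6c792c20646f206e6f742064697374726962757465.exfil-zone.test
09:01:14 10.0.0.9 A www.example.com
"""

LONG_NAME = 100                  # chars; the course's quick-reference threshold
HIGH_ENTROPY = 2.8               # bits per char over the subdomain part (assumption)
TUNNEL_QTYPES = {"TXT", "NULL"}  # bulky record types commonly used by tunnels
MIN_UNIQUE_SUBDOMAINS = 3        # distinct flagged names per client+zone (assumption)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                            "qname": qname.rstrip(".").lower()})
    return records


def shannon_entropy(s):
    """Bits per character: hex text lands near 3.5, base32 higher, real hostnames lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname, zone_labels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').
    Two-label zones are an assumption; use the Public Suffix List in practice."""
    labels = qname.split(".")
    if len(labels) <= zone_labels:
        return "", qname
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def query_indicators(qtype, qname):
    """Names of the per-query red flags that fire for this query."""
    sub, _zone = split_zone(qname)
    hits = []
    if len(qname) >= LONG_NAME:
        hits.append("long_name")
    if shannon_entropy(sub.replace(".", "")) >= HIGH_ENTROPY:
        hits.append("high_entropy")
    if qtype in TUNNEL_QTYPES:
        hits.append("tunnel_qtype")
    return hits


def analyze(text):
    """Group queries by (client, zone) and alert when several distinct names each
    trip at least two indicators. One indicator alone is not enough: a CDN
    hostname is high-entropy but short and asked for as an A record."""
    groups = defaultdict(list)
    for r in parse_log(text):
        groups[(r["client"], split_zone(r["qname"])[1])].append(r)
    alerts = []
    for (client, zone), recs in sorted(groups.items()):
        flagged = [r for r in recs if len(query_indicators(r["qtype"], r["qname"])) >= 2]
        names = {split_zone(r["qname"])[0] for r in flagged}
        if len(names) >= MIN_UNIQUE_SUBDOMAINS:
            payload_chars = sum(len(n.replace(".", "")) for n in names)
            alerts.append({"client": client, "zone": zone, "queries": len(recs),
                           "flagged": len(flagged), "unique_subdomains": len(names),
                           "payload_chars": payload_chars})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['client']} -> {a['zone']}: {a['flagged']}/{a['queries']} queries "
              f"flagged, ~{a['payload_chars']} encoded chars")
```

Run it directly to print the one alert for 10.0.0.9. In production, feed it from resolver query logs or passive DNS, replace the two-label zone split with a Public Suffix List lookup, and tune the entropy threshold against your own baseline; the `payload_chars` figure gives a rough upper bound on how much encoded data left through that zone.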

Behavioral Indicators

  • Access to sensitive files followed by network activity
  • Compression/archiving before transfer
  • Connections to known file-sharing sites
  • Encrypted traffic to non-standard ports

Key Insight

  • Single indicators rarely confirm exfiltration — look for patterns
  • Correlate network data with endpoint activity (file access, process execution)
  • Baseline normal traffic to identify anomalies
  • Some techniques blend with legitimate traffic — context matters

Analyze Traffic Flows

Examine the network flow records for the last hour and identify potential data exfiltration, applying the volume and protocol indicators above.

NetFlow Records - Last Hour

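As an added example (not the course's own exercise data), here is the volume analysis applied to a constructed NetFlow-style CSV export. The column layout, the RFC 1918 ranges treated as internal, the business-hours window and the peer-ratio and 100 MiB thresholds are assumptions. It exercises three of the indicators listed earlier: a single endpoint transferring far more than its peers, large transfers after hours, and the need to drop east-west traffic such as a file-server copy before comparing hosts.

```python
"""Find internal hosts whose outbound volume to external destinations dwarfs
their peers, and report how much of it moved after hours.
Added example; export format, addresses and thresholds are assumptions."""
import csv
import io
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed NetFlow-style export (not real data). External addresses use the
# RFC 5737 documentation ranges; 10.0.0.20 is an internal file server and
# 198.51.100.50 -> 10.0.0.5 is inbound, both of which must be ignored.
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes
2024-03-04 09:12:01,10.0.0.5,203.0.113.5,443,48210
2024-03-04 09:15:44,10.0.0.5,203.0.113.5,443,51002
2024-03-04 10:02:10,10.0.0.6,203.0.113.7,443,88000
2024-03-04 11:30:00,10.0.0.7,203.0.113.7,443,120400
2024-03-04 13:05:12,10.0.0.8,203.0.113.5,443,39900
2024-03-04 14:10:33,10.0.0.5,10.0.0.20,445,2200000000
2024-03-04 14:30:00,198.51.100.50,10.0.0.5,443,5000000
2024-03-04 15:00:00,10.0.0.6,203.0.113.9,443,64000
2024-03-04 23:41:05,10.0.0.7,198.51.100.23,443,412000000
2024-03-04 23:58:30,10.0.0.7,198.51.100.23,443,389000000
"""

# This organisation's address space (assumption); do not rely on is_private,
# which also matches the documentation ranges used for the external hosts here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_HOURS = range(8, 19)        # 08:00-18:59 is business hours (assumption)
PEER_RATIO = 10.0                # alert above 10x the peers' median (assumption)
ABS_FLOOR = 100 * 1024 * 1024    # and at least 100 MiB, so a quiet network stays silent


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into dicts with a datetime and integer byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
                     "src": row["src"], "dst": row["dst"],
                     "dport": int(row["dport"]), "bytes": int(row["bytes"])})
    return rows


def outbound_profile(flows):
    """Per internal host: bytes sent to external destinations, the after-hours
    share of them, and a per-destination breakdown."""
    prof = defaultdict(lambda: {"bytes": 0, "after_hours": 0, "dst": Counter()})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # skip inbound and east-west traffic (file servers, backups)
        p = prof[f["src"]]
        p["bytes"] += f["bytes"]
        p["dst"][f["dst"]] += f["bytes"]
        if f["start"].hour not in WORK_HOURS:
            p["after_hours"] += f["bytes"]
    return prof


def find_outliers(flows):
    """Hosts above the absolute floor and far above the median of their peers.
    The peer median is a same-window baseline; a real deployment also compares
    each host against its own history over several days."""
    prof = outbound_profile(flows)
    alerts = []
    for host, p in prof.items():
        peers = [q["bytes"] for h, q in prof.items() if h != host]
        if not peers:
            continue
        median = max(statistics.median(peers), 1)  # avoid dividing by zero
        if p["bytes"] >= ABS_FLOOR and p["bytes"] > PEER_RATIO * median:
            top_dst, top_bytes = p["dst"].most_common(1)[0]
            alerts.append({"host": host, "bytes_out": p["bytes"],
                           "ratio_to_peer_median": round(p["bytes"] / median, 1),
                           "after_hours_fraction": round(p["after_hours"] / p["bytes"], 4),
                           "top_dst": top_dst, "top_dst_bytes": top_bytes})
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for a in find_outliers(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['host']}: {a['bytes_out'] / 2**20:.0f} MiB out, "
              f"{a['ratio_to_peer_median']}x peers, "
              f"{a['after_hours_fraction']:.0%} after hours, top dst {a['top_dst']}")
```

The 2.2 GB copy from 10.0.0.5 to the file server never reaches the comparison, which is the point: without the internal/external split it would be the loudest host on the network and the real outlier, 10.0.0.7 sending roughly 800 MB to one external address near midnight, would look unremarkable beside it.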

Quick Reference: Normal vs. Suspicious

Metric               Normal                        Suspicious
DNS Query Length     10-50 characters              100+ characters (encoded data)
HTTPS Upload         Small POST (form data)        Large POST (100KB+) to unknown domain
ICMP Payload         32-64 bytes (standard ping)   Variable/large payloads
After-Hours Traffic  Minimal, known services       Large outbound transfers

Exfiltration Detection Challenge

You're a SOC analyst reviewing alerts. Analyze each scenario and determine the appropriate response.