Data Theft Investigation

This scenario covers a suspected data exfiltration event: identifying what data left the network, who accessed it, and whether the transfer was authorised.

Scenario

A DLP or SIEM alert fires on an unusually large upload to an external cloud storage service from a corporate workstation. The alert includes the source IP, the destination domain, the username, and the volume of data transferred as observables.

Create the case

Open Alerts and locate the alert. Click Preview, review the Similar cases tab for any related transfers from the same user or destination, then select the Data Theft template from the Import alert as dropdown and click Yes, Import.

The case is created with the following tasks:

Task | Group | Action
Search logs | Identification | Search SIEM and proxy logs for traffic from the source IP in a window around the event time. Record every destination address, the volume transferred to each (bytes sent, not bytes received), and the protocol used. Widen the window if the alert volume does not account for everything the user sent.
Disable affected user accounts | Containment | If the transfer was not authorised, suspend the user's account via the LDAP BlockUser responder or manually in AD, and revoke any active sessions so the suspension takes effect immediately. Reset credentials after the investigation, not before, so that logon and session evidence is preserved.
Identify where the data was transferred to | Identification | Determine the external destination. Run threat intelligence analyzers on the destination domain or IP to assess whether it is a known malicious host or data broker, and establish whether the destination account or tenant is a corporate one or a personal one on an otherwise legitimate service.
Identify the method of data theft | Identification | Determine the channel used: HTTP upload, FTP, email attachment, or USB. Check DLP logs for the data categories and file types transferred, and confirm the proxy evidence agrees with the DLP figures.
Identify the hosts impacted | Identification | List all workstations and servers involved in the transfer, including the internal source of the data (file shares, databases, repositories). Check for lateral movement or data staging prior to the exfiltration event.
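The Search logs and Identify the method of data theft tasks both reduce to the same question: from this source IP, in this window, how many bytes went where, over which protocol? The following is an added example, not part of the original playbook or the case-management product it describes. The log format, field layout, hostnames and sample lines are constructed for illustration (adapt parse_line to your proxy's real format); the volume threshold and the scheme-to-technique mapping are assumptions to be tuned locally.

```python
"""
Added example (not original playbook code): aggregate proxy log lines around a
DLP alert to support the "Search logs" and "Identify the method of data theft"
tasks. Everything below (format, hosts, volumes, threshold) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified proxy format (assumption):
# <timestamp> <src_ip> <user> <method> <scheme>://<host>/<path> <bytes_sent> <bytes_received>
SAMPLE_LOG = """\
2024-03-12T09:58:01Z 10.20.30.40 jdoe GET https://intranet.example.local/home 512 20480
2024-03-12T10:02:17Z 10.20.30.40 jdoe PUT https://upload.cloudshare.example/api/v2/files 734003200 1024
2024-03-12T10:03:44Z 10.20.30.40 jdoe PUT https://upload.cloudshare.example/api/v2/files 524288000 1024
2024-03-12T10:05:02Z 10.20.30.40 jdoe POST https://mail.example.com/send 2097152 4096
2024-03-12T10:09:30Z 10.20.30.40 jdoe STOR ftp://203.0.113.77/incoming/archive.7z 314572800 0
2024-03-12T10:40:00Z 10.20.30.41 asmith GET https://cdn.example.net/lib.js 300 150000
2024-03-12T12:15:00Z 10.20.30.40 jdoe PUT https://upload.cloudshare.example/api/v2/files 10485760 1024
"""

# Time the DLP/SIEM alert fired (constructed, matches the sample lines above).
ALERT_TIME = datetime(2024, 3, 12, 10, 3, 0)

# Which ATT&CK technique a given transport scheme maps to (assumption; see TTPs section).
TTP_BY_SCHEME = {
    "https": "T1567", "http": "T1567",          # Exfiltration Over Web Service
    "ftp": "T1048", "sftp": "T1048", "smtp": "T1048",  # Exfiltration Over Alternative Protocol
}


def parse_line(line):
    """Split one constructed log line into a record with typed fields."""
    ts, src, user, method, url, sent, recv = line.split()
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "user": user, "method": method,
        "scheme": scheme, "host": host,
        "sent": int(sent), "recv": int(recv),
    }


def upload_summary(log_text, src_ip, alert_time, window_minutes=30):
    """Total bytes sent per (host, scheme) from src_ip within +/- window of the alert.

    Only outbound-dominant requests (bytes sent > bytes received) are counted,
    which separates uploads from ordinary browsing on the same hosts.
    """
    start = alert_time - timedelta(minutes=window_minutes)
    end = alert_time + timedelta(minutes=window_minutes)
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] != src_ip or not (start <= rec["ts"] <= end):
            continue
        if rec["sent"] > rec["recv"]:
            totals[(rec["host"], rec["scheme"])] += rec["sent"]
    return dict(totals)


def flag_destinations(summary, min_bytes=100 * 1024 * 1024):
    """Destinations whose outbound volume meets min_bytes, largest first,
    each paired with the suggested ATT&CK technique for its transport."""
    rows = [
        (host, scheme, total, TTP_BY_SCHEME.get(scheme, "unknown"))
        for (host, scheme), total in summary.items()
        if total >= min_bytes
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    summary = upload_summary(SAMPLE_LOG, "10.20.30.40", ALERT_TIME)
    for host, scheme, total, ttp in flag_destinations(summary):
        print(f"{host:32} {scheme:6} {total / 2**20:10.1f} MiB  {ttp}")
```

Run against the constructed sample, the 12:15 upload falls outside the 30-minute window and the 2 MiB mail POST falls under the threshold, leaving two destinations to record as observables: the cloud storage host over HTTPS and the FTP server at 203.0.113.77. The second one is the kind of finding the single DLP alert would not have surfaced on its own, which is why the Search logs task asks for every destination rather than just the alerted one.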

Add observables and run analyzers

Open the Observables tab and click Add Observable. Add:

  • Source IP (type ip) — the workstation that initiated the transfer.

  • Destination domain or IP (type domain or ip) — the external endpoint.

  • Username (type other) — the account used.

  • Data volume (type other) — record the byte count reported by the alert, and the byte count you confirmed from proxy or DLP logs if it differs, so the figures are preserved in the case timeline.

Select the destination domain or IP observable, click Run Analyzers, and run threat intelligence analyzers. Check the results for:

  • Reputation of the destination host. A clean reputation is expected for a major cloud storage provider and does not by itself make the transfer benign.

  • Whether the domain is registered to a known cloud provider or to an unknown entity. An unknown registrant is suspicious; for a known provider the decisive question is whether the destination account or tenant is corporate or personal, which threat intelligence alone will not answer and usually requires the DLP or proxy record of the target account.

  • Any passive DNS history linking the domain or IP to malware or known exfiltration infrastructure.

TTPs

From the TTPs tab, add the techniques observed:

  • T1567 Exfiltration Over Web Service — if data left via a web upload; use the sub-technique T1567.002 Exfiltration to Cloud Storage when the destination is a cloud storage service.

  • T1048 Exfiltration Over Alternative Protocol — if FTP, DNS, SMTP, or another non-web protocol was used.

  • T1052.001 Exfiltration over USB — if the method identified was removable media.

  • T1078 Valid Accounts — if the exfiltration used a legitimate user account.

  • T1530 Data from Cloud Storage — if cloud storage repositories were the source of the stolen data.

Close the case

After all tasks are complete, click Close case. Select:

  • True Positive — if data left the network without authorisation.

  • False Positive — if the transfer was authorised (approved business use). Record the evidence of approval, such as a ticket reference or the approver's confirmation, in the Summary.

  • Indeterminate — if authorisation cannot be confirmed either way.

Set Impact to Yes if sensitive or regulated data (PII, IP, financial records) was involved. Enter a Summary describing the data categories affected, the user, the destination, and the outcome. Click Close case.