📤 Data Exfiltration Response Quickstart

Time-boxed response path for data exfiltration incidents. Focuses on confirming active exfiltration, blocking outbound channels, preserving network and host evidence, and determining the scope of data loss for regulatory notification and business impact assessment.


First 15 Minutes

1. Confirm Exfiltration Indicators (Critical, ~3m)

Validate the exfiltration alert by reviewing firewall logs, proxy logs, and DLP alerts for evidence of large outbound data transfers to unusual destinations. Look for high-volume uploads to cloud-storage providers, FTP transfers to external IPs, DNS tunneling patterns, or encrypted channels to non-business destinations. Distinguish between a true positive data exfiltration and a false positive caused by legitimate business activity such as cloud backups or large file shares.

2. Identify Source Systems (Critical, ~5m)

Determine which internal systems are the source of the exfiltrated data by correlating network flow data with host-level authentication and process-execution logs. Identify the user accounts and processes generating the outbound traffic. Establishing the source systems is essential for understanding what data is at risk and for prioritizing containment actions on the systems actively leaking data.
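A triage helper for steps 1 and 2, added here as an example and not part of the original checklist: it aggregates constructed firewall flow records per (source, destination, port), flags high-volume transfers to destinations outside a business allowlist (so sanctioned backups drop out as the false positives step 1 warns about), then joins each flagged flow to the constructed EDR event showing which process and account opened it. Field names, the 500 MB threshold and the allowlist are assumptions, not a real product schema.

```python
"""Steps 1-2 triage helper (added example, constructed data): flag high-volume
outbound transfers to destinations outside a business allowlist, then attribute
each flagged flow to the host process and account that opened it.  Field names,
threshold and allowlist are assumptions, not a real product schema."""
from collections import defaultdict

# Constructed firewall flow records for one time window.
FLOWS = [
    {"src": "10.0.5.21", "dst": "52.96.0.10", "dport": 443, "bytes_out": 120_000_000},
    {"src": "10.0.5.21", "dst": "203.0.113.77", "dport": 443, "bytes_out": 2_300_000_000},
    {"src": "10.0.5.21", "dst": "203.0.113.77", "dport": 443, "bytes_out": 1_900_000_000},
    {"src": "10.0.7.4", "dst": "198.51.100.9", "dport": 21, "bytes_out": 650_000_000},
    {"src": "10.0.7.4", "dst": "52.96.0.10", "dport": 443, "bytes_out": 40_000_000},
]
# Constructed EDR network events: the process and user behind each connection.
PROC_EVENTS = [
    {"host": "10.0.5.21", "dst": "203.0.113.77", "dport": 443, "user": "jdoe", "image": "uploader.exe"},
    {"host": "10.0.7.4", "dst": "198.51.100.9", "dport": 21, "user": "svc_backup", "image": "ftp.exe"},
    {"host": "10.0.5.21", "dst": "52.96.0.10", "dport": 443, "user": "jdoe", "image": "OneDrive.exe"},
]
ALLOWED_DST = {"52.96.0.10"}       # assumed: sanctioned cloud backup / file-share endpoint
VOLUME_THRESHOLD = 500_000_000     # assumed: 500 MB per (src, dst, port) in the window


def aggregate_outbound(flows):
    """Sum bytes_out per (src, dst, dport) so repeated sessions are judged together."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["dport"])] += f["bytes_out"]
    return totals


def flag_suspect_flows(flows, allowed=ALLOWED_DST, threshold=VOLUME_THRESHOLD):
    """Step 1: keep high-volume transfers whose destination is not allowlisted."""
    return sorted((key, total) for key, total in aggregate_outbound(flows).items()
                  if key[1] not in allowed and total >= threshold)


def attribute(flagged, events):
    """Step 2: join flagged flows to the process and account that generated them."""
    index = {(e["host"], e["dst"], e["dport"]): e for e in events}
    hits = []
    for (src, dst, dport), total in flagged:
        e = index.get((src, dst, dport), {})
        hits.append({"src": src, "dst": dst, "dport": dport, "bytes_out": total,
                     "user": e.get("user", "UNKNOWN"), "image": e.get("image", "UNKNOWN")})
    return hits


if __name__ == "__main__":
    for hit in attribute(flag_suspect_flows(FLOWS), PROC_EVENTS):
        print(hit)
```

On the constructed data the 160 MB to the allowlisted endpoint is ignored, while the 4.2 GB HTTPS transfer and the 650 MB FTP session are flagged and attributed to jdoe and svc_backup respectively.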

3. Block Active Exfiltration Channels (Critical, ~3m)

Immediately block the identified exfiltration channels at the network perimeter. This may include adding firewall deny-rules for destination IPs, blocking specific cloud-storage domains at the proxy, sinkholing DNS for C2 domains, or isolating the source host from the network entirely. Prioritize stopping the data flow over forensic perfection in the first 15 minutes, as every minute of continued exfiltration increases the data-loss impact.

4. Lock Compromised Accounts (Critical, ~4m)

Disable or force password resets for all user and service accounts associated with the exfiltration activity. If the exfiltration involves cloud resources, revoke active sessions and refresh tokens in Azure AD or the relevant identity provider. Check whether the compromised accounts have access to additional sensitive data repositories that have not yet been exfiltrated, and restrict that access proactively to prevent further data loss.

First 60 Minutes

5. Collect DLP Alerts & Logs (Critical, ~10m)

Gather all data-loss-prevention alerts and policy-match logs from the relevant DLP platform (Microsoft Purview, Symantec DLP, etc.) covering the exfiltration timeframe. DLP logs can reveal the specific file names, data classifications, and sensitivity labels of the exfiltrated data, which is critical for regulatory notification obligations. Cross-reference DLP detections with the network-level exfiltration evidence to build a complete picture of what left the environment.

6. Capture Volatile Memory (~10m)

Acquire full memory dumps from the source systems involved in the exfiltration before they are rebooted or remediated. Memory may contain running exfiltration tools, encryption keys used for data packaging, clipboard contents with pasted credentials or connection strings, and network connection state showing active tunnels. Use WinPMEM or similar tools and record hash values for chain-of-custody documentation.

7. Snapshot Network & Security Logs (~10m)

Preserve copies of firewall, proxy, DNS, and host security logs covering at least 72 hours before the first confirmed exfiltration event. These logs are essential for reconstructing the full exfiltration timeline, identifying earlier reconnaissance or staging activity, and determining whether additional exfiltration channels were used. Export logs to a forensic evidence repository with write-protection and hash verification.

8. Collect EDR Telemetry (~15m)

Pull EDR telemetry from all source systems to capture process-execution history, file-access patterns, and network connections associated with the exfiltration. Look for data-staging behaviors such as archiving files with 7-Zip or RAR, renaming files to avoid detection, and writing large archives to temporary directories. EDR data provides the host-level context that network logs alone cannot, linking specific processes and users to the observed data flows.

First 4 Hours

9. Analyze Data Staging Activities (~30m)

Examine MFT records, Prefetch files, and file-system timeline data on source hosts to reconstruct how the attacker collected, compressed, and staged data before exfiltration. Look for archive-creation tools (7z.exe, rar.exe, tar), large file writes to staging directories, and renamed file extensions. Understanding the staging methodology reveals what data was packaged and whether the attacker selectively targeted high-value files or performed bulk collection.
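The staging behaviors steps 8 and 9 describe (archiver launched, large archive written to a staging directory, output renamed to a non-archive extension) can be scored from EDR process and file-write telemetry. The following is an added example over constructed events, not the checklist's own tooling; the event schema, the 100 MB size threshold, the staging-directory list and the two-indicator rule are assumptions. It deliberately includes a benign archive extraction and a scheduled server backup so the reader can see how those fall below the bar.

```python
"""Steps 8-9 helper (added example, constructed data): link archiver processes
to the files they wrote and score each write for data-staging indicators.
Event schema, size threshold, path list and scoring rule are assumptions."""
ARCHIVERS = {"7z.exe", "rar.exe", "tar.exe", "winrar.exe"}
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
ARCHIVE_EXTS = (".7z", ".rar", ".zip", ".tar", ".gz")
LARGE_BYTES = 100_000_000  # assumed: 100 MB

# Constructed EDR telemetry: process starts and the file writes they produced, keyed by pid.
EVENTS = [
    {"type": "process", "pid": 4120, "host": "WS-021", "user": "jdoe", "image": "7z.exe",
     "cmdline": "7z.exe a C:\\Users\\Public\\q3.dat C:\\Finance\\*"},
    {"type": "filewrite", "pid": 4120, "host": "WS-021", "path": "C:\\Users\\Public\\q3.dat", "size": 1_450_000_000},
    {"type": "process", "pid": 5011, "host": "WS-021", "user": "jdoe", "image": "7z.exe",
     "cmdline": "7z.exe x C:\\Users\\jdoe\\Downloads\\driver.zip"},
    {"type": "filewrite", "pid": 5011, "host": "WS-021", "path": "C:\\Users\\jdoe\\Downloads\\driver.sys", "size": 2_000_000},
    {"type": "process", "pid": 7733, "host": "SRV-09", "user": "svc_backup", "image": "tar.exe",
     "cmdline": "tar.exe -czf D:\\Backups\\nightly.tar.gz D:\\Data"},
    {"type": "filewrite", "pid": 7733, "host": "SRV-09", "path": "D:\\Backups\\nightly.tar.gz", "size": 900_000_000},
]


def find_staging(events, large=LARGE_BYTES):
    """Return file writes by archiver processes that trip at least two staging indicators."""
    procs = {e["pid"]: e for e in events if e["type"] == "process" and e["image"].lower() in ARCHIVERS}
    hits = []
    for e in events:
        if e["type"] != "filewrite" or e["pid"] not in procs:
            continue
        path = e["path"].lower()
        indicators = []
        if e["size"] >= large:
            indicators.append("large_write")
        if any(s in path for s in STAGING_DIRS):
            indicators.append("staging_dir")
        # An archiver's output that carries no archive suffix suggests a renamed extension.
        if not path.endswith(ARCHIVE_EXTS):
            indicators.append("renamed_extension")
        if len(indicators) >= 2:   # one indicator alone is common in benign use
            p = procs[e["pid"]]
            hits.append({"host": p["host"], "user": p["user"], "image": p["image"],
                         "path": e["path"], "size": e["size"], "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in find_staging(EVENTS):
        print(hit)
```

Only the 1.45 GB write of q3.dat into C:\Users\Public is reported; the extracted driver.sys trips a single indicator and the nightly backup archive only the size check.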

10. Map Exfiltration Channels (~30m)

Conduct a comprehensive analysis of all outbound data channels used by the attacker. Review proxy logs for HTTP/HTTPS uploads, DNS query logs for DNS-tunneling indicators (high query volume, long subdomain labels, TXT record queries), and firewall logs for direct-IP connections on non-standard ports. Build a complete map of exfiltration infrastructure including destination IPs, domains, and protocols to ensure all channels have been blocked and to support threat-intelligence sharing.
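The three DNS-tunneling indicators named above (query volume, long subdomain labels, TXT queries) can be scored per registered domain from resolver logs. The following is an added example over constructed log lines, not part of the original checklist; the log format, the thresholds, and the two-label stand-in for a public-suffix list are assumptions.

```python
"""Step 10 helper (added example, constructed data): score resolver logs per
registered domain for the tunneling indicators the checklist names: many
queries with unique subdomains, long labels, and a high share of TXT queries.
Log format, thresholds and the two-label domain rule are assumptions."""
from collections import defaultdict

# Constructed resolver log lines: "<client> <qtype> <qname>".  The .invalid TLD is reserved.
DNS_LOG = """\
10.0.5.21 A www.example.com
10.0.5.21 TXT a9f3c2e1b7d4a9f3c2e1b7d4a9f3c2e1b7d4a9f3.u.tunnel-test.invalid
10.0.5.21 TXT 4b8e1d0f3a2c4b8e1d0f3a2c4b8e1d0f3a2c4b8e.u.tunnel-test.invalid
10.0.5.21 TXT 7c1a9e5d2b0f7c1a9e5d2b0f7c1a9e5d2b0f7c1a.u.tunnel-test.invalid
10.0.5.21 TXT d2e0b6a8c4f1d2e0b6a8c4f1d2e0b6a8c4f1d2e0.u.tunnel-test.invalid
10.0.7.4 A mail.example.com
10.0.7.4 AAAA www.example.com
"""


def registered_domain(qname):
    """Last two labels; an assumption standing in for a proper public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(log_text, min_queries=3, min_label_len=30, txt_ratio=0.5):
    """Aggregate per registered domain and list the indicators each one trips."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "label_len": 0, "subdomains": set()})
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        d = stats[registered_domain(qname)]
        d["queries"] += 1
        d["txt"] += int(qtype == "TXT")
        d["label_len"] = max(d["label_len"], max(len(label) for label in labels))
        d["subdomains"].add(qname)
    report = {}
    for domain, d in stats.items():
        indicators = []
        # Volume is only suspicious when every query carries a never-repeated subdomain.
        if d["queries"] >= min_queries and len(d["subdomains"]) == d["queries"]:
            indicators.append("high_volume_unique_subdomains")
        if d["label_len"] >= min_label_len:
            indicators.append("long_label")
        if d["txt"] / d["queries"] >= txt_ratio:
            indicators.append("txt_heavy")
        report[domain] = {"queries": d["queries"], "indicators": indicators}
    return report


def suspicious_domains(log_text):
    """Domains tripping at least two indicators warrant analyst review."""
    return sorted(dom for dom, r in score_domains(log_text).items() if len(r["indicators"]) >= 2)
```

example.com trips nothing (repeated short names, no TXT), while tunnel-test.invalid trips all three indicators and is returned for review.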

11. Determine Data Inventory Impact (Critical, ~30m)

Compile an inventory of all data confirmed or suspected to have been exfiltrated, including file names, data classifications, record counts, and data-subject categories (PII, PHI, financial, intellectual property). This inventory drives regulatory notification timelines under GDPR, HIPAA, state breach-notification laws, and contractual obligations. Work with data owners and legal counsel to classify the business impact and determine notification requirements.

12. Document Chain of Custody (~20m)

Formally document the chain of custody for all forensic evidence collected during the investigation, including memory dumps, disk images, log exports, and email artifacts. Record who collected each piece of evidence, when and how it was collected, hash values, and where it is stored. Proper chain-of-custody documentation is essential for any legal proceedings, regulatory inquiries, or insurance claims that may result from the data-exfiltration incident.