Data exfiltration is the moment an intrusion turns into real damage. An attacker may spend weeks gaining access, escalating privileges, and moving through a network, but none of that costs the victim anything until data actually leaves. In the MITRE ATT&CK framework, exfiltration is its own tactic (TA0010): the set of techniques adversaries use to steal data once they have collected it. Understanding how exfiltration works is essential for both offensive testers, who must prove impact, and defenders, who must stop the data before it walks out the door.
How Exfiltration Works
Exfiltration is rarely a single action. It is usually the final stage of a longer operation. After lateral movement puts the attacker on systems that hold valuable data, the data is collected, then staged in one place, compressed to make it smaller, and encrypted to hide its contents. Only then is it transferred out. This staging step is deliberate: moving one large archive is quieter than copying thousands of files across the network.
The transfer itself almost always rides over a channel the network already trusts. Most often that is the existing command and control connection, but attackers also abuse DNS queries, HTTPS to cloud storage, email, or alternate protocols that egress controls tend to ignore. The goal is always the same: make the theft look like normal traffic.
Common Exfiltration Channels
Attackers choose channels based on what blends in with the target environment:
- Over the C2 channel: reusing the command and control link the attacker already established.
- DNS tunneling: encoding data inside DNS queries, which many networks barely inspect.
- Cloud and web services: uploading to trusted SaaS storage, paste sites, or code repositories.
- Alternate protocols: sending the data over a protocol different from the C2 channel, so that the transfer is not tied to the command and control session if that session is discovered.
A real-world example of how these steps get automated end to end is covered in our analysis of how hackers use AI, where models drive collection and transfer with far less human effort.
Detecting and Stopping Exfiltration
Because exfiltration hides inside trusted traffic, detection depends on knowing what normal looks like. Defenders baseline outbound volume, destinations, and protocol mix, then alert on deviations: a workstation suddenly uploading gigabytes, DNS volume spiking, or connections to a host nobody has talked to before.
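The baseline-and-deviation approach described above, as an added example that is not part of the original page: it builds a per-host baseline of daily outbound bytes, DNS query counts and known destinations from a few days of history, then flags the three deviations named in the paragraph (a sudden volume jump, a DNS spike, a never-before-seen destination). The flow records, host names, destinations and thresholds are all constructed for illustration; a real deployment would read NetFlow, proxy or DNS logs and tune `z` and the minimum-spread guard to its own environment.

```python
"""Baseline-and-deviation detection for outbound traffic (added example).

Flow records, host names and thresholds below are constructed for
illustration, not taken from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    host: str       # internal source host (constructed name)
    dst: str        # destination host (constructed name)
    proto: str      # "https", "dns", "smtp", ...
    bytes_out: int  # bytes sent from host to dst


def _daily_totals(flows):
    """Per-host outbound bytes, DNS query count and destination set for one day."""
    stats = defaultdict(lambda: {"bytes": 0, "dns": 0, "dsts": set()})
    for f in flows:
        s = stats[f.host]
        s["bytes"] += f.bytes_out
        s["dns"] += 1 if f.proto == "dns" else 0
        s["dsts"].add(f.dst)
    return stats


def build_baseline(history):
    """history: list of per-day flow lists. Returns {host: baseline dict}.

    A host absent on a given day counts as 0 bytes / 0 queries for that day,
    so a normally quiet host does not get an inflated mean.
    """
    days = [_daily_totals(flows) for flows in history]
    hosts = set().union(*(d.keys() for d in days))
    baseline = {}
    for h in hosts:
        b = [d[h]["bytes"] if h in d else 0 for d in days]
        q = [d[h]["dns"] if h in d else 0 for d in days]
        dsts = set().union(*(d[h]["dsts"] for d in days if h in d))
        baseline[h] = {"bytes_mean": mean(b), "bytes_sd": pstdev(b),
                       "dns_mean": mean(q), "dns_sd": pstdev(q),
                       "dsts": dsts}
    return baseline


def _threshold(mu, sd, z, min_rel):
    # A perfectly flat baseline (sd == 0) would otherwise fire on any change
    # at all; require at least min_rel * mean of spread before applying z.
    return mu + z * max(sd, min_rel * mu)


def detect(baseline, window, z=3.0, min_rel=0.10):
    """Compare one observation window against the baseline; return alerts.

    Each alert is (host, kind, detail) with kind in
    {"volume", "dns_spike", "new_destination", "no_baseline"}.
    """
    alerts = []
    today = _daily_totals(window)
    for h, s in sorted(today.items()):
        if h not in baseline:
            # No history at all is itself worth a look.
            alerts.append((h, "no_baseline", s["bytes"]))
            continue
        b = baseline[h]
        if s["bytes"] > _threshold(b["bytes_mean"], b["bytes_sd"], z, min_rel):
            alerts.append((h, "volume", s["bytes"]))
        if s["dns"] > _threshold(b["dns_mean"], b["dns_sd"], z, min_rel):
            alerts.append((h, "dns_spike", s["dns"]))
        for dst in sorted(s["dsts"] - b["dsts"]):
            alerts.append((h, "new_destination", dst))
    return alerts


def _day(host, https_dst, https_bytes, dns_queries, resolver="resolver.corp.example"):
    """Constructed flows for one host on one day: one HTTPS session plus DNS lookups."""
    return ([Flow(host, https_dst, "https", https_bytes)]
            + [Flow(host, resolver, "dns", 80) for _ in range(dns_queries)])


# Constructed five-day history: two workstations with steady habits.
HISTORY = [
    _day("ws-01", "sso.corp.example", 20_000_000 + d * 1_000_000, 40)
    + _day("ws-07", "sso.corp.example", 15_000_000 + delta, 50)
    for d, delta in zip(range(1, 6), (0, 1_000_000, -1_000_000, 0, 0))
]

# Constructed observation window: ws-01 unchanged; ws-07 pushes 4 GB to a
# destination it has never contacted and issues thousands of DNS queries.
WINDOW = (
    _day("ws-01", "sso.corp.example", 23_000_000, 40)
    + _day("ws-07", "sso.corp.example", 15_000_000, 3000)
    + [Flow("ws-07", "files.share-example.net", "https", 4_000_000_000)]
)


def run_example():
    return detect(build_baseline(HISTORY), WINDOW)


if __name__ == "__main__":
    for host, kind, detail in run_example():
        print(f"{host:6} {kind:16} {detail}")
```

Running it reports three alerts, all for ws-07 (volume, DNS spike, new destination) and none for ws-01. The `min_rel` guard is the part worth noting: with only a handful of baseline days the standard deviation is often zero, and without a minimum spread the detector would page on every kilobyte of variation.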
The principle for defenders is simple, even if the execution is hard: an intrusion is survivable until the data leaves. Every control that delays or reveals exfiltration buys back the time needed to detect the attacker and cut them off before a compromise becomes a data breach.
How We Teach Data Exfiltration
In our Cybersecurity Bootcamp, you won't just learn about Data Exfiltration in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included