Prevent Data Exfiltration

TL;DR

This guide shows you how to block files and data from leaving a device using built-in tools and common software. We’ll cover USB control, network restrictions, and application whitelisting.

1. Control USB Device Access

USB drives are a common way for data to be stolen. Here’s how to restrict their use:

1. Windows: Group Policy Editor

• Press Win + R, type gpedit.msc and press Enter.
• Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
• Enable the policy “Removable Disks: Deny execute access”. This prevents running files from USB drives.
• Enable the policy “Removable Disks: Deny read access” to completely block reading data. Warning: this will prevent legitimate use too!

macOS: System Preferences

• Go to System Preferences > Security & Privacy > General tab.
• Check the box “Prevent files from being copied to USB drives”.

2. Restrict Network Data Transfer

Control what data can be sent over the network.

1. Firewall Rules

• Configure your firewall to block specific applications from accessing the internet or external networks. This is useful if you know a particular program is being used for exfiltration.
• Example (Windows Firewall): netsh advfirewall firewall add rule name="Block Dropbox" dir=out action=block program="C:Program FilesDropboxDropbox.exe" enable=yes

Network Monitoring Tools

• Use tools like Wireshark to monitor network traffic and identify suspicious activity (large uploads, connections to unknown servers).

3. Application Whitelisting

Only allow approved applications to run. This prevents unauthorized software from transferring data.

1. Windows: AppLocker

• Press Win + R, type secpol.msc and press Enter.
• Navigate to Application Control Policies > AppLocker.
• Create rules for Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules. Define paths to allowed applications.

macOS: Gatekeeper & Third-Party Tools

• Gatekeeper (System Preferences > Security & Privacy) helps prevent unsigned or malicious apps from running.
• Consider third-party application whitelisting software for more granular control.

4. Data Loss Prevention (DLP) Software

More advanced DLP solutions can identify and block sensitive data based on content, not just the application used to transfer it.

• These often require a paid subscription but offer more comprehensive protection.

5. Endpoint Detection and Response (EDR)

EDR tools monitor endpoint activity for malicious behaviour, including data exfiltration attempts. They can automatically block suspicious processes.

• Like DLP, EDR is typically a paid solution.