Data exfiltration attacks

Monitoring network traffic helps security professionals detect, prevent, and respond to attacks. In my experience as a security professional, monitoring for deviations from typical network traffic patterns has yielded big results. Even if information is encrypted, monitoring network traffic is still important for security purposes. Let's discuss how the detection and response process might work in a data exfiltration attack.

First, we'll outline the attacker's perspective. Before attackers can perform data exfiltration, they'll need to gain initial access into a network and computer system. This can be done through a social engineering attack like phishing, which tricks people into disclosing sensitive data. Attackers can send phishing emails with attachments or links that trick their target into entering their credentials. Now, an attacker has successfully gained access to their device.

After gaining their initial position into the system, an attacker won't stop there. The goal for attackers is to maintain access in the environment and avoid being detected for as long as possible. To do this, they'll perform a tactic known as lateral movement, or pivoting. This is when they'll spend time exploring the network with the goal of expanding and maintaining their access to other systems on the network.

As an attacker pivots in the network, they'll scope out the environment to identify valuable assets, such as sensitive data like proprietary code, personally identifiable information like names and addresses, or financial records. They'll do this by searching locations such as network file shares, intranet sites, code repositories, and more.

After the attacker identifies the assets of value, they'll need to collect, package, and prepare the data for exfiltration outside of the organization's network and into the attacker's hands. One way they may do this is by reducing the data size.
This helps attackers hide the stolen data and bypass security controls. Finally, the attacker will exfiltrate the data to their destination of choice. There are many ways to do this. For example, attackers can email the stolen data to themselves using the compromised email account.

Now that you've tapped into the attacker's perspective, let's explore how organizations can defend against this type of attack. First, security teams must prevent attacker access. There are many methods you can use to protect your network from phishing attempts. For example, requiring users to use multi-factor authentication.

Attackers that gain access to a network can remain unnoticed for a while. It's important that security teams monitor network activity to identify any suspicious activity that can indicate a compromise. For example, multiple user logins coming from IP addresses outside of the network should be investigated.

Earlier, you examined how to identify, classify, and protect assets using asset inventories and security controls. As part of an organization's security policy, all assets should be cataloged in an asset inventory. The appropriate security controls should also be applied to protect these assets from unauthorized access.

Lastly, if a data exfiltration attack is successful, security teams must detect and stop the exfiltration. To detect the attack, indicators of unusual data collection can be identified through network monitoring. These include: large internal file transfers, large external uploads, and unexpected file writes. SIEM tools can detect and alert on these activities. Once an alert has been sent out, security teams investigate and stop the attack from continuing. There are many ways to stop an attack like this. For instance, once the unusual activity is identified, you can block the IP addresses associated with the attacker using firewall rules.
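As an added example, not part of the original lesson, here is a small Python script that applies two of the detection signals described above, repeated logins from addresses outside the network and large internal transfers or external uploads, to constructed sample records. The internal address ranges, byte thresholds, and record layouts are assumptions for illustration, not any SIEM's real log format.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address ranges for this example; a real deployment would
# use its own address plan.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


# Constructed sample login events: (user, source address, outcome).
AUTH_EVENTS = [
    ("alice", "10.0.4.21", "success"),
    ("bob", "203.0.113.7", "success"),
    ("bob", "203.0.113.7", "success"),
    ("bob", "198.51.100.9", "success"),
    ("carol", "192.168.1.50", "success"),
    ("dave", "203.0.113.44", "failure"),
]

# Constructed sample flow records: (source, destination, bytes sent).
FLOW_RECORDS = [
    ("10.0.4.21", "10.0.9.5", 120_000_000),      # normal file share traffic
    ("10.0.4.21", "10.0.9.5", 640_000_000),      # large internal transfer
    ("10.0.4.21", "198.51.100.9", 300_000_000),  # upload to external host
    ("10.0.4.21", "198.51.100.9", 450_000_000),  # upload to external host
    ("192.168.1.50", "203.0.113.80", 2_000_000), # small, ordinary upload
]


def external_login_alerts(events, min_count=2):
    """Users with at least min_count successful logins from non-internal addresses."""
    counts = defaultdict(int)
    for user, src, outcome in events:
        if outcome == "success" and not is_internal(src):
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= min_count}


def large_transfer_alerts(flows, internal_threshold=500_000_000,
                          external_threshold=500_000_000):
    """Sum bytes per internal source host and flag large internal transfers
    and large external uploads (thresholds are assumed values)."""
    internal_bytes = defaultdict(int)
    external_bytes = defaultdict(int)
    for src, dst, nbytes in flows:
        if not is_internal(src):
            continue  # only internal hosts can be the source of exfiltration here
        if is_internal(dst):
            internal_bytes[src] += nbytes
        else:
            external_bytes[src] += nbytes
    alerts = []
    for host, total in internal_bytes.items():
        if total >= internal_threshold:
            alerts.append(("large_internal_transfer", host, total))
    for host, total in external_bytes.items():
        if total >= external_threshold:
            alerts.append(("large_external_upload", host, total))
    return sorted(alerts)


if __name__ == "__main__":
    print("External login alerts:", external_login_alerts(AUTH_EVENTS))
    for kind, host, total in large_transfer_alerts(FLOW_RECORDS):
        print(f"{kind}: host {host} moved {total:,} bytes")
```

Both checks aggregate before alerting, which is what makes them useful: a single external login or one moderate upload is ordinary, while the same user logging in repeatedly from outside the network, or one host pushing hundreds of megabytes out in a short window, is the kind of deviation from the baseline the lesson says to investigate. Thresholds should be tuned to the organization's own traffic.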
Data exfiltration attacks are just one of many attacks that can be detected through network monitoring. Coming up, you'll learn how to monitor and analyze network communications using packet sniffers.