Field Guides · During · data-exfil

Data exfiltration suspected

Something looks like it left. Quiet investigation is the discipline. Premature disclosure damages trust if it was wrong. Premature containment tips off the attacker and loses you scope.

live use · L3

Suspected exfiltration is one of the easiest places to make the situation worse. Premature disclosure damages trust if it was wrong. Premature containment tips off the attacker and loses you scope. Quiet investigation is the discipline.

Read the indicator carefully. Many DLP alerts are false. Many third-party tips are bad data. Many “we saw your data on a forum” reports are old, scraped, or recycled. Confirm before you escalate. But do not freeze. Counsel can be briefed on a maybe. Logs can be preserved on a maybe. The clock starts at the indicator, not at the moment you are sure.

Modern exfiltration rarely shows up as a single large transfer. It looks like a service-principal credential created at 03:00, a new OAuth grant with mail-read scope, a source repository clone from a host that has never cloned before, a quiet sequence of cloud-share changes spread over a week. The audit trail is wider than the proxy log.

If it is real, the regulatory clock is already running from the moment you “knew or should have known.” Counsel decides what the clock means. You decide what to put in front of them, fast.

Checklist

0/360/30 critical

Confirm before you escalate

Indicator source identified (DLP alert, third-party tip, dark-web post, anomaly)Critical
Indicator triaged against false-positive patternsCritical
Suspect time window identified to the hour where possibleCritical
Suspected data class identified (customer, employee, source code, financial, regulated)Critical
Legal counsel engaged before any external notificationCritical
Treat the clock as running from the indicator. Counsel decides what the clock means.Critical

Investigate quietly

Investigation conducted in an out-of-band channelCriticalAssume the attacker is reading email and chat. Switch tools.
Logs covering the window preserved or extended (firewall, proxy, EDR, cloud audit, mail)Critical
DLP, CASB, and cloud audit pulled for the windowCritical
Outbound traffic analysed for volume, destination, and time-of-day anomaliesCritical
Cloud-storage sharing changes audited for the windowCritical
USB and removable-media activity checked on relevant endpoints
Privileged account activity reviewed for the windowCritical

Identity and cloud audit

Check OAuth grants and app consents added in the suspect windowCritical
Check API token and service-principal credential creation in the windowCritical
Look for bulk export, mass download, and large share events in cloud and SaaS audit logsCritical
For Microsoft 365, check Graph and EWS query patterns for bulk mail readsCritical
Check CI/CD systems for unusual artifact downloads or registry pullsCritical
Check source repository audit for unusual clone, fork, or download eventsCritical
Inventory third-party SaaS integrations that read from the affected data class

Decision points

Decision: contain now, or observe to learn moreCriticalIf still active, observation may give scope. If imminent harm, contain.
Incident response firm engaged for forensic confirmationCritical
Regulatory disclosure clock identified (GDPR 72h, state laws, sector rules)Critical
Customer notification position drafted but held until confirmation
Cyber insurer notifiedCritical

What actually breaks

The team is not paralysed by uncertainty. The clock starts at the indicator.CriticalMost teams lose hours waiting to be sure before they begin counsel-side work. Counsel can be briefed on a maybe.
No one has disclosed externally on a hunch. Confirmation comes before notification.Critical
Containment has not happened before scope is understood, unless active harm forces itCritical
Internal rumour control is named. The team knows where information goes and where it does not.Critical
The out-of-band channel is genuinely out of band. Not "a different Slack channel."Critical
People who saw the indicator (helpdesk, dev, third party) are managed, not ignored

If confirmed

Final scope documented (records, fields, individuals)Critical
Containment actions executed (revoke access, rotate, block egress, kill integrations)Critical
External communications released on legal-approved timeline
Regulator filings prepared on the legal-approved clockCritical
Handoff to post-incident review and recovery

Accepted operational risks

30 of 30 critical items unchecked.

Every unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it.

Indicator source identified (DLP alert, third-party tip, dark-web post, anomaly)Confirm before you escalate
Indicator triaged against false-positive patternsConfirm before you escalate
Suspect time window identified to the hour where possibleConfirm before you escalate
Suspected data class identified (customer, employee, source code, financial, regulated)Confirm before you escalate
Legal counsel engaged before any external notificationConfirm before you escalate
Treat the clock as running from the indicator. Counsel decides what the clock means.Confirm before you escalate
Investigation conducted in an out-of-band channelInvestigate quietly
Logs covering the window preserved or extended (firewall, proxy, EDR, cloud audit, mail)Investigate quietly
DLP, CASB, and cloud audit pulled for the windowInvestigate quietly
Outbound traffic analysed for volume, destination, and time-of-day anomaliesInvestigate quietly
Cloud-storage sharing changes audited for the windowInvestigate quietly
Privileged account activity reviewed for the windowInvestigate quietly
Check OAuth grants and app consents added in the suspect windowIdentity and cloud audit
Check API token and service-principal credential creation in the windowIdentity and cloud audit
Look for bulk export, mass download, and large share events in cloud and SaaS audit logsIdentity and cloud audit
For Microsoft 365, check Graph and EWS query patterns for bulk mail readsIdentity and cloud audit
Check CI/CD systems for unusual artifact downloads or registry pullsIdentity and cloud audit
Check source repository audit for unusual clone, fork, or download eventsIdentity and cloud audit
Decision: contain now, or observe to learn moreDecision points
Incident response firm engaged for forensic confirmationDecision points
Regulatory disclosure clock identified (GDPR 72h, state laws, sector rules)Decision points
Cyber insurer notifiedDecision points
The team is not paralysed by uncertainty. The clock starts at the indicator.What actually breaks
No one has disclosed externally on a hunch. Confirmation comes before notification.What actually breaks
Containment has not happened before scope is understood, unless active harm forces itWhat actually breaks
Internal rumour control is named. The team knows where information goes and where it does not.What actually breaks
The out-of-band channel is genuinely out of band. Not "a different Slack channel."What actually breaks
Final scope documented (records, fields, individuals)If confirmed
Containment actions executed (revoke access, rotate, block egress, kill integrations)If confirmed
Regulator filings prepared on the legal-approved clockIf confirmed