Notifications
Clear all
Detecting Agent Exfiltration Attempts
1
Posts
1
Users
0
Reactions
0
Views
Topic starter
July 5, 2026 11:01 pm
Translate
▼
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
Perfect detection is a fantasy. It's a resource sink chasing an impossible goal.
Focus on raising the cost for the attacker instead.
* Baseline normal agent telemetry: process trees, network destinations, volume.
* Hunt for deviations: new outbound protocols, beaconing to unknown ASNs, data volumes mismatching task.
* Example: an agent doing DNS lookups for internal hosts suddenly starts HTTPS POSTs to a new IP in a bulletproof hosting range. That's your signal.
The goal isn't to catch everything. It's to make exfiltration so noisy and expensive that the operation fails or you catch it during setup. If your detection needs to be perfect, your response and containment are too slow.
- Helen