IDS-002 (recommended): Data Exfiltration Detection

Network-level data transfer monitoring

Monitors outbound data volume per IP/session; thresholds defined for unusual activity; alerts configured

Question to ask

"Would 10GB leaving your network tonight trigger an alert?"

Verification guide

Severity: Recommended (Critical for big projects)

Unusual outbound data volumes can indicate data exfiltration through API or web endpoints, typically by a single client pulling records or files in bulk. Monitoring should establish what a normal per-IP and per-session volume looks like, detect when a client significantly exceeds it, and alert someone when it does; a dashboard nobody watches does not count.

Check automatically:

  1. Check Cloudflare analytics/alerts (if using Cloudflare):
# Check for Cloudflare notification policies via API
# Requires CLOUDFLARE_API_TOKEN with Account:Read
curl -sX GET "https://api.cloudflare.com/client/v4/accounts/{account_id}/alerting/v3/policies" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" 2>/dev/null | jq '.result[] | {name, alert_type}'

# Check for rate limiting rules
curl -sX GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | select(.phase == "http_ratelimit")'

  2. Check cloud provider flow logs:
# AWS VPC Flow Logs
aws ec2 describe-flow-logs 2>/dev/null | jq '.FlowLogs[] | {FlowLogId, LogDestination, TrafficType}'

# AWS CloudWatch alarms for data transfer
aws cloudwatch describe-alarms --alarm-name-prefix "DataTransfer" 2>/dev/null

# GCP VPC Flow Logs
gcloud compute networks subnets list --format="table(name,enableFlowLogs)" 2>/dev/null

  3. Check application-level response logging:
# Look for response size/bandwidth tracking in code
grep -rE "content-length|response.*size|bandwidth|bytes.*sent|transfer.*size" --include="*.ts" --include="*.js" src/ 2>/dev/null

# Look for custom middleware tracking response sizes
grep -rE "res\.on\('finish'|onFinished|response.*logging" --include="*.ts" --include="*.js" src/ 2>/dev/null

  4. Check for rate limiting with data awareness:
# Look for rate limit configuration
grep -rE "rateLimit|rate-limit|throttle" --include="*.ts" --include="*.js" --include="*.yml" src/ 2>/dev/null

# Check for download-specific limits
grep -rE "download.*limit|export.*limit|bulk.*limit" --include="*.ts" --include="*.js" src/ 2>/dev/null

  5. Check APM/monitoring tools for bandwidth metrics:
# Datadog, New Relic, etc. config
grep -rE "datadog|newrelic|apm" --include="*.ts" --include="*.js" --include="*.yml" src/ 2>/dev/null

# Look for custom metrics
grep -rE "metrics\.increment|statsd|prometheus.*bytes" --include="*.ts" --include="*.js" src/ 2>/dev/null

Ask user:

  • "Do you monitor outbound data transfer per IP/session?"
  • "What thresholds would indicate abnormal download activity?"
  • "Who gets alerted if unusual data transfer is detected?"

Thresholds to consider (project-specific; tune them against a baseline of real traffic so that legitimate bulk consumers such as backup jobs, sync clients or partner integrations do not page the team every night):

  • Single IP downloading >100MB in 1 hour
  • Single session downloading >1000 records
  • Sudden spike in bandwidth from one source
  • After-hours bulk downloads

Cross-reference with:

  • IDS-001 (general IDS - may include this capability)
  • SEC-001 (Cloudflare setup)
  • MON-003 (HTTP logging from section 12)

Pass criteria:

  • Some mechanism monitors outbound data volume per IP/session
  • Thresholds defined for what constitutes "unusual"
  • Alerts configured to notify team when thresholds exceeded

Fail criteria:

  • No visibility into data transfer patterns
  • Thresholds not defined ("we'd notice manually")
  • Monitoring exists but no alerting

Evidence to capture:

  • Monitoring mechanism (CDN analytics, flow logs, APM, custom)
  • Thresholds configured
  • Alert destinations
  • Example of recent alert (if available)

Section

25. Intrusion Detection

Data Management