The exfiltration landscape

Exfiltration detection used to be straightforward: look for data going to unusual destinations over unusual protocols. That heuristic is no longer reliable. Modern exfiltration uses destinations and protocols the organisation already trusts: its own cloud storage, collaboration platforms, backup pipelines, and SaaS APIs.

The challenge for defenders is not identifying malicious traffic. It is identifying malicious behaviour within traffic that looks entirely normal.