The MITRE ATT&CK Framework: Exfiltration
Once an attacker has established access and pivoted around to the point of gathering the necessary data, they will work on exfiltration of that data. Not all malware will reach this stage.
Ransomware, for example, usually has no interest in exfiltrating data. As with the Collection tactic, there’s little guidance on how to mitigate an attacker exfiltrating data from the enterprise.
In cases where data is being exfiltrated over the network, having a network intrusion detection or prevention system in place can help identify when data is being transferred. Especially in the case when attackers are stealing large amounts of data, such as a customer database. Even open source tools such as Bro IDS are a great alternative if budget for a commercial solution is not feasible.