{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,23]],"date-time":"2026-01-23T08:01:06Z","timestamp":1769155266614,"version":"3.49.0"},"reference-count":45,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,10,20]],"date-time":"2023-10-20T00:00:00Z","timestamp":1697760000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,12,31]]},"abstract":"<jats:p>Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence, the early detection and prevention of data exfiltration is one of today\u2019s major challenges of institutions connected to the Internet. If attempts to illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step as well. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in cyber threat intelligence, an automatic procedure on the base of the MITRE Adversarial Tactics, Techniques Common Knowledge (ATT&amp;CK) framework for deriving current threats with respect to data exfiltration is presented in the first place. In the spirit of the Digital Threats: Research and Practice (DTRAP) forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step, we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&amp;CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.<\/jats:p>","DOI":"10.1145\/3568993","type":"journal-article","created":{"date-parts":[[2022,10,29]],"date-time":"2022-10-29T11:03:48Z","timestamp":1667041428000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["Threat-Based Simulation of Data Exfiltration Toward Mitigating Multiple Ransomware Extortions"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5789-8558","authenticated-orcid":false,"given":"Michael","family":"Mundt","sequence":"first","affiliation":[{"name":"Universit\u00e4t der Bundeswehr M\u00fcnchen"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9254-6398","authenticated-orcid":false,"given":"Harald","family":"Baier","sequence":"additional","affiliation":[{"name":"Universit\u00e4t der Bundeswehr M\u00fcnchen"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,10,20]]},"reference":[{"key":"e_1_3_4_2_2","doi-asserted-by":"crossref","unstructured":"Muna Al-Hawawreh Elena Sitnikova and Neda Aboutorab. 2021. Asynchronous peer-to-peer federated capability-based targeted ransomware detection model for Industrial IoT. IEEE Access 9 (2021) 148738\u2013148755. https:\/\/ieeexplore.ieee.org\/abstract\/document\/9597509.","DOI":"10.1109\/ACCESS.2021.3124634"},{"key":"e_1_3_4_3_2","volume-title":"Cyber Threat Intelligence","year":"2018","unstructured":"Ali Dehghantanha, Mauro Conti, and Tooska Dargahi (Eds.). 2018. Cyber Threat Intelligence. Springer, Cham, Switzerland."},{"key":"e_1_3_4_4_2","doi-asserted-by":"crossref","unstructured":"Faheem Ullah Matthew Edwards Rajiv Ramdhany Ruzanna Chitchyan M. Ali Babar and Awais Rashid. 2018. Data exfiltration: A review of external attack vectors and countermeasures. Journal of Network and Computer Applications 101 (2018) 18\u201354. https:\/\/eprints.lancs.ac.uk\/id\/eprint\/88549\/1\/1_s2.0_S1084804517303569_main.pdf.","DOI":"10.1016\/j.jnca.2017.10.016"},{"key":"e_1_3_4_5_2","doi-asserted-by":"crossref","unstructured":"Michael Mundt and Harald Baier. 2021. Towards mitigation of data exfiltration techniques using the MITRE ATT&CK framework. In Digital Forensics and Cyber Crime . Lecture Notes of the Institute for Computer Sciences Social Informatics and Telecommunications Engineering Vol. 441. Springer 139\u2013158. https:\/\/link.springer.com\/chapter\/10.1007\/978-3-031-06365-7_9.","DOI":"10.1007\/978-3-031-06365-7_9"},{"key":"e_1_3_4_6_2","unstructured":"Philippe Biondi and the Scapy Community. 2021. Scapy: Packet Crafting for Python2 and Python3. Retrieved November 7 2022 from https:\/\/scapy.net\/."},{"key":"e_1_3_4_7_2","unstructured":"Philippe Biondi and the Scapy Community. 2021. Scapy Documentation. Retrieved November 7 2022 from https:\/\/scapy.readthedocs.io\/_\/downloads\/en\/latest\/pdf\/."},{"key":"e_1_3_4_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3439873"},{"key":"e_1_3_4_9_2","unstructured":"BSIMM Community. 2021. Building Security in Maturity Model (BSIMM): Online Community. Retrieved November 7 2022 from https:\/\/www.bsimm.com\/."},{"key":"e_1_3_4_10_2","unstructured":"Open Source Community. 2021. Apache Airflow. Retrieved November 7 2022 from https:\/\/airflow.apache.org\/."},{"key":"e_1_3_4_11_2","unstructured":"MITRE Corporation. 2021. Adversary Emulation Plans. Retrieved November 7 2022 from https:\/\/attack.mitre.org\/resources\/adversary-emulation-plans\/."},{"key":"e_1_3_4_12_2","unstructured":"MITRE Corporation. 2021. MITRE ATT&CK Scripts. Retrieved November 7 2022 from https:\/\/github.com\/mitre-attack\/attack-scripts\/tree\/master\/scripts."},{"key":"e_1_3_4_13_2","unstructured":"MITRE Corporation. 2021. MITRE Cyber Analytics Repository. Retrieved November 7 2022 from https:\/\/car.mitre.org\/."},{"key":"e_1_3_4_14_2","unstructured":"MITRE Corporation. 2021. mitreattack-python. Retrieved November 7 2022 from https:\/\/github.com\/mitre-attack\/mitreattack-python."},{"key":"e_1_3_4_15_2","unstructured":"Dianna Leddy Darktrace Blog. 2021. Double Extortion: Ransomware. Retrieved November 7 2022 from https:\/\/www.darktrace.com\/de\/blog\/double-extortion-ransomware\/?utm_source=xing&utm_medium=static-awareness-de&utm_campaign=campaign_socialmedia&dclid=CMnvw4O-2vICFdJD4AodzLAPWw."},{"key":"e_1_3_4_16_2","volume-title":"Handbook of Big Data Privacy","author":"Dehghantanha Kim-Kwang, Raymond Choo, and Ali","year":"2020","unstructured":"Kim-Kwang, Raymond Choo, and Ali Dehghantanha. 2020. Handbook of Big Data Privacy. Springer, Cham, Switzerland."},{"key":"e_1_3_4_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966916"},{"key":"e_1_3_4_18_2","unstructured":"Eric M. Hutchins Michael J. Cloppert and Rohan M. Amin. 2015. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Retrieved November 7 2022 from https:\/\/www.lockheedmartin.com\/content\/dam\/lockheed-martin\/rms\/documents\/cyber\/LM-White-Paper-Intel-Driven-Defense.pdf."},{"key":"e_1_3_4_19_2","unstructured":"Organization for the Advancement of Structured Information Standards (OASIS). 2020. OASIS TC Open Repository: Python APIs for STIX 2. Retrieved November 7 2022 from https:\/\/github.com\/oasis-open\/cti-python-stix2."},{"key":"e_1_3_4_20_2","unstructured":"Bundesamt f\u00fcr Sicherheit in der Informationstechnik. 2020. Die Lage der IT-Sicherheit in Deutschland. Retrieved November 7 2022 from https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/Lageberichte\/Lagebericht2020.pdf?__blob=publicationFile&v=2."},{"key":"e_1_3_4_21_2","unstructured":"Bundesamt f\u00fcr Sicherheit in der Informationstechnik. 2021. BSI TR-02102 Kryptographische Verfahren: Empfehlungen und Schl\u00fcssell\u00e4ngen. Retrieved November 7 2022 from https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/Technische-Richtlinien\/TR-nach-Thema-sortiert\/tr02102\/tr02102_node.html."},{"key":"e_1_3_4_22_2","unstructured":"Anaconda Inc.2021. Anaconda: Data Science Technology for Human Sensemaking. Retrieved November 7 2022 from https:\/\/www.anaconda.com\/."},{"key":"e_1_3_4_23_2","unstructured":"Esri Inc.2021. ArcGIS Insights: Standortanalysesoftware als Self-Service. Retrieved November 7 2022 from https:\/\/www.esri.com\/de-de\/arcgis\/products\/arcgis-insights\/overview."},{"key":"e_1_3_4_24_2","unstructured":"CYBERResilienz IT-OT-OK. 2022. Informationsblatt Resilienzanalyse mit securiCAD. Retrieved November 7 2022 from https:\/\/cyberesilienz.de\/wp-content\/uploads\/2020\/11\/20201102-Infoblatt-securiCAD-v0.2.pdf."},{"key":"e_1_3_4_25_2","doi-asserted-by":"crossref","unstructured":"Rudra P. Baksi and Shambhu J. Upadhyaya. 2021.Decepticon: A theoretical framework to counter advanced persistent threats. Information Systems Frontiers 23 (2021) 897\u2013913. https:\/\/link.springer.com\/content\/pdf\/10.1007%2Fs10796-020-10087-4.pdf.","DOI":"10.1007\/s10796-020-10087-4"},{"key":"e_1_3_4_26_2","doi-asserted-by":"crossref","unstructured":"Andrew Jenkinson. 2022. Ransomware and Cybercrime. Retrieved November 7 2022 from https:\/\/www.taylorfrancis.com\/books\/mono\/10.1201\/9781003278214\/ransomware-cybercrime-andrew-jenkinson.","DOI":"10.1201\/9781003278214-2"},{"key":"e_1_3_4_27_2","unstructured":"KimiNewt. 2021. PyShark: - Python Wrapper for TShark Allowing Python Packet Parsing Using Wireshark Dissectors. Retrieved November 7 2022 from https:\/\/github.com\/KimiNewt\/pyshark."},{"key":"e_1_3_4_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/1413140.1413159"},{"key":"e_1_3_4_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475786"},{"key":"e_1_3_4_30_2","article-title":"Multiple-extortion ransomware: The case for active cyber threat intelligence","author":"Mienie B. Payne and E.","unstructured":"B. Payne and E. Mienie. 2021. Multiple-extortion ransomware: The case for active cyber threat intelligence. In Proceedings of the 2021 20th European Conference on Cyber Warfare and Security (ECCWS\u201921).","journal-title":"Proceedings of the 2021 20th European Conference on Cyber Warfare and Security (ECCWS\u201921)."},{"key":"e_1_3_4_31_2","doi-asserted-by":"crossref","unstructured":"Natialia Miloslavskaya. 2020. Stream data analytics for network attacks prediction. Procedia Computer Science 169 (2020) 57\u201362. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S1877050920302374.","DOI":"10.1016\/j.procs.2020.02.114"},{"key":"e_1_3_4_32_2","unstructured":"Vinodini Salvi and Prasad Bapat. 2015. Mode of data flow in the OSI model. International Journal of Innovations in Engineering Research and Technology 2 3 (2015)."},{"key":"e_1_3_4_33_2","unstructured":"MITRE. 2021. ATT&CK Version 9.0. The Cyber Threat Intelligence Repository of MITRE ATTCK and CAPED Catalogs Expressed in STIX 2.0 JSON. Retrieved November 7 2022 from https:\/\/github.com\/mitre\/cti."},{"key":"e_1_3_4_34_2","unstructured":"MITRE. 2021. MITRE ATT&CK Framework. Retrieved November 7 2022 from https:\/\/attack.mitre.org\/."},{"key":"e_1_3_4_35_2","unstructured":"PR Newswire. 2021. Global XDR (Extended Detection and Response) Market Report 2021: Vendors and End-Users Need to See Beyond Marketing Claims. Retrieved November 7 2022 from https:\/\/eds.s.ebscohost.com\/eds\/detail\/detail?vid=26&sid=6bcfe3cb-db80-41c0-bcbf-6921d11a202d%40redis&bdata=Jmxhbmc9ZGUmc2l0ZT1lZHMtbGl2ZQ%3d%3d#AN=202108111030PR.NEWS.USPR.IO71820&db=bwh."},{"key":"e_1_3_4_36_2","article-title":"Ransomware: Stages, detection and evasion","author":"Ngah Yus Kamalrul Bin Mohamed Yunus and Syahrulanuar Bin","unstructured":"Yus Kamalrul Bin Mohamed Yunus and Syahrulanuar Bin Ngah. 2021. Ransomware: Stages, detection and evasion. In Proceedings of the International Conference on Software Engineering and Computer Systems and the 4th International Conference on Computational Science and Information Management (ICSECS-ICOCSIM\u201921).https:\/\/ieeexplore.ieee.org\/abstract\/document\/9537079.","journal-title":"Proceedings of the International Conference on Software Engineering and Computer Systems and the 4th International Conference on Computational Science and Information Management (ICSECS-ICOCSIM\u201921)."},{"key":"e_1_3_4_37_2","doi-asserted-by":"publisher","DOI":"10.5555\/3299514"},{"key":"e_1_3_4_38_2","unstructured":"GitHub. 2016. DET (Extensible) Data Exfiltration Toolkit. Retrieved November 7 2022 from https:\/\/github.com\/sensepost\/DET."},{"key":"e_1_3_4_39_2","unstructured":"Internet Engineering Task Force (IETF) and J. Postel. 1981. Request for Comment (RFC) 792: Internet Control Message Protocol. Retrieved November 7 2022 from https:\/\/tools.ietf.org\/html\/rfc792."},{"key":"e_1_3_4_40_2","unstructured":"Mayra Fuentes Feike Hacquebord Stephen Hilt Ian Kenefick Vladimir Kropotov Robert McArdle Fernando Merc\u00eas and David Sancho. 2021. Modern ransomware\u2019s double extortion tactics and how to protect enterprises against them. Retrieved November 7 2022 from https:\/\/edu.anarcho-copy.org\/Against%20Security%20&%20%20Self%20Security\/wp-modern-ransomwares-double-extortion-tactics.pdf."},{"key":"e_1_3_4_41_2","volume-title":"Python Network Programming","author":"Sarker Abhishek Ratan, Eric Chou, Pradeeban Kathiravelu, and M. O. Faruque","year":"2019","unstructured":"Abhishek Ratan, Eric Chou, Pradeeban Kathiravelu, and M. O. Faruque Sarker. 2019. Python Network Programming."},{"key":"e_1_3_4_42_2","unstructured":"Swimlane. 2021. pyattck 4.0.3. Retrieved November 7 2022 from https:\/\/pypi.org\/project\/pyattck\/."},{"key":"e_1_3_4_43_2","unstructured":"Blake E. Strom Andy Applebaum Doug P. Miller Kathryn C. Nickels Adam G. Pennington and Cody B. Thomas. 2020. MITRE ATT&CK: Design and Philosophy . MITRE Corporation. https:\/\/attack.mitre.org\/docs\/ATTACK_Design_and_Philosophy_March_2020.pdf."},{"key":"e_1_3_4_44_2","unstructured":"tisf. 2020. PyExfil 1.10.4: A Python Package for Data Exfiltration. Retrieved November 7 2022 from https:\/\/pypi.org\/project\/PyExfil\/."},{"key":"e_1_3_4_45_2","unstructured":"Blake E. Strom Joseph A. Battaglia Michael S. Kemmerer William Kupersanin Douglas P. Miller Craig Wampler Sean M. Whitley and Ross D. Wolf. [n.d.]. Finding Cyber Threats with ATT&CK\u2122-Based Analytics. Retrieved November 7 2022 from https:\/\/www.mitre.org\/sites\/default\/files\/publications\/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf."},{"key":"e_1_3_4_46_2","article-title":"A representation of business oriented cyber threat intelligence and the objects assembly","author":"2020 Yuanchen Xu, Yingjie Yang, and Ying He.","unstructured":"Yuanchen Xu, Yingjie Yang, and Ying He. 2020. A representation of business oriented cyber threat intelligence and the objects assembly. In Proceedings of the IEEE 10th International Conference on Information Science and Technology (ICIST\u201920).https:\/\/ieeexplore.ieee.org\/stamp\/stamp.jsp?tp=&arnumber=7795373.","journal-title":"Proceedings of the IEEE 10th International Conference on Information Science and Technology (ICIST\u201920)."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3568993","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3568993","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:00:03Z","timestamp":1750186803000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3568993"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,20]]},"references-count":45,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,12,31]]}},"alternative-id":["10.1145\/3568993"],"URL":"https:\/\/doi.org\/10.1145\/3568993","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,20]]},"assertion":[{"value":"2021-11-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-10-13","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}