
How to Prevent Attackers from Stealing Data in Plain Sight

This guest blog was contributed by Dr. Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs



Data exfiltration remains the easiest stage of the attack chain: organizations block only 3% of attempts. That weakness gives attackers an almost unfettered path to stealing sensitive data. Ransomware groups no longer need to rely on file encryption. Their ability to quietly steal data and threaten its exposure powers most ransomware operations. They understand that if customer records, trade secrets, or regulated data are exposed, the reputational, legal, and financial repercussions will outweigh any damage associated with encrypting that data.


Why cyber defenses are failing


Attacker activity has increased while defenses against exfiltration have greatly diminished. Infostealer campaigns are up 300%, and ransomware groups are developing double and triple extortion models. The combination of an increase in attacks and a decrease in defenses is widening the gap.


Attackers often succeed because many environments don’t monitor outbound flows in any meaningful way. They exploit common channels such as HTTPS or DNS, stage files using built-in system tools, or compress the data to hide that exfiltration is taking place. Without advanced analytics, very few of the resulting log events generate alerts suggesting that active theft is happening, because the actions look like accepted behavior.


The other reason for failure is cultural. Security teams prioritize perimeter defenses and initial access prevention, while internal and outbound controls remain less tuned and validated. Organizations assume they’re protected based on the presence of controls in the stack. But without testing, they can’t be certain that those controls work against modern attack techniques.


The limits of backup-centric thinking


Backup and recovery strategies remain important, but they no longer reduce the impact of a ransomware campaign. When adversaries focus on data theft, the real question becomes whether defenders can stop the information from leaving. A system rebuild or cloud snapshot can’t undo the exposure of sensitive records. Ransomware groups exploit this blind spot, applying public pressure long after technical recovery is complete.


This reliance on recovery also creates a false sense of preparedness. Leaders may believe they’re resilient because they can restore operations, but they remain exposed to the reputational damage and regulatory fallout from stolen information.


Where blind spots occur


Several recurring weaknesses explain why exfiltration defenses fail. Data loss prevention (DLP) rules are often outdated or insufficiently validated. Outbound traffic monitoring lacks depth, especially across encrypted channels and cloud services. Behavioral detection remains underdeveloped, allowing staging and compression activities to pass as normal behavior.


Too many defenses fail because they’re never tested through realistic scenarios. Controls may be in place, but few teams run simulations to confirm whether those controls actually block or alert on an attempt. Without that feedback loop, defenses quietly lose effectiveness until a real incident exposes them.


Strengthening the defense


Security teams should baseline normal outbound traffic patterns and validate their ability to detect anomalies. DLP policies must be reviewed and tested regularly against common attacker methods. Behavioral analytics should be expanded to detect subtler signs such as compression, encoding, or unusual staging of sensitive files.
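As an added illustration of the baselining and behavioral-detection points above (example code written for this post, not Picus Security’s product or the author’s own tooling), the following Python flags two of the signals named here over constructed sample telemetry: a host whose outbound HTTPS volume departs sharply from its own baseline, and a DNS query whose leftmost label is long and high-entropy, as encoded data tunneled over DNS tends to be. Host names, destinations, thresholds and all records are assumptions for the demo.

```python
import math
from collections import defaultdict

# Constructed outbound flow records (host, dst_port, bytes_out); not real telemetry.
# The baseline window represents a host's usual outbound volume per connection.
BASELINE_FLOWS = [
    ("ws-01", 443, 40_000), ("ws-01", 443, 55_000), ("ws-01", 443, 48_000), ("ws-01", 443, 60_000),
    ("ws-02", 443, 12_000), ("ws-02", 443, 9_000), ("ws-02", 443, 15_000), ("ws-02", 443, 11_000),
]
WINDOW_FLOWS = [
    ("ws-01", 443, 51_000),      # consistent with ws-01's baseline
    ("ws-02", 443, 2_400_000),   # roughly 200x ws-02's usual volume over HTTPS
]
# Constructed DNS query names: one ordinary lookup and one whose leftmost label
# looks like encoded file content packed into a subdomain.
DNS_QUERIES = [
    ("ws-01", "www.example.com"),
    ("ws-02", "5a8f3b9c2e1d7a4f6b0c9e8d7f6a5b4c3d2e1f0a9b8c7d6e.data.example.net"),
]

def baseline(flows):
    """Per-host mean and standard deviation of bytes_out over the baseline window."""
    by_host = defaultdict(list)
    for host, _port, bytes_out in flows:
        by_host[host].append(bytes_out)
    stats = {}
    for host, values in by_host.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        stats[host] = (mean, math.sqrt(var))
    return stats

def volume_anomalies(flows, stats, z=4.0):
    """Flag flows that exceed the host's baseline mean by more than z standard deviations.
    Hosts with no baseline are skipped here; in production they need their own handling."""
    alerts = []
    for host, port, bytes_out in flows:
        mean, sd = stats.get(host, (0.0, 0.0))
        if sd > 0 and (bytes_out - mean) / sd > z:
            alerts.append((host, port, bytes_out))
    return alerts

def label_entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dns_encoding_suspects(queries, min_len=30, min_entropy=3.5):
    """Flag query names whose leftmost label is both long and high-entropy."""
    return [(host, qname) for host, qname in queries
            if len(qname.split(".")[0]) >= min_len
            and label_entropy(qname.split(".")[0]) >= min_entropy]
```

Thresholds such as z=4.0 and min_entropy=3.5 are starting points to tune against your own baseline, and a BAS run that pushes a known volume over each channel is a direct way to confirm these rules fire.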


Breach and attack simulation (BAS) provides a practical way to validate these defenses continuously. Attack methodologies evolve rapidly, and configuration drift, updates, or integration failures may weaken controls that once seemed effective. By simulating exfiltration attempts, organizations can confirm that defenses perform as expected and that alerts reach analysts in time.


Strong detection engineering turns raw telemetry into intelligence that defenders can act on. Comprehensive logging, fine-tuned correlation rules, and actionable alerts give teams the context to respond quickly. Turning data into meaningful intelligence can determine whether theft is stopped in minutes or discovered months later.


Organizations can only show progress through measurable outcomes, and BAS makes that possible in a repeatable way. Teams can document the percentage of simulated theft attempts that triggered alerts, how long it took to block outbound transfers, and the ratio of raw log volume to high-fidelity alerts. These indicators demonstrate whether defenses are improving and assure leadership that resources are being used effectively.


A new priority for 2025


Unchecked data theft has become the next phase in ransomware. Attackers now rely on a steady pipeline of stolen data to cause damage. Organizations that treat exfiltration as inevitable, validate their defenses continuously, and measure progress through outcomes will reclaim ground. Those that don’t will remain vulnerable to attackers stealing data in plain sight.



Dr. Süleyman Özarslan is a co-founder of Picus Security and VP of Picus Labs, where he has significantly shaped the landscape of attack simulation and security validation. He received a Ph.D. in information systems in 2002, and since then Dr. Özarslan has enriched the field of cybersecurity with numerous academic papers, blogs, research reports, and whitepapers. Fueled by a strong enthusiasm for innovation and a lasting passion for fostering a proactive security culture, he’s turning hackers’ tricks into teachable moments.
