Who Was the First to Use the Term Exfiltration in Cybersecurity?

Cybersecurity professionals often use the word exfiltration to refer to the process of data leaving the compromised network. When did this term first appear in our field and where did it originate? And how likely are non-security geeks understand it?

Data Exfiltration with the SEC

The first time I saw the cybersecurity version of the word exfiltration on a document meant for non-technical readers was Verisign's 2010 data breach in a 2011 SEC filing which stated, “Information stored on the compromised corporate systems was exfiltrated.”

Verisign wasn't the first company to introduce the term exfiltration into SEC documentation in the information security context. As far as I can tell, the first mention can be attributed to SRA International. SRA’s May 11, 2009, 10-Q statement mentions several malware infections identified by the company’s IT and security staff. It continues:

"While we have not determined that specific information was exfiltrated, our forensic analysts suggest that the virus was designed for this purpose and, based on indirect evidence found, there is the possibility that data was compromised."

Origins of the Term Exfiltration

The Oxford English Dictionary defines exfiltrate as:

Withdrawing “(troops, spies, etc.) from a dangerous position.”

It also refers to exfiltration as the “action or process of filtering out” and points to a geological book published in 1866 by P. H. Lawrence. In it, the author states:

"The opal is a product of exfiltration from the rock in or near which it occurs."

Exfiltration in Cybersecurity

The first mention of the term in the context of cybersecurity that I could find dates to the unclassified NSA paper published in 2002 and titled Microsoft Office 2000 Executable Content Security Risks and Countermeasures. It explains:

"Customizations with VBA or ActiveX provide a powerful programming capability within Office applications. An attacker can write a wide range of attacks from altering system settings and exfiltrating information to dangerous denial of service attacks such as deleting all files on a hard drive."

Do you know of earlier uses of the term exfiltration in cybersecurity scenarios such as data breaches? I’m curious.

Updated December 30, 2018
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more