Who Was the First to Use the Term Exfiltration in Cybersecurity?

Cybersecurity professionals often use the word exfiltration to refer to the process of data leaving the compromised network. When did this term first appear in our field and where did it originate? And how likely are non-security geeks understand it?

Data Exfiltration with the SEC

The first time I saw the cybersecurity version of the word exfiltration on a document meant for non-technical readers was Verisign’s 2010 data breach in a 2011 SEC filing which stated, “Information stored on the compromised corporate systems was exfiltrated.”

Verisign wasn’t the first company to introduce the term exfiltration into SEC documentation in the information security context. As far as I can tell, the first mention can be attributed to SRA International. SRA’s May 11, 2009, 10-Q statement mentions several malware infections identified by the company’s IT and security staff. It continues:

“While we have not determined that specific information was exfiltrated, our forensic analysts suggest that the virus was designed for this purpose and, based on indirect evidence found, there is the possibility that data was compromised.”

Origins of the Term Exfiltration

The Oxford English Dictionary defines exfiltrate as:

Withdrawing “(troops, spies, etc.) from a dangerous position.”

It also refers to exfiltration as the “action or process of filtering out” and points to a geological book published in 1866 by P. H. Lawrence. In it, the author states:

“The opal is a product of exfiltration from the rock in or near which it occurs.”

Exfiltration in Cybersecurity

The first mention of the term in the context of cybersecurity that I could find dates to the unclassified NSA paper published in 2002 and titled Microsoft Office 2000 Executable Content Security Risks and Countermeasures. It explains:

“Customizations with VBA or ActiveX provide a powerful programming capability within Office applications. An attacker can write a wide range of attacks from altering system settings and exfiltrating information to dangerous denial of service attacks such as deleting all files on a hard drive.”

Do you know of earlier uses of the term exfiltration in cybersecurity scenarios such as data breaches? I’m curious.

Updated

About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more