NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-4(18) — Analyze Traffic and Covert Exfiltration
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.
Practitioner Notes
Monitor for covert exfiltration — attackers using hidden channels like DNS tunneling, steganography, or encrypted tunnels to sneak data out of your network.
Example 1: Monitor DNS query logs for signs of DNS tunneling: unusually long domain names, high volume of TXT record queries to a single domain, or domains with high entropy in their subdomains. Configure your SIEM to alert on these patterns.
Example 2: Use a network DLP solution that inspects outbound traffic for sensitive data patterns, even in unusual protocols. Look for CUI data patterns in HTTP headers, ICMP payloads, or DNS queries that should not normally contain sensitive data.
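A small detector for the DNS tunneling indicators in Example 1, added here as an illustration and not part of the NIST text or of any product: it scores constructed query-log lines on name length, subdomain entropy and TXT volume per registered domain. The thresholds, the log line layout and the naive two-label registered-domain split are assumptions to tune for your environment.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log lines: timestamp client qtype qname (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 TXT 4f6a2c9e8b1d7a3f5c0e2b9d8a7f6e5c4d3b2a1f.tun.example.net
2024-05-01T10:00:03Z 10.0.0.5 TXT 9c3e1b7d5f2a8e6c4b0d2f1a9e8c7b6d5a4f3e2c.tun.example.net
2024-05-01T10:00:04Z 10.0.0.7 A mail.example.org
2024-05-01T10:00:05Z 10.0.0.5 TXT 1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e.tun.example.net
2024-05-01T10:00:06Z 10.0.0.9 TXT _dmarc.example.org
"""

# Assumed thresholds; baseline them against your own resolver logs before alerting.
MAX_QNAME_LEN = 50        # flag query names longer than this many characters
MIN_ENTROPY = 3.5         # bits per character over the subdomain labels
MAX_TXT_PER_DOMAIN = 2    # TXT queries to one registered domain within the log window

def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    # Naive: last two labels. Use a public-suffix list in real deployments.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain_part(qname):
    # Everything left of the registered domain, concatenated for entropy scoring.
    return "".join(qname.rstrip(".").split(".")[:-2])

def analyze(log_text):
    """Return per-query alerts (client, qname, reasons) plus per-domain TXT-volume alerts."""
    alerts = []
    txt_counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qtype, qname = fields
        reasons = []
        if len(qname) > MAX_QNAME_LEN:
            reasons.append("long_qname")
        if shannon_entropy(subdomain_part(qname)) > MIN_ENTROPY:
            reasons.append("high_entropy")
        if qtype == "TXT":
            txt_counts[registered_domain(qname)] += 1
        if reasons:
            alerts.append((client, qname, reasons))
    for dom, n in txt_counts.items():
        if n > MAX_TXT_PER_DOMAIN:
            alerts.append(("*", dom, ["txt_volume"]))
    return alerts
```

The three hex-subdomain TXT queries trip both the length and entropy checks, and example.net trips the TXT-volume check, while the legitimate www, mail and _dmarc lookups stay quiet.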