Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.