Michael Mundt¹ and Harald Baier², ¹Esri Deutschland GmbH, Germany, ²Bundeswehr University, Germany

The risk of data theft has increased significantly over the past years. As a consequence, overwhelming damage is caused to institutions and private persons, respectively. Even the widespread ISO standard 27001 was updated recently in October 2022 to integrate data exfiltration aspects. Corresponding new security controls have been introduced. In this paper we review the ISO 27001:2022 with respect to data exfiltration and come up with recommendations on how recently integrated ISO 27001:2022 controls can be used in an operational environment. Based on that, we introduce and demonstrate the effectiveness of a proactive and dynamic concept by integrating a simulation cycle into the Information Security Management System (ISMS) and using cyber threat intelligence to provide us with information about current threats. We provide a prototype for the threat simulation cycle based on a smart combination of established and widely accepted cyber defence tools. Within our evaluation we show the feasibility of our targeted and dynamically configurable simulation of data exfiltration threats and thus support to thwart the actual cyber-attacks in advance. In all we contribute to prevent (or at least make it significantly more difficult) the threat of data exfiltration. Dynamic, threat aware and preventive cyber-defence is our objective, and we provide an updated concept which integrates conclusively into an ISO 27001:2022 compliant ISMS.

ISO 27001:2022 Update, Data Exfiltration, Control 5.7 Threat Intelligence, Threat Simulation