Hackers compromise your network, set up shop and then steal all your data, right? That’s the narrative we all have in our heads, and it seems to be borne out by the headlines. After all, the news these days is all about the Office of Personnel Management – the U.S. Government’s main human resources agency, from which hackers made off with sensitive personnel files on an estimated 18 million federal employees.

But a recent study by the firm Vectra networks suggests that data theft is one of the least common malicious activities observed following a network compromise. The question: is that really true, or are we just looking in the wrong places?

The second annual Vectra Post-Intrusion Report presents the findings of an analysis of 40 compromised networks and 46,000 incidents spread across almost 250,000 hosts. The report found that incidents of data exfiltration were rare – just 3% of threat detections across all industries were characterized as “data exfiltration.” Looked at another way: just half of 1% of infected hosts across all industry verticals exhibited data exfiltration behavior. By comparison, command and control behavior and lateral movement within compromised networks were observed in about 6% of hosts on compromised networks, Vectra reported.

True: in certain industries, the likelihood of data exfiltration being a part of an incident was much higher. 34% of attacks on healthcare organizations and 25% of all attacks on technology firms included data exfiltration as a component of the attack, according to the report. Around 2% of hosts in compromised energy firms exhibited data exfiltration behavior, according to the report.

But incidents of data exfiltration were lower across the board than other categories of malicious activity on compromised networks, such as “lateral movement” between systems. Why?

Seen in a certain light this makes sense: many – even most – malicious cyber incidents aren’t targeted attacks executed with a specific set of data in mind. Many are merely byproducts of cyber criminal campaigns such as spam e-mail or denial of service attacks. Corporate endpoints may end up as part of botnets that are being used for such activities, but that doesn’t mean that the corporation in question or its data is of interest to the malicious actors. That helps explain why botnet command and control activity far outstrips data exfiltration in Vectra’s data.

And measuring the impact of a malicious activity by how many hosts exhibit that behavior is misleading. True: data theft is less frequently detected on compromised networks than other behaviors. But data exfiltration is also a far more costly and worrying activity, suggesting malicious actors have canvassed the target network, identified sensitive (saleable) information and taken steps to ferret it out of the organization. The fact that all those things have happened without IT becoming aware of the behavior doesn’t auger well for the organization in question.

The other possibility, of course, is that data exfiltration is more common than the data suggests, but is being missed by detection tools. The Post-Intrusion Report notes that attackers are hiding stolen data in common network traffic such as HTTP, Secure HTTP (HTTPS) and DNS, not to mention encrypted communications tools like TOR.

But it is also possible that attackers are using as-yet undiscovered avenues to remove data, whether those are so-called “shadow IT” deployments like DropBox or by way of as-yet undetected malware.

There’s at least anecdotal evidence for this. A recent data dump on cyber criminal networks believed to be linked to the Office of Personnel Management, for example, was discovered to be from Unicor, a U.S. Government-owned corporation that manages the use of penal labor for the Federal Bureau of Prisons. The incident in question actually occurred in 2013, when Unicor discovered “unauthorized access to its public Web site.” No public notice of that was made at the time, and it is unclear whether Unicor knew that its data had been stolen.

I note also this report on the Stegoloader Trojan, which uses techniques such as steganography to disguise command and control traffic. Is data exfiltration a rarefied behavior? Certainly. Are organizations missing exfiltration activity? Absolutely.

Paul F. Roberts is the Editor in Chief of The Security Ledger.