Once an attacker has established access and pivoted far enough to gather the data they are after, they will work on exfiltrating it. Not all malware reaches this stage.

Ransomware that only encrypts files in place, for example, has no need to exfiltrate anything (although many current ransomware operators do steal data before encrypting it, to use as extortion leverage). As with the Collection tactic, ATT&CK offers little guidance on how to mitigate an attacker exfiltrating data from the enterprise.

Data Exfiltration

In cases where data is being exfiltrated over the network, a network intrusion detection or prevention system can help identify when data is being transferred, especially when attackers are stealing large amounts of it, such as a customer database, since that shows up as an unusually large outbound flow from a host that normally sends little. Open source tools such as Zeek (formerly Bro IDS) are a solid alternative if the budget for a commercial solution is not available.

Another alternative, which is not called out in ATT&CK, is data loss prevention (DLP) tooling. Although DLP can be expensive and complex to roll out, it inspects content rather than volume, so it can flag or block sensitive data (customer records, source code, credentials) as it leaves the environment even when the transfer is small.

Neither IDS/IPS nor DLP is 100 percent accurate, so deploy a defense-in-depth architecture to ensure your confidential data stays confidential.
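The volume-based detection described above, as an added example that is not part of the original article: this PowerShell script reads a handful of constructed Zeek conn.log records, keeps only flows from internal to external hosts, sums the bytes each internal host sent (orig_bytes), and flags sources above a threshold. The internal prefix 10., the 50 MB threshold and the log lines are all assumptions for illustration; a real conn.log is tab-separated and much wider, and the whitespace split below handles either separator.

```powershell
# Added example (not from the original article): flag internal hosts that
# send an unusually large volume of data to external addresses, using a
# subset of Zeek conn.log fields.
# Assumptions (hypothetical, tune for your network):
#   - internal hosts live in 10.0.0.0/8 (matched here by the crude prefix '10.')
#   - 50 MB per source per log window is the alert threshold
#   - the log records below are constructed, not captured traffic

$Threshold   = 50MB
$InternalNet = '10.'

# Columns kept: ts, id.orig_h, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes
$columns = 'ts','orig_h','resp_h','resp_p','proto','service','duration','orig_bytes','resp_bytes'

$connLog = @'
1700000000.100 10.0.1.15 52.10.20.30  443 tcp ssl  12.5    1843200   65000
1700000010.200 10.0.1.15 52.10.20.30  443 tcp ssl  300.0   62914560  90000
1700000020.300 10.0.1.22 10.0.5.5     445 tcp smb  4.0     20480000  512
1700000030.400 10.0.1.40 203.0.113.9  22  tcp ssh  1800.0  150994944 4096
1700000040.500 10.0.1.51 198.51.100.7 443 tcp ssl  2.0     4096      120000
'@

# Parse each record into an object keyed by column name.
$flows = $connLog -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $fields = $_.Trim() -split '\s+'
    $row = [ordered]@{}
    for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $fields[$i] }
    [pscustomobject]$row
}

# Only internal -> external flows count as potential exfiltration.
# Internal -> internal copies (the SMB transfer above) belong to the
# Collection tactic and are deliberately left out.
$outbound = $flows | Where-Object {
    $_.orig_h.StartsWith($InternalNet) -and -not $_.resp_h.StartsWith($InternalNet)
}

# Aggregate bytes sent per internal source and compare with the threshold.
$report = $outbound | Group-Object orig_h | ForEach-Object {
    $bytesOut = ($_.Group | ForEach-Object { [int64]$_.orig_bytes } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Source       = $_.Name
        BytesOut     = $bytesOut
        Destinations = ($_.Group | Select-Object -ExpandProperty resp_h -Unique) -join ','
        Services     = ($_.Group | Select-Object -ExpandProperty service -Unique) -join ','
        Flagged      = $bytesOut -gt $Threshold
    }
}

$report | Sort-Object BytesOut -Descending | Format-Table -AutoSize

# Surface only the hits, as an IDS alert would.
$report | Where-Object Flagged | ForEach-Object {
    Write-Warning ("Possible exfiltration: {0} sent {1:N0} bytes to {2} over {3}" -f
        $_.Source, $_.BytesOut, $_.Destinations, $_.Services)
}
```

With the constructed records, 10.0.1.15 (two TLS sessions totalling about 62 MB) and 10.0.1.40 (a single 144 MB SSH session) are flagged; the SMB copy from 10.0.1.22 is ignored because it never leaves the internal range. A threshold on raw bytes is the simplest rule and will miss slow, low-volume exfiltration; in practice you would baseline per host and also alert on long-lived sessions to rarely seen destinations.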

Controlling External Drives

If your organization deals with highly sensitive data, limiting access to external drives should be on your radar. Some endpoint tools can control how external drives are used; however, Windows itself makes it quite simple to lock down USB drive access without extra tooling.

Whenever a USB mass-storage device is plugged in for the first time, Windows uses C:\Windows\inf\usbstor.inf and C:\Windows\inf\usbstor.PNF to install the USBSTOR driver that mounts the drive. Denying access to these two files for users who are not permitted to use external drives prevents the driver from being installed for them, and so the drive never mounts. One caveat: this only affects devices whose driver has not yet been installed on that machine, so a drive that was plugged in before the restriction will still mount. For already-known devices, disable the driver instead by setting Start to 4 (Disabled) under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, or use the Removable Storage Access settings under Computer Configuration > Administrative Templates > System in Group Policy, which can also allow read-only access rather than blocking removable drives entirely.
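The lockdown above as an added PowerShell example (not code from the original article): it applies a Deny ACE on the two USBSTOR driver files for a group of restricted users, disables the USBSTOR service for devices that are already known to the machine, and then verifies both changes. The group name NoUSBStorage is a hypothetical placeholder; run the script from an elevated prompt on the host you are hardening.

```powershell
# Added example (not from the original article): block USB mass-storage
# mounting on a Windows host. Run as an administrator.
# Assumption: 'NoUSBStorage' is a hypothetical local or domain group
# containing the users who must not use external drives.
param(
    [string]$DenyGroup = 'NoUSBStorage'
)

$infFiles = @(
    "$env:SystemRoot\inf\usbstor.inf",
    "$env:SystemRoot\inf\usbstor.PNF"
)

# 1. Deny the restricted group read/execute on the driver INF/PNF so that
#    Plug and Play cannot install the USBSTOR driver for a device it has
#    not seen before. The files are owned by TrustedInstaller; if Set-Acl
#    fails with access denied, take ownership first:
#      takeown /f <file>  and  icacls <file> /grant Administrators:F
foreach ($file in $infFiles) {
    if (-not (Test-Path $file)) { Write-Warning "Not present, skipping: $file"; continue }
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $DenyGroup, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# 2. Devices already installed on this machine bypass step 1, because their
#    driver is already present. Disable the USBSTOR service itself instead.
#    Start = 4 is "Disabled"; Start = 3 (on-demand) restores normal behaviour.
$usbstorSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstorSvc -Name Start -Value 4 -Type DWord

# 3. Verify: list the Deny entries on the INF and the service start type.
foreach ($file in $infFiles | Where-Object { Test-Path $_ }) {
    Write-Host "Deny entries on $file"
    (Get-Acl -Path $file).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, FileSystemRights -AutoSize
}
$start = (Get-ItemProperty -Path $usbstorSvc -Name Start).Start
Write-Host "USBSTOR Start value: $start (4 = disabled)"
```

A Deny ACE wins over any Allow the group inherits, which is why a single rule is enough. Keep the change auditable: the same two settings can be pushed centrally by Group Policy, and the Removable Storage Access policies mentioned above are easier to roll back than per-file ACLs if a business unit later needs read-only USB access.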

Forensic evidence of USB usage is also stored in the registry. For USB devices, the first time the device was plugged in, (Read more...)
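As an added example of the registry evidence mentioned above (not code from the original article), this PowerShell snippet enumerates the USBSTOR enumeration keys, where Windows records every USB mass-storage device ever installed on the host, along with the device serial (or a Windows-generated instance ID when the device has no serial) and its friendly name. It reads the live registry of the machine it runs on and assumes nothing beyond a standard Windows install; it does not recover first-connection timestamps, because the registry provider does not expose a key's last-write time.

```powershell
# Added example (not from the original article): list USB mass-storage
# devices that have been connected to this Windows host, from the registry.
# Read-only; no elevation needed for these keys on a default install.
$usbstorEnum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

if (-not (Test-Path $usbstorEnum)) {
    Write-Warning "No USBSTOR enumeration key found; no USB storage device has been installed."
    return
}

$devices = Get-ChildItem -Path $usbstorEnum | ForEach-Object {
    # Key name encodes vendor/product/revision, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
    $deviceClass = $_.PSChildName
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $instanceId = $_.PSChildName
        [pscustomobject]@{
            DeviceClass  = $deviceClass
            InstanceId   = $instanceId
            # A '&' as the second character means the device reported no serial
            # number and Windows generated this ID, so it cannot uniquely
            # identify a physical drive across hosts.
            HasSerial    = ($instanceId.Length -gt 1 -and $instanceId[1] -ne '&')
            FriendlyName = $props.FriendlyName
            ContainerId  = $props.ContainerID
        }
    }
}

$devices | Format-Table DeviceClass, InstanceId, HasSerial, FriendlyName -AutoSize
```

The InstanceId is what ties a registry entry to a specific physical stick, so it is the value to pivot on when correlating a suspect device across several machines; entries without a real serial can only be matched by vendor and product string.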