T1020.001 Traffic Duplication Mappings

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)

Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1020.001 Automated Exfiltration: Traffic Duplication
attribute.confidentiality.data_disclosure None related-to T1020.001 Automated Exfiltration: Traffic Duplication

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
aws_config AWS Config technique_scores T1020.001 Traffic Duplication
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: "acm-certificate-expiration-check" for nearly expired certificates in AWS Certificate Manager (ACM); "alb-http-to-https-redirection-check" for Application Load Balancer (ALB) HTTP listeners; "api-gw-ssl-enabled" for API Gateway REST API stages; "cloudfront-custom-ssl-certificate", "cloudfront-sni-enabled", and "cloudfront-viewer-policy-https", for Amazon CloudFront distributions; "elb-acm-certificate-required", "elb-custom-security-policy-ssl-check", "elb-predefined-security-policy-ssl-check", and "elb-tls-https-listeners-only" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; "redshift-require-tls-ssl" for Amazon Redshift cluster connections to SQL clients; "s3-bucket-ssl-requests-only" for requests for S3 bucket contents; and "elasticsearch-node-to-node-encryption-check" for Amazon ElasticSearch Service node-to-node communications. All of these are run on configuration changes except "alb-http-to-https-redirection-check", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.
References
    aws_iot_device_defender AWS IoT Device Defender technique_scores T1020.001 Traffic Duplication
    Comments
    The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: "CA certificate expiring" ("CA_CERTIFICATE_EXPIRING_CHECK" in the CLI and API), "CA certificate key quality" ("CA_CERTIFICATE_KEY_QUALITY_CHECK" in the CLI and API), and "CA certificate revoked but device certificates still active" ("REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the "UPDATE_CA_CERTIFICATE" mitigation action which can resolve them. "Device certificate expiring" ("DEVICE_CERTIFICATE_EXPIRING_CHECK" in the CLI and API), "Device certificate key quality" ("DEVICE_CERTIFICATE_KEY_QUALITY_CHECK" in the CLI and API), "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and API), and "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can identify problems with IoT devices' certificates and support the "UPDATE_DEVICE_CERTIFICATE" and "ADD_THINGS_TO_THING_GROUP" mitigation actions which can resolve them. Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.
    References