An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
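Chunking of this kind defeats a rule that only compares each transfer to a size threshold. The following is an added detection example (not part of this mapping page or of ATT&CK) that also aggregates identical-size outbound flows per source/destination pair over a time window, so that many small chunks whose combined volume crosses the threshold still alert; it runs over constructed flow records, and all thresholds, addresses and field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds below are assumptions for this example, not values from any standard.
PER_FLOW_THRESHOLD = 10_000_000   # bytes: a single transfer above this alerts
WINDOW_SECONDS = 3600             # aggregation window per (src, dst) pair
MIN_CHUNKS = 5                    # fewer uniform flows than this is not a pattern

@dataclass
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    bytes_out: int

def per_flow_alerts(flows, threshold=PER_FLOW_THRESHOLD):
    """Naive rule: alert only on single transfers above the threshold."""
    return [f for f in flows if f.bytes_out > threshold]

def chunked_transfer_alerts(flows, window_s=WINDOW_SECONDS,
                            min_chunks=MIN_CHUNKS, total_threshold=PER_FLOW_THRESHOLD):
    """Aggregate rule: many identical-size outbound flows to one destination whose
    combined volume inside one window exceeds the per-flow threshold."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(pair_flows)):
            while pair_flows[end].ts - pair_flows[start].ts > window_s:
                start += 1                      # slide the window forward
            window = pair_flows[start:end + 1]
            sizes = {f.bytes_out for f in window}   # strict equality; real rules may tolerate variance
            total = sum(f.bytes_out for f in window)
            if len(window) >= min_chunks and len(sizes) == 1 and total > total_threshold:
                alerts.append({"src": src, "dst": dst, "chunks": len(window),
                               "chunk_size": sizes.pop(), "total_bytes": total})
                break                           # one alert per pair is enough
    return alerts

# Constructed sample: 200 x 64 KiB chunks to one external host over ~33 minutes,
# a small periodic heartbeat, ordinary browsing, and one oversized single upload.
SAMPLE_FLOWS = (
    [Flow(1000 + i * 10, "10.0.0.5", "203.0.113.7", 65536) for i in range(200)]
    + [Flow(2000 + i * 60, "10.0.0.8", "198.51.100.2", 1200) for i in range(6)]
    + [Flow(1500, "10.0.0.9", "198.51.100.2", 4120),
       Flow(1600, "10.0.0.9", "203.0.113.7", 15_000_000)]
)
```

On the sample, the per-flow rule fires only on the single 15 MB upload and never sees the chunked host, while the aggregate rule alerts on the chunked pair once 153 chunks (about 10 MB) have accumulated and stays quiet on the low-volume heartbeat.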
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1030 | Data Transfer Size Limits | This diagnostic statement provides for implementing methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts. |
DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1030 | Data Transfer Size Limits | This diagnostic statement provides protection from Data Transfer Size Limits by using tools to detect and block the use of unauthorized devices and connections, preventing abuse by adversaries. |
PR.DS-01.03 | Removable media protection | Mitigates | T1030 | Data Transfer Size Limits | This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1030 | Data Transfer Size Limits | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
PR.IR-04.01 | Utilization monitoring | Mitigates | T1030 | Data Transfer Size Limits | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1030 | Data Transfer Size Limits | This diagnostic statement protects against Data Transfer Size Limits through the use of secure network configurations and architecture, implementation of zero trust architecture, and segmentation. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1030 | Data Transfer Size Limits | |
CM-06 | Configuration Settings | mitigates | T1030 | Data Transfer Size Limits | |
SI-03 | Malicious Code Protection | mitigates | T1030 | Data Transfer Size Limits | |
CM-02 | Baseline Configuration | mitigates | T1030 | Data Transfer Size Limits | |
SI-04 | System Monitoring | mitigates | T1030 | Data Transfer Size Limits | |
AC-04 | Information Flow Enforcement | mitigates | T1030 | Data Transfer Size Limits | |
SC-07 | Boundary Protection | mitigates | T1030 | Data Transfer Size Limits | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1030 | Data Transfer Size Limits | |
attribute.confidentiality.data_disclosure | None | related-to | T1030 | Data Transfer Size Limits | |