Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses.(Citation: TrustedSec OOB Communications)(Citation: CISA AA20-352A 2021) Adversaries can collect or forward email from mail servers or clients.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as MFA is recommended to minimize the risk of adversaries collecting usernames and passwords.
References
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of revocation of keys and key management. Employing key protection strategies such as ensuring proper encryption methods and key management for those used in email along with policies for sending cryptographic material over email, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from emails.
References
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. here may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. here may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1114 | Email Collection | |
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1114 | Email Collection | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1114 | Email Collection | |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1114 | Email Collection | |
| attribute.confidentiality.data_disclosure | None | related-to | T1114 | Email Collection | |
| attribute.confidentiality.data_disclosure | None | related-to | T1114 | Email Collection |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1114 | Email Collection |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1114.001 | Local Email Collection | 16 |
| T1114.003 | Email Forwarding Rule | 18 |
| T1114.002 | Remote Email Collection | 23 |