Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later support .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)
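The two default locations above are where a defender should look first when hunting for local email stores that an adversary could copy, and where an adversary's staged copies tend to appear. The script below is an added example written for this page, not MITRE's or Microsoft's code: it walks those two directories under each supplied profile root and identifies Outlook data files by their on-disk header (the "!BDN" dwMagic at offset 0, the "SM" wMagicClient at offset 8 and the wVer field at offset 10, as laid out in Microsoft's MS-PST specification) rather than by extension, so a store that has been renamed to dodge an extension-based filter is still found. The profile name, file names and file contents in the demo are constructed for the example; the version classification (14/15 ANSI, 23 and above Unicode) follows MS-PST, and the value 36 used for the sample .ost is what modern Outlook .ost files carry in practice.

```python
"""Find Outlook data files (.pst/.ost) by content signature, not file extension."""
import struct
import tempfile
from pathlib import Path

# Header constants from the MS-PST specification (HEADER structure).
PST_MAGIC = b"!BDN"        # dwMagic, offset 0
PST_MAGIC_CLIENT = b"SM"   # wMagicClient, offset 8
HEADER_PREFIX_LEN = 12     # enough to cover dwMagic, dwCRCPartial, wMagicClient, wVer

# Default Outlook data file locations named on this page, relative to a profile root.
DEFAULT_SUBDIRS = (
    Path("Documents") / "Outlook Files",
    Path("AppData") / "Local" / "Microsoft" / "Outlook",
)


def parse_outlook_header(data: bytes):
    """Return (format, wVer) if `data` begins with an Outlook data file header, else None."""
    if len(data) < HEADER_PREFIX_LEN:
        return None
    if data[:4] != PST_MAGIC or data[8:10] != PST_MAGIC_CLIENT:
        return None
    (wver,) = struct.unpack_from("<H", data, 10)   # little-endian 16-bit version field
    if wver in (14, 15):
        fmt = "ANSI"                                # legacy ANSI .pst (2GB limit era)
    elif wver >= 23:
        fmt = "Unicode"                             # Unicode .pst/.ost; modern .ost use 36
    else:
        fmt = "unknown"
    return fmt, wver


def find_outlook_data_files(profile_roots):
    """Scan the default Outlook store directories under each profile root.

    Every regular file is inspected by header, so renamed copies are reported too.
    """
    results = []
    for root in profile_roots:
        for sub in DEFAULT_SUBDIRS:
            directory = Path(root) / sub
            if not directory.is_dir():
                continue
            for path in directory.rglob("*"):
                if not path.is_file():
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_PREFIX_LEN)
                parsed = parse_outlook_header(head)
                if parsed is None:
                    continue
                results.append({
                    "name": path.name,
                    "path": str(path),
                    "format": parsed[0],
                    "wVer": parsed[1],
                    "size": path.stat().st_size,
                })
    return sorted(results, key=lambda r: r["name"])


def make_header(wver: int) -> bytes:
    """Build a constructed 12-byte header prefix (CRC left zero) for demonstration."""
    return PST_MAGIC + b"\x00\x00\x00\x00" + PST_MAGIC_CLIENT + struct.pack("<H", wver)


def demo():
    """Create a constructed profile tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "alice"                      # constructed profile root
        docs = root / "Documents" / "Outlook Files"
        appdata = root / "AppData" / "Local" / "Microsoft" / "Outlook"
        docs.mkdir(parents=True)
        appdata.mkdir(parents=True)
        body = b"\x00" * 500
        (docs / "archive.pst").write_bytes(make_header(14) + body)            # ANSI archive
        (appdata / "alice@example.com.ost").write_bytes(make_header(36) + body)  # modern .ost
        (appdata / "staged.tmp").write_bytes(make_header(23) + body)          # renamed copy
        (docs / "readme.pst").write_bytes(b"a text file with a misleading extension")
        return find_outlook_data_files([root])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['format']:8} wVer={hit['wVer']:<3} {hit['size']:>8} bytes  {hit['path']}")
```

On a live host, pass the real profile roots (for example every directory under C:\Users) instead of the constructed tree; a store turning up under a name or extension Outlook would never use, or outside the two default directories, is the kind of staging artifact this technique leaves behind.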
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Methods such as encryption based on public-key cryptography are recommended to minimize the risk of adversaries collecting information from files saved on email servers and in local caches. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, encryption provides an added layer of security for sensitive information sent over email. With public-key encryption, an adversary must obtain the recipient's private key, not merely the certificate (which is public), to decrypt messages. Encryption should be enforced for email communications containing sensitive information that may be obtained through access to email services. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement protects against Local Email Collection through key management. Protecting the key material used to encrypt email, restricting its use to specific accounts, and applying access control mechanisms to it limit what an adversary gains from collecting local email stores. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement limits an adversary's ability to manipulate emails and collect sensitive data (PII) from users by governing which email data is retained and for how long. There are similarities to NIST 800-53 SI-12 Information Management and Retention. This may mitigate data access/exfiltration techniques. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement limits an adversary's ability to manipulate emails and collect sensitive data (PII) from users by ensuring that email data no longer needed is destroyed rather than left in local stores. There are similarities to NIST 800-53 SI-12 Information Management and Retention. This may mitigate data access/exfiltration techniques. |
PR.PS-01.05 | Encryption standards | Mitigates | T1114.001 | Local Email Collection | Comments: This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data, protecting the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, encryption provides an added layer of security for sensitive information sent over email. With public-key encryption, an adversary must obtain the recipient's private key, not merely the certificate (which is public), to decrypt messages. Encryption should be enforced for email communications containing sensitive information that may be obtained through access to email services. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SC-37 | Out-of-band Channels | mitigates | T1114.001 | Local Email Collection | |
AC-17 | Remote Access | mitigates | T1114.001 | Local Email Collection | |
AC-19 | Access Control for Mobile Devices | mitigates | T1114.001 | Local Email Collection | |
SI-12 | Information Management and Retention | mitigates | T1114.001 | Local Email Collection | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1114.001 | Local Email Collection | |
AC-16 | Security and Privacy Attributes | mitigates | T1114.001 | Local Email Collection | |
AC-20 | Use of External Systems | mitigates | T1114.001 | Local Email Collection | |
SI-04 | System Monitoring | mitigates | T1114.001 | Local Email Collection | |
AC-04 | Information Flow Enforcement | mitigates | T1114.001 | Local Email Collection | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
attribute.confidentiality.data_disclosure | None | related-to | T1114.001 | Local Email Collection | |