Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depend on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise, and possibly access to specialized software related to the system, to have the desired impact; this would typically be gained through a prolonged information gathering campaign.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.DS-02.01 | Data-in-transit protection | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement provides another layer of protection from adversaries trying to gain access to data that is en route to storage or other systems. |
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring. |
PR.PS-01.06 | Encryption management practices | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, in order to mitigate unauthorized access to or theft of data. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement protects against Transmitted Data Manipulation through key revocation and key management. Employing key protection strategies for key material used for sensitive information transmitted over networks, together with limitations to specific accounts and access control mechanisms, provides protection against transmitted data manipulation by adversaries. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. |
PR.PS-01.05 | Encryption standards | Mitigates | T1565.002 | Transmitted Data Manipulation | This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit, in order to mitigate unauthorized access to or theft of data. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1565.002 | Transmitted Data Manipulation | |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1565.002 | Transmitted Data Manipulation | |
attribute.integrity.variety.Modify data | Modified stored data or content | related-to | T1565.002 | Transmitted Data Manipulation | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_private_link | Azure Private Link | technique_scores | T1565.002 | Transmitted Data Manipulation | This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet. |
azure_vpn_gateway | Azure VPN Gateway | technique_scores | T1565.002 | Transmitted Data Manipulation | This control can protect against transmitted data manipulation. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
sensitive_data_protection | Sensitive Data Protection | technique_scores | T1565.002 | Transmitted Data Manipulation | This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. The de-identification service lets you obfuscate instances of sensitive data before they can be transmitted for sharing. |
cloud_vpn | Cloud VPN | technique_scores | T1565.002 | Transmitted Data Manipulation | This control protects data from being manipulated by adversaries through target applications by encrypting important information. Since this control only protects data in transit, it received a partial score. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1565.002 | Transmitted Data Manipulation | |
aws_rds | AWS RDS | technique_scores | T1565.002 | Transmitted Data Manipulation | AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant. |
aws_rds | AWS RDS | technique_scores | T1565.002 | Transmitted Data Manipulation | AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. |