Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)
Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-07 | Migration to Cloud Environments | mitigates | T1020.001 | Traffic Duplication |
Comments
This control provides for the use of secure and encrypted communication
channels when migrating to cloud environments. Ensuring that all wireless traffic is encrypted appropriately can mitigate adversary abuse of traffic mirroring for redirection of network traffic and automated data exfiltration.
References
|
| CEK-03 | Data Encryption | mitigates | T1020.001 | Traffic Duplication |
Comments
This control provides cryptographic protection for data-at-rest and data-in-transit within the cloud environment. Ensuring that all wireless traffic is encrypted appropriately can mitigate adversary abuse of traffic mirroring for redirection of network traffic and automated data exfiltration.
References
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1020.001 | Traffic Duplication |
Comments
The control describes the implementation of strong technical and procedural safeguards, such as TLS with strong keys)to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
References
|