Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1052 | Exfiltration Over Physical Medium | This control can help prevent adversaries attempting to exfiltrate data via a physical medium, such as a removable drive, through mechanisms such as automatic screen locking and automatic session logout. |
| UEM-11 | Data Loss Prevention | mitigates | T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices. This includes classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. |
| DSP-04 | Data Classification | mitigates | T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can detect and block sensitive data being copied to physical mediums. |
| DSP-02 | Secure Disposal | mitigates | T1052 | Exfiltration Over Physical Medium | Adversaries may attempt to exfiltrate data via a physical medium, such as removable drives. This control ensures that storage media is securely and irreversibly sanitized using industry-accepted methods to prevent data recovery, thereby mitigating attacker techniques such as data remanence exploitation, forensic recovery, and unauthorized access to residual sensitive information from discarded or repurposed devices. |

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1052.001 | Exfiltration over USB | 3 |