Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1052.001 | Exfiltration over USB | This control can help prevent adversaries from exfiltrating data via a USB connected physical device through mechanisms such as automatic screen locking and automatic session logout. |
| UEM-11 | Data Loss Prevention | mitigates | T1052.001 | Exfiltration over USB | Adversaries may attempt to exfiltrate data over a USB connected physical device. This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices. This includes classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. |
| DSP-04 | Data Classification | mitigates | T1052.001 | Exfiltration over USB | Adversaries may attempt to exfiltrate data over a USB connected physical device. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Data loss prevention can detect and block sensitive data being copied to USB devices. |