Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.
In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023)
This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-08 | Storage Encryption | mitigates | T1119 | Automated Collection | This control provides for implementation of endpoint storage encryption. Encryption and off-system storage of sensitive information ensures the confidentiality of data and can help to mitigate adversary use of automated techniques for automatically collecting data and files. |
| I&S-07 | Migration to Cloud Environments | mitigates | T1119 | Automated Collection | This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can help to mitigate adversary use of automated techniques for automatically collecting data and files. |
| CEK-03 | Data Encryption | mitigates | T1119 | Automated Collection | This control provides cryptographic protection for data-at-rest and data-in-transit within the cloud environment. Encryption and off-system storage of sensitive information ensures the confidentiality of data and can help to mitigate adversary use of automated techniques for automatically collecting data and files. |
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1119 | Automated Collection | This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor and patch for vulnerabilities. The guidance for the CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access. |
| DSP-10 | Sensitive Data Transfer | mitigates | T1119 | Automated Collection | This control describes the implementation of strong technical and procedural safeguards, such as TLS with strong keys, to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, encryption and off-system storage of sensitive information may be one way to mitigate collection of files. |
| DSP-17 | Sensitive Data Protection | mitigates | T1119 | Automated Collection | This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. For this technique, in cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. In terms of mitigation, data stored at rest in cloud storage can be encrypted with managed encryption keys, which most providers allow to be rotated. |
| UEM-11 | Data Loss Prevention | mitigates | T1119 | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices. This includes classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. |
| DSP-04 | Data Classification | mitigates | T1119 | Automated Collection | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating attacker techniques such as data exfiltration, unauthorized disclosure, and the misuse of unprotected sensitive information. Certain data loss prevention capabilities can restrict mass automated collection of data that has been tagged as sensitive. |
| AIS-02 | Application Security Baseline Requirements | mitigates | T1119 | Automated Collection | This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. In cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. |