Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1213 | Data from Information Repositories | This control requires both CSP and CSC to independently enforce formal approval processes for user access and implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution. |
| IAM-14 | Strong Authentication | mitigates | T1213 | Data from Information Repositories | This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive-data, and third-party access; implement secure centralized authentication systems and digital certificates; protect credentials; monitor authentication activity; and ensure strong, risk-based authentication measures are consistently applied and reviewed. |
| IAM-06 | User Access Provisioning | mitigates | T1213 | Data from Information Repositories | This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. |
| UEM-08 | Storage Encryption | mitigates | T1213 | Data from Information Repositories | This control provides for the implementation of endpoint storage encryption. Encrypting data stored at rest in information repositories ensures the confidentiality of data and can mitigate adversary access to information of value, such as sensitive documents or data that may aid their further objectives. |
| UEM-05 | Endpoint Management | mitigates | T1213 | Data from Information Repositories | This control provides for the implementation of best practices for endpoint management. Effectively securing information repositories and enforcing robust data retention policies can mitigate the risk of adversaries exploiting information repositories to access sensitive or valuable information. |
| LOG-08 | Audit Logs Sanitization | mitigates | T1213 | Data from Information Repositories | This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Data from Information Repositories (T1213) can occur if logs containing sensitive data are accessed or exfiltrated. |
| I&S-07 | Migration to Cloud Environments | mitigates | T1213 | Data from Information Repositories | This control provides for the use of secure and encrypted communication channels when migrating to cloud environments. Encrypting data at all stages, from storage to transmission, ensures the confidentiality of data and can mitigate adversary access to information of value, such as sensitive documents or data that may aid their further objectives. |
| CEK-03 | Data Encryption | mitigates | T1213 | Data from Information Repositories | This control provides cryptographic protection for data at rest within the cloud environment. Encrypting data stored at rest in information repositories ensures the confidentiality of data and can mitigate adversary access to information of value, such as sensitive documents or data that may aid their further objectives. |
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1213 | Data from Information Repositories | This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor and patch for vulnerabilities. The guidance for the CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate the risks of data tampering, loss, or unauthorized access. |
| IAM-07 | User Access Changes and Revocation | mitigates | T1213 | Data from Information Repositories | This control focuses on the secure deprovisioning of user access by automating account removal and by detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents. |
| IAM-05 | Least Privilege | mitigates | T1213 | Data from Information Repositories | This control describes the enforcement of the principle of least privilege by implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. Adversaries have been observed leveraging this technique to collect data from misconfigured cloud-hosted databases. To mitigate it, enforce the principle of least privilege and consider implementing access control mechanisms that include both authentication and authorization. |
| DSP-08 | Data Privacy by Design and Default | mitigates | T1213 | Data from Information Repositories | Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. To mitigate this technique, encrypt data stored at rest in databases. |
| DSP-17 | Sensitive Data Protection | mitigates | T1213 | Data from Information Repositories | This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. Information repositories targeted by this technique have often been improperly secured, typically by unintentionally allowing overly broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch. To mitigate it, encrypt data stored at rest in databases and ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that the security groups assigned to them permit only necessary and authorized hosts. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1213 | Data from Information Repositories | This control provides for the implementation of best practices for third-party endpoint management. Effectively securing information repositories and enforcing robust data retention policies can mitigate the risk of adversaries exploiting information repositories to access sensitive or valuable information. |
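The technique description and the DSP-17 note both point at cloud-hosted data stores left reachable through overly broad security-group rules. The following added example (not part of the mapping and not MITRE or CSA tooling) classifies ingress rules shaped like EC2 describe-security-groups output against the default ports of the services named on the page; the port list, the prefix-length thresholds and the sample group are assumptions constructed for this example.

```python
"""Flag security-group ingress rules that expose data-store ports too widely."""
import ipaddress

# Default listener ports of the services the page names (assumption: defaults,
# not whatever ports a given deployment actually uses).
DATASTORE_PORTS = {3306: "MySQL (RDS)", 5432: "PostgreSQL (RDS)",
                   6379: "Redis", 9200: "Elasticsearch"}

# Widest source prefix accepted for a data-store port, per IP version; wider
# prefixes are reported as "broad". Thresholds are an assumption for this example.
MIN_PREFIX = {4: 24, 6: 64}

def classify_source(cidr):
    """Return 'public', 'broad' or None for one source CIDR on a data-store port."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable by any unauthenticated host
        return "public"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return "broad"
    return None

def find_exposed_rules(security_groups):
    """Walk groups shaped like EC2 describe-security-groups output; return findings."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            all_ports = perm.get("IpProtocol") == "-1"  # "-1" means every protocol and port
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, service in DATASTORE_PORTS.items():
                if not (all_ports or (lo is not None and lo <= port <= hi)):
                    continue
                for cidr in sources:
                    verdict = classify_source(cidr)
                    if verdict:
                        findings.append((sg["GroupId"], service, port, cidr, verdict))
    return findings

# Constructed sample group: a public MySQL rule, a broad Redis rule, a tightly
# scoped PostgreSQL rule, and an all-traffic IPv6 rule open to the world.
SAMPLE_GROUPS = [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.20.30.0/24"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}]

if __name__ == "__main__":
    for finding in find_exposed_rules(SAMPLE_GROUPS):
        print(*finding)
```

On the sample group the all-traffic IPv6 rule alone yields one public finding per data-store service, which is why protocol "-1" rules deserve the same scrutiny as explicit port rules.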
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1213.002 | Sharepoint | 2 |
| T1213.001 | Confluence | 2 |
| T1213.004 | Customer Relationship Management Software | 3 |