Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
View in MITRE ATT&CK®

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1567 | Exfiltration Over Web Service | This control requires both the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC) to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1567 | Exfiltration Over Web Service | This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor for and patch vulnerabilities. The guidance for the CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate the risk of data tampering, loss, or unauthorized access. |
| DSP-17 | Sensitive Data Protection | mitigates | T1567 | Exfiltration Over Web Service | This control requires the Cloud Service Provider (CSP) to implement mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection so that sensitive customer data is protected throughout its lifecycle. Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel; a NIDS or DLP solution can block sensitive data from being uploaded to web services via web browsers, based on an allow/block list of destinations. |
| UEM-11 | Data Loss Prevention | mitigates | T1567 | Exfiltration Over Web Service | This control requires implementing data leakage prevention (DLP) capabilities on endpoint devices, including classifying and inventorying data, protecting sensitive information in transit and at rest, monitoring for unauthorized disclosures, and responding to policy violations. Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel; endpoint DLP can detect and block such uploads on the device itself, before the traffic is protected by the service's TLS. |
| DSP-04 | Data Classification | mitigates | T1567 | Exfiltration Over Web Service | Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. This control enforces the classification of data by type, criticality, and sensitivity level to enable appropriate protections (including DLP measures), mitigating techniques such as data exfiltration, unauthorized disclosure, and misuse of unprotected sensitive information. Data loss prevention capabilities can detect and block tagged sensitive data being uploaded to web services via web browsers, or block uploads to pre-defined blocked websites. |
| AIS-05 | Automated Application Security Testing | mitigates | T1567 | Exfiltration Over Web Service | The control outlines several testing approaches, including automated tools, to identify and remediate vulnerabilities or weaknesses that can be exploited. Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Regular testing should identify data exfiltration paths through applications, and should exercise cloud APIs and web applications for unauthorized data access and exfiltration. |
| AIS-02 | Application Security Baseline Requirements | mitigates | T1567 | Exfiltration Over Web Service | This control requires organizations to establish security baseline requirements for their cloud applications; examples include access control, encryption, and configuration management. Adversaries may use an existing, legitimate external web service to exfiltrate data rather than their primary command and control channel. Baseline requirements should cover configurations of cloud applications and web services that could be abused to exfiltrate data. |
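The DSP-17, UEM-11 and DSP-04 notes above describe the same DLP decision: classify an outbound payload, then allow or block it depending on the destination web service and an allow/block list. The following is an added example of that logic, not code from the CSA CCM, the ATT&CK mapping project, or any DLP product; every hostname, classification pattern and sample upload in it is constructed for the demonstration. Because the services in question use TLS (see the technique description), a check like this has to run where the plaintext is visible: on the endpoint agent (UEM-11) or at a proxy that terminates TLS.

```python
"""Outbound-upload DLP decision, as an added example (not part of the mapping).

Destinations, classification rules and sample uploads are hypothetical and
constructed for this demo; a real deployment would take them from the
organisation's data classification policy (DSP-04) and sanctioned-service list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical policy: services sanctioned for uploads, and services explicitly
# blocked. Any other destination is "unknown" and judged on content alone.
ALLOWED_DESTINATIONS = {"files.corp.example"}
BLOCKED_DESTINATIONS = {"paste.example.net", "hooks.example-chat.com"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-16 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (label, pattern, optional validator applied to the matched text)
CLASSIFIERS = [
    ("CONFIDENTIAL_TAG", re.compile(r"\bCLASSIFICATION:\s*CONFIDENTIAL\b"), None),
    ("PAN", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
     lambda text: luhn_ok(re.sub(r"[ -]", "", text))),
    ("US_SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
]


@dataclass
class Upload:
    host: str   # destination web service (SNI / Host header)
    path: str
    body: str   # request body as seen after TLS termination or on the endpoint


def classify(body: str) -> list[str]:
    """Return the sensitivity labels found in a payload (each label at most once)."""
    labels = []
    for label, pattern, validate in CLASSIFIERS:
        for m in pattern.finditer(body):
            if validate is None or validate(m.group(0)):
                labels.append(label)
                break
    return labels


def decide(upload: Upload) -> tuple[str, list[str]]:
    """Return ("allow" | "block", labels) for one outbound upload."""
    labels = classify(upload.body)
    if upload.host in BLOCKED_DESTINATIONS:
        return ("block", labels)        # blocklisted service, regardless of content
    if not labels:
        return ("allow", labels)        # nothing sensitive in the payload
    if upload.host in ALLOWED_DESTINATIONS:
        return ("allow", labels)        # sensitive data to a sanctioned service (log it)
    return ("block", labels)            # sensitive data to an unsanctioned service


# Constructed sample traffic: one request per policy branch.
SAMPLE_UPLOADS = [
    Upload("files.corp.example", "/upload", "CLASSIFICATION: CONFIDENTIAL\nQ3 forecast"),
    Upload("paste.example.net", "/api/paste", "just some notes"),
    Upload("share.example.org", "/v1/files", "card 4111 1111 1111 1111 exp 12/29"),
    Upload("share.example.org", "/v1/files", "order 1234 5678 9012 3456 shipped"),
    Upload("hooks.example-chat.com", "/services/T0/B0/x", '{"text": "ssn 123-45-6789"}'),
]


def run(uploads: list[Upload] = SAMPLE_UPLOADS) -> list[tuple[str, str, list[str]]]:
    """Evaluate every sample upload; returns (host, verdict, labels) per request."""
    return [(u.host, *decide(u)) for u in uploads]


if __name__ == "__main__":
    for host, verdict, labels in run():
        print(f"{verdict:5s} {host:24s} {labels}")
```

Two points a practitioner would check before trusting a rule set like this: the PAN classifier only fires when the Luhn checksum passes, so the 16-digit order number in the fourth sample is allowed rather than blocked, and a blocklisted destination is blocked even when the payload looks harmless, because the block applies to the channel, not the content.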
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1567.004 | Exfiltration Over Webhook | 2 |
| T1567.002 | Exfiltration to Cloud Storage | 1 |