Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, used for network analysis; it can be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image. (Citation: US-CERT-TA18-106A) (Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Man-in-the-Middle, depending on the goals and objectives of the adversary.
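As an added illustrative example (not part of the ATT&CK entry or of any mapped control), the following Python script audits a constructed Cisco IOS-style running-config excerpt for SPAN `monitor session` entries and flags any mirroring session that is absent from, or whose destination differs from, an operator-approved baseline, which is the detection intent behind the CM-2 and SI-4 mappings in the table. The config text, session numbers and interface names are assumed sample values.

```python
import re

# Constructed sample of a Cisco IOS-style running-config excerpt (assumption:
# standard SPAN "monitor session" syntax; not a capture from any real device).
RUNNING_CONFIG = """\
hostname core-sw1
!
monitor session 1 source interface Gi1/0/1 - 4
monitor session 1 destination interface Gi1/0/48
!
monitor session 7 source vlan 10 , 20
monitor session 7 destination remote vlan 999
!
interface GigabitEthernet1/0/48
 description IDS sensor tap
"""

# Baseline (CM-2): the only mirroring the operator has approved.
# Assumed value: session 1 feeding the IDS sensor on Gi1/0/48.
APPROVED_SESSIONS = {
    "1": {"destination interface Gi1/0/48"},
}

SESSION_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<kind>source|destination) (?P<rest>.+)$"
)


def parse_monitor_sessions(config):
    """Return {session_id: {"source": [...], "destination": [...]}}."""
    sessions = {}
    for line in config.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        entry = sessions.setdefault(m["id"], {"source": [], "destination": []})
        # Normalise internal whitespace so "vlan 10 , 20" compares stably.
        entry[m["kind"]].append(" ".join(m["rest"].split()))
    return sessions


def find_unapproved_sessions(sessions, approved):
    """Flag sessions missing from the baseline or whose destination set differs.
    Returns a sorted list of (session_id, reason) tuples for alerting (SI-4)."""
    findings = []
    for sid, entry in sessions.items():
        dests = {"destination " + d for d in entry["destination"]}
        if sid not in approved:
            findings.append((sid, "session not in baseline"))
        elif dests != approved[sid]:
            findings.append((sid, "destination differs from baseline: " + ", ".join(sorted(dests))))
    return sorted(findings)


if __name__ == "__main__":
    for sid, reason in find_unapproved_sessions(parse_monitor_sessions(RUNNING_CONFIG), APPROVED_SESSIONS):
        print(f"ALERT monitor session {sid}: {reason}")
```

Running the script reports session 7 (mirroring VLANs 10 and 20 to a remote VLAN) as not in the baseline, while the approved IDS tap on session 1 is silent.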
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-16 | Security and Privacy Attributes | Protects | T1020.001 | Traffic Duplication | |
AC-17 | Remote Access | Protects | T1020.001 | Traffic Duplication | |
AC-18 | Wireless Access | Protects | T1020.001 | Traffic Duplication | |
AC-19 | Access Control for Mobile Devices | Protects | T1020.001 | Traffic Duplication | |
AC-20 | Use of External Systems | Protects | T1020.001 | Traffic Duplication | |
CM-2 | Baseline Configuration | Protects | T1020.001 | Traffic Duplication | |
CM-6 | Configuration Settings | Protects | T1020.001 | Traffic Duplication | |
CM-8 | System Component Inventory | Protects | T1020.001 | Traffic Duplication | |
SC-4 | Information in Shared System Resources | Protects | T1020.001 | Traffic Duplication | |
SI-12 | Information Management and Retention | Protects | T1020.001 | Traffic Duplication | |
SI-4 | System Monitoring | Protects | T1020.001 | Traffic Duplication | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1020.001 | Traffic Duplication | |
action.malware.variety.Export data | Export data to another site or system | related-to | T1020.001 | Automated Exfiltration: Traffic Duplication | |
aws_config | AWS Config | technique_scores | T1020.001 | Traffic Duplication | The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: "acm-certificate-expiration-check" for nearly expired certificates in AWS Certificate Manager (ACM); "alb-http-to-https-redirection-check" for Application Load Balancer (ALB) HTTP listeners; "api-gw-ssl-enabled" for API Gateway REST API stages; "cloudfront-custom-ssl-certificate", "cloudfront-sni-enabled", and "cloudfront-viewer-policy-https" for Amazon CloudFront distributions; "elb-acm-certificate-required", "elb-custom-security-policy-ssl-check", "elb-predefined-security-policy-ssl-check", and "elb-tls-https-listeners-only" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; "redshift-require-tls-ssl" for Amazon Redshift cluster connections to SQL clients; "s3-bucket-ssl-requests-only" for requests for S3 bucket contents; and "elasticsearch-node-to-node-encryption-check" for Amazon Elasticsearch Service node-to-node communications. All of these are run on configuration changes except "alb-http-to-https-redirection-check", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial. |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1020.001 | Traffic Duplication | The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to and from IoT devices. "CA certificate expiring" ("CA_CERTIFICATE_EXPIRING_CHECK" in the CLI and API), "CA certificate key quality" ("CA_CERTIFICATE_KEY_QUALITY_CHECK" in the CLI and API), and "CA certificate revoked but device certificates still active" ("REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing, and support the "UPDATE_CA_CERTIFICATE" mitigation action, which can resolve them. "Device certificate expiring" ("DEVICE_CERTIFICATE_EXPIRING_CHECK" in the CLI and API), "Device certificate key quality" ("DEVICE_CERTIFICATE_KEY_QUALITY_CHECK" in the CLI and API), "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and API), and "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) can identify problems with IoT devices' certificates, and support the "UPDATE_DEVICE_CERTIFICATE" and "ADD_THINGS_TO_THING_GROUP" mitigation actions, which can resolve them. Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial. |