One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information).
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SI-23 | Information Fragmentation | Protects | T1070 | Indicator Removal on Host |
| SI-23 | Information Fragmentation | Protects | T1070.001 | Clear Windows Event Logs |
| SI-23 | Information Fragmentation | Protects | T1070.002 | Clear Linux or Mac System Logs |
| SI-23 | Information Fragmentation | Protects | T1072 | Software Deployment Tools |
| SI-23 | Information Fragmentation | Protects | T1119 | Automated Collection |
| SI-23 | Information Fragmentation | Protects | T1565 | Data Manipulation |
| SI-23 | Information Fragmentation | Protects | T1565.001 | Stored Data Manipulation |