Once an attacker has established access and pivoted around to the point of gathering the necessary data, they will work on exfiltration of that data. Not all malware will reach this stage.

Ransomware, for example, usually has no interest in exfiltrating data. As with the Collection tactic, there’s little guidance on how to mitigate an attacker exfiltrating data from the enterprise.

Data Exfiltration

In cases where data is being exfiltrated over the network, having a network intrusion detection or prevention system in place can help identify when data is being transferred. Especially in the case when attackers are stealing large amounts of data, such as a customer database. Even open source tools such as Bro IDS are a great alternative if budget for a commercial solution is not feasible.

Another alternative which is not called out in ATT&CK is utilizing data loss prevention tools. Although DLP can be expensive and complex to roll out, it identifies when sensitive data could be leaving the environment.

Neither IDS/IPS nor DLP is 100 percent accurate, so deploy a defense-in-depth architecture to ensure your confidential data stays confidential.

Controlling External Drives

If your organization deals with highly sensitive data, then limiting access to external drives should be something that’s on your radar. Some endpoint tools can control how external drives are used; however, in Windows, it is quite simple to lock down external drive access via USB.

Whenever a USB drive is plugged in, it uses C:\Windows\inf\usbstor.PNF and C:\Windows\inf\usbstor.INF files to mount the drive. By restricting access to these files to users who are not permitted to use external drives, you can disable their ability to mount an external drive.

Forensic evidence of USB usage is also stored in the registry. For USB devices, the first time the device was plugged in, the last time it was plugged in and the last time it was removed are all stored within the HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR section of the registry.

Only system-level accounts can access this data when the machine is booted, so you need a tool like Tripwire Enterprise to copy the registry file for offline analysis to see this level of data. There are other aspects of USB usage that are also stored in the registry which will be covered in a later incident response blog post.

Securing Critical Data

To properly address this tactic, you first need to know where your organization’s critical data resides. Once it is here, you can follow CIS Control 14, Controlled Access Based on the Need to Know, to secure it. After that, follow CIS Control 13, Data Protection, on how to monitor who’s trying to access the data.

Read more about the MITRE ATT&CK Framework here: