The Collection tactic outlines techniques an attacker will undertake in order to find and gather the data they need to meet their actions on objectives.
I see most of these techniques as being useful for describing what a piece of malware or threat actor is up to rather than looking to them for guidance on how to mitigate and detect their actions.
Many of the techniques listed in this tactic come with no real guidance on how to mitigate them; most fall back on the blanket recommendation of application whitelisting, or on blocking the attacker earlier in the lifecycle.
On the detection side, some of the guidance is not entirely useful, either. Monitoring for image files on an endpoint or looking for access to the clipboard may provide little value unless it serves as corroborating evidence once an attack has been discovered through another method.
Instead, look to the various techniques in this tactic as a way to learn more about how malware is going after the data in your organization.
Attackers will try to steal information about the current user: what’s on their screen, what they are typing, what they are talking about and what they look like. Beyond that, they are also going after sensitive data on the local system as well as data elsewhere on the network.
Understand where you have sensitive data stored and apply the appropriate controls to secure it. Following CIS Control 14, Controlled Access Based on the Need to Know, can help prevent data from falling into the wrong hands.
For extremely sensitive data, apply additional logging around who is accessing that data and what they are doing with it. It’s not often that employees need to access the crown jewels of the company, and when they do, they should be under the close eye of the security team.
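One way to turn that logging into a need-to-know check, as an added example that is not part of the original post: the script below walks constructed file-access log lines, flags any access to a crown-jewel location by a principal outside its allowed set, and also counts how many sensitive files each principal touched, since collection malware usually runs as a legitimate user. The log format, paths, user names and policy are all constructed for illustration.

```python
"""Need-to-know audit over file-access log lines (added example, not from the post).
Log format, paths, users and policy are constructed; real input would be Windows 4663
or Linux auditd events, and the policy would come from the need-to-know groups."""
import re
from collections import Counter

# Constructed crown-jewel locations and the only principals allowed to touch them.
SENSITIVE_PREFIXES = {
    "/srv/finance/": {"cfo", "controller"},
    "/srv/hr/payroll/": {"hr-payroll-svc"},
}
# Even an allowed user touching this many sensitive files is worth a look (bulk collection).
BULK_THRESHOLD = 2
# Constructed format: <ts> user=<name> host=<host> action=<verb> path=<path>
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
                    r"action=(?P<action>\S+) path=(?P<path>.+)$")

def sensitive_scope(path):
    """Return the sensitive prefix covering path (case-insensitive match), or None."""
    lowered = path.lower()
    for prefix in SENSITIVE_PREFIXES:
        if lowered.startswith(prefix):
            return prefix
    return None

def audit(lines):
    """Return (unauthorized alerts, {user: count} for principals at or above BULK_THRESHOLD)."""
    unauthorized, per_user = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines; a real pipeline would count and report them
        scope = sensitive_scope(m["path"])
        if scope is None:
            continue  # not crown-jewel data, no extra scrutiny needed
        per_user[m["user"]] += 1  # who is touching the sensitive data, and how often
        if m["user"] not in SENSITIVE_PREFIXES[scope]:
            unauthorized.append(f"{m['ts']} {m['user']}@{m['host']} {m['action']} {m['path']} is outside need-to-know for {scope}")
    bulk = {u: n for u, n in per_user.items() if n >= BULK_THRESHOLD}
    return unauthorized, bulk

# Constructed sample log: the CFO reads two forecasts, jdoe strays into finance, payroll job writes.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=cfo host=ws-cfo action=read path=/srv/finance/q4-forecast.xlsx
2024-03-01T09:00:02Z user=cfo host=ws-cfo action=read path=/srv/finance/q3-actuals.xlsx
2024-03-01T09:05:12Z user=jdoe host=ws-112 action=read path=/srv/Finance/board-pack.pdf
2024-03-01T09:07:00Z user=hr-payroll-svc host=payroll01 action=write path=/srv/hr/payroll/2024-03.csv
not a log line
"""
```

Running `audit(SAMPLE_LOG.splitlines())` yields one out-of-policy alert for jdoe and lists the CFO as a bulk reader, which is the two-sided view (wrong person, or right person behaving unusually) that the extra logging is meant to give the security team.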
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control