MITRE ATT&CK and SaaS Security
SaaS Security

MITRE ATT&CK and SaaS Security

Exploring The ‘Data from Information Repositories’ Cyber Tactic

As you likely know, a nonprofit association called MITRE has created a knowledge base of techniques used by cyber adversaries to gain access to organizations’ valuable data. The framework, ATT&CK (Adversarial Tactics, Techniques and Common Knowledge), classifies offensive actions used against various platforms. Rather than focusing on tools and malware the adversaries use, ATT&CK addresses how those tools interact with systems during an operation. 

While the ATT&CK framework has been around since 2013, interest in it has grown of late as threats have increased and organizations better understand how critical it is to guard against cyber risks. CISOs look to MITRE ATT&CK to measure how well their security IT teams and security stack are prepared for the various attack vectors, adjusting resource deployments accordingly. If you’re not familiar with MITRE ATT&CK, we at DoControl urge you to explore the framework as part of your cybersecurity planning. 

One of the tactics catalogued in the curated MITRE knowledge base is “Data from Information Repositories” – a threat avenue that DoControl can help organizations guard against. In this process, the adversary gathers data, then looks for ways to exfiltrate the data. Sources for the data to be collected include drives, browsers, email and audio/video, often collected by capturing screenshots and keyboard input. 

As MITRE ATT&CK specifies, adversaries mine these data repositories for sensitive data such as the following:

  • Policies, procedures, and standards
  • Physical/logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing/development credentials
  • Work/project schedules
  • Source code snippets
  • Links to network shares and other internal resources

The framework says the key mitigation technique to combat the Data from Information Repositories threat is through continuous monitoring and detecting anomalous behavior. The framework has identified two platforms to which this attack vector has been deployed (so far): Microsoft SharePoint and Atlassian’s Confluence. While the MITRE ATT&CK framework identifies methods by which organizations using those applications can detect anomalous behavior using the platforms’ own tools, the framework notes that, “As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.” Those creating the framework further suggest, “Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.”

At DoControl, we respectfully suggest that is a severe understatement. The potential for cyber adversaries to exploit information repositories like Google Drive, Dropbox, and Github, among others, is huge and growing daily. While the MITRE ATT&CK framework is helpful for calling attention to the vulnerabilities in SharePoint and Confluence, the threat extends to all SaaS applications where repositories exist for bad actors to carry out the collection phase of an attack. In fact, the danger lurks in Salesforce, Box, Slack, and any of the other widely-used or highly specialized SaaS applications. Our experience tells us that the danger of the Data from Information Repositories tactic is vast and not feasibly managed just by relying on the security features of individual SaaS applications.

That’s why we created DoControl – to provide organizations a comprehensive view of their SaaS applications and the risks they pose by exposing data, and to allow security teams to effectively monitor and remediate those threats. We invite you to get in touch with us to learn more about how we can help your organization guard against this threat and others.

Related Posts