In last week’s post, we took a look at how attackers move laterally. They do this to get to their goals and to better entrench themselves. Whether the adversary is an APT or a special forces unit, gathering information is critical to the success of any mission. If there are exceptions, they’re probably limited to bombardments (in physical warfare) or Denial of Service (DoS) attacks (in cyber). It’s tough to have long-lasting effects without going further than those brute-force attacks. The information may be the end goal, or it may be essential to achieving it. The next MITRE ATT&CK tactic is Collection. Let’s look at how almost every adversary on the very diverse spectrum of threats needs it.

The Importance of Collection

Merriam-Webster’s Dictionary primarily defines a system as “a regularly interacting or interdependent group of items forming a unified whole.” Further down on the page is one that digs deeper: “an organized set of doctrines, ideas, or principles usually intended to explain the arrangement or working of a systematic whole.” Information is essential to any system. You name a system, and I will bet that information defines or runs that system. Alliances or nation-states, terrorist organizations or cults, companies or organizations – all are systems, and all leave indelible marks – information that characterizes them, defines them, or keeps them running.

As we shift to thinking about potential targets in the modern era, it goes beyond even that. In the “Information Age,” a vast majority of “shareholder value” is delivered by collecting and processing data. Healthcare or services organizations rely on information to function. Manufacturers use information to guide production and manage logistics. Military organizations leverage information to guide all decisions. Information is the lifeblood of any system. MITRE designed the ATT&CK Collection tactic to focus on this key area of any attack chain.

Collection at war

During conflict, forces continually collect things of value. Sometimes intelligence informs decisions during the operation: intelligence gathering reveals the locations of strengths or weaknesses, prisoners, caches of weapons, or the like. Sometimes, the collection is the point of the entire operation. While information makes up a good part of that, it may also be property that is the focus. In traditional warfare, both sides take whatever they can get.

Fighting an Enigma

Nazi Germany’s early domination in World War II was due in no small part to their mastery of electromechanical cryptography. With a highly centralized command structure, they depended on high-speed communications protected by algorithms provided by devices like the famous Enigma machine. Radio transmissions of the time were easy to intercept, so this layer was essential to keeping the Allies in the dark.

The Allies managed, however, to accumulate enough cryptographic material (cipher sets and plugboard settings), design documentation, and even Polish counterfeit machines. Some of these were turned over by resistance forces, others were captured during the Allied invasion of North Africa. Informed by insights provided by Polish mathematicians, the Allies were able to break Enigma’s codes, listen in on German traffic, and make decisions that no doubt altered the course of history.

Picture of German soldiers using a radio and an Enigma Machine
German forces depended on Enigma machines to encode and decode secret messages transmitted over the radio during World War II. The Enigma machine is on the left. (Photo courtesy of Helge Fykse, Norway)

Throughout their collection of German cryptographic material, the Allies issued requests to friendly forces seeking these materials. When sympathetic citizens in occupied areas happened upon these valuable assets or forces captured them, every effort was made to protect the loot and prevent its capture from becoming known to German forces. The value of the collection depended on the loss of these cryptographic treasures staying secret. If the Germans had realized their precious machines were compromised, the value to the Allies would have been nullified: they would have switched schemes, obscured their communications, and rendered Allied efforts pointless.

Collection in modern cyberspace

These same exact principles apply in the cyber realm. Attackers will collect information for many purposes. For the sake of our future dialog, we’ll assume a couple of things. If it happens outside of and before the active operation, it is Reconnaissance. If it is collected while actively inside victim systems and used to further the attacker’s operation, it is Discovery. Either of those may provide information that can inform Credential Access. When we talk about the ATT&CK definition of Collection, it is the process of gathering any information during the active phases of an operation that either furthers the op (Discovery & Credential Access) or has intrinsic value to the victim, the market, or both. We’ve covered how the operationally significant data impacts victims, but what about the rest?

That information could be financial (banking information, credit card data, balances). This data is useful in either embarrassing the victim or allowing a malicious actor to abuse them. Healthcare data, intellectual property, diplomatic or legal information – all of these are ripe for harvest and bring value on the dark web’s markets. Some data may be useful in both the operation and on the market. Databases storing credentials or PII can help inform following techniques and be sold or marketed by initial access brokers. When targeting individuals for blackmail, attackers gather audio or video recordings or photos of that target in compromising situations.

The current trend in breaches is the double extortion game. Early ransomware aimed to encrypt files to render them useless. Recent reports point toward attackers depriving the rightful owners of access while simultaneously holding that data over the victim’s head, threatening to release or sell the information should ransom demands not be met.

Collection: the art of quietly accumulating anything of value

The MITRE ATT&CK entry for Collection (TA0009) lists 17 techniques and 20 subtechniques. These cover a lot of methods for gleaning information. These many techniques vary most by the types of information they hope to collect.

It’s not personal, or maybe it is?

These ATT&CK collection techniques lean more toward gaining information that could be used post-breach to embarrass, compromise, or otherwise disadvantage the victim. Due to the very personal nature of these techniques, they tend to be used against individuals and are combined with social engineering to play on fear, stress, and desperation. Extortion or blackmail information may be gathered through many of these methods, but Audio Capture (T1123) and Video Capture (T1125) are primarily focused on this use case.

Useful in both furthering objectives and ransom scenarios

Screen Capture (T1113) can be useful in ransom/extortion scenarios, but it also offers a means to steal credentials, sensitive business data, or other corporate information. Input Capture (T1056) and Email Collection (T1114) are likewise multi-use techniques, feeding future operations and generating ransom fodder. Clipboard Data (T1115) takes advantage of user habits, where typical behavior sees a lot of cutting and pasting of credentials and PII.

Further from the user’s own actions, Data from Cloud Storage (T1530), Removable Media (T1025), Local System (T1005), and Network Shared Drive (T1039) are all potential treasure troves that could offer both operationally significant data and embarrassing or sensitive information. Data from Information Repositories (T1213) or Configuration Repositories (T1602) tend to be more focused on corporate information, but that data may assist in pushing deeper into the target environment while boosting the value on dark web clearing houses.

Data in motion is also up for grabs. Adversary-in-the-Middle (T1557) sees attackers intercepting data to pull it “off the wire”, hoping the victim is none the wiser. Browser Session Hijacking (T1185) goes right to the client and allows not just interception, but potential poisoning of data or extended access to applications while posing as the legitimate user.

Getting organized

A number of the techniques in the ATT&CK Collection tactic are focused not on capturing the information, but on processing or moving it for later use. Archive Collected Data (T1560) prepares the data for efficient exfiltration, and may involve compression, archival, or encryption. This may happen in concert with staging that information at collection points, as described by the Data Staged (T1074) technique. Some tools use Automated Collection (T1119): key loggers and CLI parsers can pattern match to pull useful data for adversaries to look into later.

IcedID uses a robust attack chain, including very methodical Collection techniques to harvest information. Here they are searching paths and looking for useful data to collect for future exfiltration (from The DFIR Report’s awesome reporting).

How can we mitigate Collection?

The ATT&CK Collection techniques often come in groups. Pulling the information in the first place is only part of the tactic. The adversary must also get it somewhere they can exfiltrate it from or access it to assess its value. It may be impossible to prevent some of these techniques due to use of system LOLBins, but detection will be dependent on a mix of behavioral analytics and firm understanding of what ‘normal’ is for your environments.

Suggestions

Here are some things to focus on:

  • User Training and Awareness – as with many of the prior tactics, your users are the first line of defense. They are very capable detectors – train them to recognize strange behaviors and use common sense while operating.
  • Segmentation of all types guards against putting all eggs in one basket. Breaches happen – ensure they do not include all data in one fell swoop. Create friction, and that will improve detectability as adversaries will make more noise.
  • Harden Systems and turn off unused or lower-security protocols. Many sniffing and AiTM techniques take advantage of services that have no place in a modern environment. Shut them down!
  • Access Control and Privilege Management – by ensuring need to know and evaluating posture before allowing access, you reduce risk of all-out compromise tremendously.
  • Encryption isn’t infallible, but done right it renders the stealing of information useless for now. Even better, look for ways to implement quantum resistant methods so as to avoid exposure later, when adversaries can apply quantum computing to your locked secrets.
  • Behavioral analytics – establishing a baseline and monitoring for strange behaviors addresses future attacks, even when signatures don’t yet exist. Data hoarding alerts, collection events, and strange interactions between usually unrelated entities will tip you off.
  • Log and audit – access to any sensitive data, files, or systems should be readily auditable. It isn’t exciting, but it is immensely helpful.
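One way to turn the baseline-and-anomaly idea from the behavioral analytics and audit suggestions into a concrete check, while also watching for the archiving and staging behaviour described under T1560 and T1074, as an added example that is not part of the original post. The event format, per-user baselines, staging directories and thresholds are all assumptions, and the events themselves are constructed.

```python
"""Constructed example: data-hoarding and staging detection over audit-style file events.
Baselines, thresholds, staging directories and the event format are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, action, path). Not real telemetry.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "read", r"\\fs01\finance\q1.xlsx"),
    ("2024-05-01T10:30:00", "alice", "read", r"\\fs01\finance\q2.xlsx"),
] + [
    # bob reads 25 distinct HR files in under three minutes, then archives into a staging dir
    (f"2024-05-01T14:{i // 10:02d}:{(i % 10) * 6:02d}", "bob", "read", rf"\\fs01\hr\employee_{i}.csv")
    for i in range(25)
] + [("2024-05-01T14:03:00", "bob", "create", r"C:\Users\Public\stage\hr-export.7z")]

# Assumed baseline: distinct files each user normally touches per hour (learned from history in practice).
BASELINE_FILES_PER_HOUR = {"alice": 10, "bob": 5}
HOARD_MULTIPLIER = 4                      # alert when a window exceeds 4x the user's baseline
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "/tmp/")   # assumed watch list
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz")


def hoarding_alerts(events, baseline, window=timedelta(hours=1), multiplier=HOARD_MULTIPLIER):
    """Sliding window per user: flag when distinct files read in any window exceed the baseline."""
    reads = defaultdict(list)
    for ts, user, action, path in events:
        if action == "read":
            reads[user].append((datetime.fromisoformat(ts), path.lower()))
    alerts = {}
    for user, items in reads.items():
        items.sort()
        limit = multiplier * baseline.get(user, 1)
        in_window, start = Counter(), 0
        for t, path in items:
            in_window[path] += 1
            while items[start][0] < t - window:          # evict reads older than the window
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > limit:
                alerts[user] = max(alerts.get(user, 0), len(in_window))
    return alerts


def staging_alerts(events, dirs=STAGING_DIRS, exts=ARCHIVE_EXTS):
    """Flag archive files created in world-writable or commonly abused staging directories."""
    return [(user, path) for _, user, action, path in events
            if action == "create" and path.lower().endswith(exts) and path.lower().startswith(dirs)]
```

Correlating the two signals for the same user inside a short time span is what makes the alert actionable; either one alone is noisy on a busy file server.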

Conclusion

Adversaries know that collection only really helps if they can get away with it. Prevention sure would be nice for a defender, but detection can allow disruption and corrective action before the adversary can take advantage of their newfound loot. The Allies’ efforts to break Enigma only worked because they were able to collect and exfiltrate the needed information without detection. More importantly, Alan Turing was able to lead a team to build a first-of-its-kind computer to break it, feed that information to British and American Intelligence, and impact the war. If the Germans had had good auditing, segmentation, and access control or PAM, the Allies would have had a different outcome, and we may have been subjected to The Man in the High Castle as an alternate outcome.

Don’t let your adversary have so much time with your data that they can get away with reverse engineering your entire mission critical applications, folks. Alan Turing did exactly that, and it changed everything!

We should strive to detect more, and to do so earlier. That affords us more options and less urgency, and if we buy additional time by encrypting our information, we stand a chance of avoiding real impact.

I hope this ATT&CK Collection entry in the series has been helpful – thank you for reading and feel free to comment below!