Description
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
- Policies, procedures, and standards
- Physical / logical network diagrams
- System architecture diagrams
- Technical system documentation
- Testing / development credentials (i.e., Unsecured Credentials)
- Work / project schedules
- Source code snippets
- Links to network shares and other internal resources
- Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
- Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases
- Collaboration platforms such as SharePoint, Confluence, and code repositories
- Messaging platforms such as Slack and Microsoft Teams
In some cases, information repositories have been improperly secured, typically by unintentionally allowing overly broad access to all authenticated users or even public access to unauthenticated users. This is particularly common with cloud-hosted or cloud-native services such as AWS Relational Database Service (RDS), Redis, or Elasticsearch.(Citation: Mitiga)(Citation: TrendMicro Exposed Redis 2020)(Citation: Cybernews Reuters Leak 2022)
Sub-Techniques (6)
- Confluence
- T1213.002 Sharepoint
- T1213.003 Code Repositories
- T1213.004 Customer Relationship Management Software
- T1213.005 Messaging Applications
- T1213.006 Databases
Mitigations (7)
Multi-factor Authentication (M1032)
Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.
Out-of-Band Communications Channel (M1060)
Create plans for leveraging a secure out-of-band communications channel, rather than existing in-network chat applications, in case of a security incident.(Citation: TrustedSec OOB Communications)
User Training (M1017)
Develop and publish policies that define acceptable information to be stored in repositories.
Software Configuration (M1054)
Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.
User Account Management (M1018)
Enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization.
Audit (M1047)
Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.(Citation: AWS DB VPC)
Encrypt Sensitive Information (M1041)
Encrypt data stored at rest in databases.
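As an added example (not code from the ATT&CK page or from any of its cited sources), the following Python audit evaluates the two exposures the Description and the Audit mitigation describe: RDS snapshots whose restore attribute is shared with everyone, and security groups that open a database, Redis or Elasticsearch port to a broad source range. The input dicts follow the shapes returned by boto3's rds.describe_db_snapshot_attributes() and ec2.describe_security_groups(); the snapshot names, group IDs, account ID and the "broad prefix" threshold are constructed assumptions, and a live run would feed in the real API responses instead.

```python
"""Audit cloud-hosted data stores for unintended public exposure (added example).

Inputs mirror boto3 response shapes:
  rds.describe_db_snapshot_attributes() -> {"DBSnapshotAttributesResult": {...}}
  ec2.describe_security_groups()["SecurityGroups"] -> [{"GroupId": ..., "IpPermissions": [...]}]
All sample data below is constructed for illustration, not taken from a real account.
"""
import ipaddress
from typing import Dict, Iterable, List

# TCP ports of the repository types named in the technique description.
DATASTORE_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql",
                   6379: "redis", 9200: "elasticsearch"}

# Assumption: a source prefix of /8 or shorter is "overly broad" for a data store.
MAX_BROAD_PREFIX = 8


def public_snapshots(attr_results: Iterable[Dict]) -> List[str]:
    """Identifiers of RDS snapshots whose 'restore' attribute contains 'all'.

    'all' makes a manual snapshot restorable by any AWS account; explicit account
    IDs in the same list are cross-account shares and are not reported here.
    """
    exposed = []
    for result in attr_results:
        res = result["DBSnapshotAttributesResult"]
        for attr in res.get("DBSnapshotAttributes", []):
            if attr["AttributeName"] == "restore" and "all" in attr.get("AttributeValues", []):
                exposed.append(res["DBSnapshotIdentifier"])
    return exposed


def _is_broad(cidr: str) -> bool:
    # 0.0.0.0/0 and ::/0 both have prefix length 0, so they are always broad.
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= MAX_BROAD_PREFIX


def open_ingress(groups: Iterable[Dict]) -> List[Dict]:
    """Every (group, port, engine, cidr) where a datastore port accepts a broad source."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                  # all protocols: every port is in range
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, engine in DATASTORE_PORTS.items():
                if lo <= port <= hi:
                    for cidr in sources:
                        if _is_broad(cidr):
                            findings.append({"group": group["GroupId"], "port": port,
                                             "engine": engine, "cidr": cidr})
    return findings


# Constructed sample data (not real snapshots, accounts or security groups).
SAMPLE_SNAPSHOT_ATTRS = [
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-customers-2024",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-customers-2023",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "dev-scratch",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
]

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0db00001", "IpPermissions": [          # Postgres open to the world, v4 and v6
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0db00002", "IpPermissions": [          # Postgres from one VPC range only
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ca00003", "IpPermissions": [          # all protocols from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for snap in public_snapshots(SAMPLE_SNAPSHOT_ATTRS):
        print(f"PUBLIC SNAPSHOT: {snap}")
    for f in open_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"OPEN {f['engine']}:{f['port']} in {f['group']} from {f['cidr']}")
```

The protocol "-1" case matters in practice: an "allow all" rule never mentions port 5432 or 6379 explicitly, so a check that only greps for those port numbers misses it.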
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has collected files from various information repositories.(Citation: Cybersecurity Advisory GRU Brute F... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1148 | Raccoon Stealer | Malware | [Raccoon Stealer](https://attack.mitre.org/software/S1148) gathers information from repositories associated with cryptocurrency wallets and the Telegr... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) gathers information from the Government Public Key Infrastructure (GPKI) folder, associated w... |
References
- Ariel Szarf, Doron Karmi, and Lionel Saposnik. (n.d.). Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots. Retrieved September 24, 2024.
- Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
- David Fiser and Jaromir Horejsi. (2020, April 21). Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining. Retrieved September 25, 2024.
- Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.
- Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.
- Vilius Petkauskas. (2022, November 3). Thomson Reuters collected and leaked at least 3TB of sensitive data. Retrieved September 25, 2024.
Frequently Asked Questions
What is T1213 (Data from Information Repositories)?
T1213 is a MITRE ATT&CK technique named 'Data from Information Repositories' in the Collection tactic. Adversaries leverage information repositories (collaboration platforms, databases, code repositories, and messaging tools) to mine information that supports further objectives or is itself the target; see the Description above.
How can T1213 be detected?
Detection of T1213 (Data from Information Repositories) centres on the repositories' own access logs rather than on endpoint telemetry alone: enable user access logging in Confluence and audit settings and sharing events in SharePoint (see the Atlassian and Microsoft references above), and review who accesses what. Alert on a single account retrieving an unusually large number of documents in a short period, on access from accounts that have no business need for the repository (privileged accounts in particular), and on sharing that creates anonymous links or invites recipients outside the organization. For cloud-hosted databases, query logs and changes to snapshot-sharing attributes complement this.
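Added example, not from the page or from Microsoft: a small detector in Python run over constructed SharePoint audit records, looking for the two behaviours the Description calls out, mass retrieval of documents from a repository and sharing of documents with recipients outside the organization. Field and operation names (CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName, FileDownloaded, SharingInvitationCreated, AnonymousLinkCreated, SecureLinkCreated) follow the Office 365 unified audit log's SharePoint events referenced in the Sharepoint Sharing Events entry above; the records, the internal domain corp.example, the site URL, and the thresholds are assumptions to be tuned per environment.

```python
"""Detect bulk downloads and external sharing in SharePoint audit records (added example).

Records use field names from the Office 365 unified audit log's SharePoint events
(CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName). Every record
below is constructed, and thresholds and domains are assumptions to tune.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organization's own mail domains
DOWNLOAD_THRESHOLD = 25                      # assumption: downloads per user per window
WINDOW = timedelta(minutes=10)
SHARING_OPS = {"SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated"}
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_log(text: str) -> List[Dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def bulk_downloads(records: Iterable[Dict]) -> List[Dict]:
    """Alert once per user whose FileDownloaded count within WINDOW reaches the threshold."""
    recent = defaultdict(deque)        # user -> download timestamps still inside the window
    alerted, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):   # ISO timestamps sort lexically
        if rec["Operation"] != "FileDownloaded":
            continue
        user, now = rec["UserId"], datetime.strptime(rec["CreationTime"], TS_FMT)
        q = recent[user]
        q.append(now)
        while now - q[0] > WINDOW:     # drop downloads older than the window
            q.popleft()
        if len(q) >= DOWNLOAD_THRESHOLD and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "window_end": rec["CreationTime"]})
    return alerts


def external_shares(records: Iterable[Dict]) -> List[Dict]:
    """Sharing events that reach outside the organization: anonymous links or foreign-domain recipients."""
    findings = []
    for rec in records:
        if rec["Operation"] not in SHARING_OPS:
            continue
        target = rec.get("TargetUserOrGroupName", "")
        if rec["Operation"] == "AnonymousLinkCreated":
            reason = "anonymous link"
        elif "@" in target and target.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            reason = "external recipient"
        else:
            continue                   # internal recipient or a group without a mail domain
        findings.append({"user": rec["UserId"], "object": rec["ObjectId"],
                         "target": target, "reason": reason})
    return findings


def _build_sample() -> str:
    """Constructed audit log: one burst, one slow drip, and three sharing events."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)

    def rec(secs, user, op, obj, target=None):
        r = {"CreationTime": (t0 + timedelta(seconds=secs)).strftime(TS_FMT),
             "UserId": user, "Operation": op, "ObjectId": obj}
        if target is not None:
            r["TargetUserOrGroupName"] = target
        return r

    site = "https://corp-example.sharepoint.example/sites/finance/Shared Documents/"
    # alice: 30 downloads 10 s apart (burst); frank: 30 downloads 2 min apart (never 25 in 10 min)
    recs = [rec(10 * i, "alice@corp.example", "FileDownloaded", f"{site}q{i}.xlsx") for i in range(30)]
    recs += [rec(120 * i, "frank@corp.example", "FileDownloaded", f"{site}r{i}.docx") for i in range(30)]
    recs += [rec(5, "carol@corp.example", "SharingInvitationCreated", f"{site}budget.xlsx", "partner@vendor.example"),
             rec(6, "dave@corp.example", "SharingInvitationCreated", f"{site}plan.docx", "dave2@corp.example"),
             rec(7, "eve@corp.example", "AnonymousLinkCreated", f"{site}payroll.xlsx", "")]
    return "\n".join(json.dumps(r) for r in recs)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for a in bulk_downloads(records):
        print(f"BULK DOWNLOAD: {a['user']} fetched {a['count']} files by {a['window_end']}")
    for f in external_shares(records):
        print(f"EXTERNAL SHARE ({f['reason']}): {f['user']} -> {f['target'] or 'anyone'}: {f['object']}")
```

The sliding window is what separates a collection burst from normal daily use: frank's thirty downloads over an hour never put more than six inside any ten-minute window, so only alice's burst fires. In production the thresholds would be set from a baseline of each repository's normal access volume.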
What mitigations exist for T1213?
There are 7 documented mitigations for T1213. Key mitigations include: Multi-factor Authentication, Out-of-Band Communications Channel, User Training, Software Configuration, User Account Management.
Which threat groups use T1213?
Known threat groups using T1213 include: APT28.