Adversaries may attempt to exfiltrate data over a USB-connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being copied to USB devices. |
| M1042 | Disable or Remove Feature or Program | |
| M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
| ID | Data Source | Data Component |
Monitor file access on removable media. Detect processes that execute when removable media are mounted.
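The two detections above can be expressed as a small correlation over endpoint telemetry. The following is an added example, not part of the original page: the event schema, field names, Windows-style drive letters and the 100 MB write threshold are all assumptions, and the sample events are constructed. It tracks which volumes are currently mounted as removable so that a drive letter reused later by a non-removable volume does not alert.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical normalized schema (not a real product's log format).
EVENTS = [
    {"ts": 100, "host": "ws1", "type": "volume_mount", "volume": "E:", "removable": True},
    {"ts": 105, "host": "ws1", "type": "process_start", "image": "E:\\tools\\sync.exe"},
    {"ts": 110, "host": "ws1", "type": "file_write", "path": "E:\\out\\a.zip", "process": "C:\\Windows\\explorer.exe", "bytes": 40_000_000},
    {"ts": 112, "host": "ws1", "type": "file_write", "path": "E:\\out\\b.zip", "process": "C:\\Windows\\explorer.exe", "bytes": 70_000_000},
    {"ts": 115, "host": "ws1", "type": "file_write", "path": "C:\\Users\\u\\notes.txt", "process": "C:\\Windows\\notepad.exe", "bytes": 2_000},
    {"ts": 120, "host": "ws1", "type": "volume_unmount", "volume": "E:"},
    {"ts": 130, "host": "ws1", "type": "volume_mount", "volume": "E:", "removable": False},
    {"ts": 135, "host": "ws1", "type": "file_write", "path": "E:\\share\\c.zip", "process": "C:\\Windows\\explorer.exe", "bytes": 90_000_000},
]

def volume_of(path):
    """Return the drive part of a Windows-style path, e.g. 'E:'."""
    return path[:2].upper()

def detect(events, write_threshold=100_000_000):
    """Return alerts for execution from, and bulk writes to, mounted removable media."""
    mounted = set()             # (host, volume) pairs currently mounted as removable
    written = defaultdict(int)  # (host, volume, process) -> bytes written this mount session
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host = e["host"]
        if e["type"] == "volume_mount":
            key = (host, e["volume"].upper())
            if e["removable"]:
                mounted.add(key)
            else:
                mounted.discard(key)  # drive letter now belongs to a non-removable volume
        elif e["type"] == "volume_unmount":
            key = (host, e["volume"].upper())
            mounted.discard(key)
            for k in [k for k in written if k[:2] == key]:
                del written[k]        # reset per-session byte counters
        elif e["type"] == "process_start" and (host, volume_of(e["image"])) in mounted:
            alerts.append(("exec_from_removable", host, e["image"]))
        elif e["type"] == "file_write" and (host, volume_of(e["path"])) in mounted:
            k = (host, volume_of(e["path"]), e["process"])
            before = written[k]
            written[k] += e["bytes"]
            if before < write_threshold <= written[k]:  # alert once, when the total crosses the threshold
                alerts.append(("bulk_write_to_removable", host, e["process"], written[k]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```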