Data from Information Repositories

From enterprise
Jump to: navigation, search
Data from Information Repositories
Technique
ID T1213
Tactic Collection
Platform Linux, Windows, macOS
Permissions Required User
Data Sources Application Logs, Authentication logs, Data loss prevention, Third-party application logs
Contributors Milos Stojadinovic

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

  • Policies, procedures, and standards
  • Physical / logical network diagrams
  • System architecture diagrams
  • Technical system documentation
  • Testing / development credentials
  • Work / project schedules
  • Source code snippets
  • Links to network shares and other internal resources

Common information repositories:

Microsoft SharePoint

Found in many enterprise networks and often used to store and share significant amounts of documentation.

Atlassian Confluence

Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation.

Examples

  • APT28 has collected information from Microsoft SharePoint services within target networks.1
  • spwebmember is used to enumerate and dump information from Microsoft SharePoint.2

Mitigation

To mitigate adversary access to information repositories for collection:

  • Develop and publish policies that define acceptable information to be stored
  • Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization
  • Enforce the principle of least-privilege
  • Periodic privilege review of accounts
  • Mitigate access to Valid Accounts that may be used to access repositories

Detection

As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.

The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents.3 The user user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.4 Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.