T1020.001: Traffic Duplication
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device.
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.
Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.
Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Juniper: monitoring of events related to command execution where the command line input contains 'edit forwarding-options port-mirroring' or 'set port-mirror'.
— Cisco IOS: monitoring of events related to command execution where the command line input contains 'monitor session' or 'remote-span'.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
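As an added illustration (not the MaxPatrol SIEM rule itself and not code from this page), the keyword matching described above applied to constructed command-execution events; the pipe-delimited event format and the platform names are assumptions made for the example:

```python
import re
from typing import Dict, List

# Command-line substrings listed in the detection logic above:
# Juniper port-mirroring configuration and Cisco IOS SPAN/RSPAN commands.
MIRROR_PATTERNS = {
    "juniper": re.compile(r"edit forwarding-options port-mirroring|set port-mirror", re.IGNORECASE),
    "cisco_ios": re.compile(r"\bmonitor session\b|\bremote-span\b", re.IGNORECASE),
}

# Constructed sample events in a hypothetical "timestamp|host|platform|user|command" format.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z|core-rtr-1|cisco_ios|netops|show running-config",
    "2024-05-01T10:01:30Z|core-rtr-1|cisco_ios|netops|monitor session 1 source interface Gi0/1",
    "2024-05-01T10:01:45Z|core-rtr-1|cisco_ios|netops|monitor session 1 destination interface Gi0/24",
    "2024-05-01T10:05:00Z|edge-fw-2|juniper|svc-backup|set port-mirror input interface ge-0/0/1",
    "2024-05-01T10:06:00Z|dist-sw-3|cisco_ios|netops|vlan 900 remote-span",
    "2024-05-01T10:07:00Z|edge-fw-2|juniper|netops|show interfaces terse",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its fields (command may itself contain '|')."""
    ts, host, platform, user, command = line.split("|", 4)
    return {"timestamp": ts, "host": host, "platform": platform, "user": user, "command": command}


def detect_mirroring(events: List[str]) -> List[Dict[str, str]]:
    """Return the events whose command line matches a traffic-mirroring pattern for its platform."""
    hits = []
    for line in events:
        ev = parse_event(line)
        pattern = MIRROR_PATTERNS.get(ev["platform"])
        if pattern and pattern.search(ev["command"]):
            ev["technique"] = "T1020.001"  # tag the hit with the ATT&CK sub-technique ID
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect_mirroring(SAMPLE_EVENTS):
        print(f"[{hit['timestamp']}] {hit['host']} user={hit['user']} cmd={hit['command']!r}")
```

Matching on the command line alone flags legitimate monitoring setups as well, which is why the page notes the technique is confirmed only with expert review.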
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by abnormal or untrusted hosts.
DS0029 | Network Traffic: Network Traffic Flow | Monitor and analyze network flows associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider analyzing newly constructed network connections that are sent or received by untrusted hosts, unexpected hardware devices, or other uncommon data flows.
Mitigation
ID | Name | Description
---|---|---
M1018 | User Account Management | In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.
M1041 | Encrypt Sensitive Information | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.