Collection
What is "Collection"?
The "Collection" category encompasses techniques that adversaries may use to gather information (such as data or credentials) that can be used to achieve their objectives within a target network. This information can be anything from confidential business documents to user credentials or system configurations.
How is "Collection" Implemented?
- Data from Local System: Adversaries may collect data stored locally on a device. Techniques include searching for specific file types, scraping memory for credentials, or accessing recently used documents.
- Data from Removable Media: Involves collecting information from external storage devices connected to the system, such as USB drives or external hard drives.
- Data from Network Shared Drive: Adversaries might search through and extract data from network shares accessible from compromised systems.
- Email Collection: This includes methods for accessing and extracting emails stored on servers or in client applications.
- Automated Collection: Use of scripts or automated tools to systematically gather data of interest from various sources within the victim environment.
- Input Capture: Techniques such as keylogging or capturing input via web forms to collect sensitive user inputs directly.
- Clipboard Data: Collecting data saved to the clipboard, which can contain sensitive information if the user has copied passwords, configuration details, etc.
- Screen Capture: Capturing screenshots of a user's desktop can provide current operational insights into user activities and potentially expose sensitive data displayed on the screen.
- Audio Capture: Involves recording audio from devices' microphones to eavesdrop on confidential meetings or capture voice authentication details.
- Video Capture: Similar to audio capture but involves video recording, potentially capturing details about the environment, identity badges, or other sensitive visual information.
Where Does "Collection" Occur?
Collection generally occurs after an adversary has established a foothold within a system (Initial Access) and has successfully performed actions such as Execution, Persistence, Privilege Escalation, and Defense Evasion. The specific targets for collection are usually identified during the Reconnaissance phase, and collection is carried out in the environments where sensitive data resides: typically secured segments of corporate networks, cloud environments, personal devices of high-profile users, and critical servers.
Why is "Collection" Significant?
- Objective Fulfillment: Collection is crucial as it directly ties into fulfilling an adversary's primary objectives such as espionage, financial gain, or sabotage.
- Data Sensitivity Awareness: Understanding what adversaries are likely to target helps in prioritizing defense mechanisms around more critical assets.
- Tailored Defense Strategies: By knowing how adversaries collect data, organizations can implement specific security measures, such as restricting access to important files, monitoring unusual access patterns on network shares, and employing robust endpoint detection solutions that alert on suspicious process behaviors indicative of memory scraping or keylogging.
- Regulatory Compliance and Data Protection: Ensuring that effective controls are in place to prevent unauthorized data collection helps organizations comply with privacy laws and regulations such as GDPR or HIPAA, which mandate stringent handling and protection of personal data.
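As an added illustration of the share-monitoring control described above (this is example code, not part of the page), the following script scans a constructed and simplified share-access audit format with assumed thresholds and flags any account that reads an unusual number of distinct files or directories within a short window, the pattern that Data from Network Shared Drive and Automated Collection tend to leave behind:

```python
"""Flag bulk read activity on a network share (possible data collection).
Added example, not from the page. Audit line format is constructed:
"<ISO timestamp> <account> <share> <relative path>"; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_FILES = 20                 # assumed distinct-file threshold per window
MAX_DIRS = 4                   # assumed distinct-directory threshold per window

def parse_line(line):
    """Split one audit record into (timestamp, account, full path)."""
    ts, user, share, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, share + "/" + path

def find_bulk_readers(lines, window=WINDOW, max_files=MAX_FILES, max_dirs=MAX_DIRS):
    """Return {account: (files, dirs)} for accounts touching at least max_files
    distinct files or max_dirs distinct directories within any window."""
    per_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, user, path = parse_line(line)
            per_user[user].append((ts, path))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            files = {p for _, p in events[start:end + 1]}
            dirs = {p.rsplit("/", 1)[0] for p in files}
            if len(files) >= max_files or len(dirs) >= max_dirs:
                # Keep the widest sweep seen for this account.
                alerts[user] = max(alerts.get(user, (0, 0)), (len(files), len(dirs)))
    return alerts

def sample_log():
    """Constructed records: alice opens 3 files in one folder; bob sweeps 25 across 6."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} alice //fs01/finance"
             f" q1/report{i}.xlsx" for i in range(3)]
    lines += [f"{(base + timedelta(seconds=2 * i)).isoformat()} bob //fs01/finance"
              f" dept{i % 6}/doc{i}.docx" for i in range(25)]
    return lines

if __name__ == "__main__":
    for account, (n_files, n_dirs) in find_bulk_readers(sample_log()).items():
        print(f"ALERT {account}: {n_files} files across {n_dirs} directories")
```

In a real deployment the thresholds should be baselined per share and per role, since backup agents and indexers legitimately sweep whole trees and need their own allow-list.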
In conclusion, understanding each aspect of the Collection category within the MITRE ATT&CK framework helps cybersecurity professionals craft defenses that are not only reactive but also proactive against threats targeting sensitive organizational assets.