Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
* Policies, procedures, and standards
* Physical / logical network diagrams
* System architecture diagrams
* Technical system documentation
* Testing / development credentials
* Work / project schedules
* Source code snippets
* Links to network shares and other internal resources
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as
Sharepoint [MITRE]
and
Confluence [MITRE]
, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to authenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.
Detection
As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource. (Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
| ID |
Data Source |
Data Component |
Description |
|
DS0028
|
Logon Session
|
Logon Session Creation
|
Monitor for newly constructed logon behavior within Microsoft’s SharePoint can be configured to report access to certain pages and documents. SharePoint audit logging can also be configured to report when a user shares a resource. The user access logging within Altassian’s Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. In AWS environments, GuardDuty can be configured to report suspicious login activity in RDS. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.
|
Mitigation
| ID |
Mitigation |
Description |
|
M1047
|
Audit
|
Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.
|
References
|