Discovery
Data Gathering
Detection overview
The "Data Gathering" detection focuses on identifying activities that involve the collection and aggregation of information from within an organization's network. This activity can be a precursor to more severe attacks, as attackers often gather data to understand the environment, identify targets, and plan their next steps. Detecting data gathering is crucial to prevent potential data breaches, privilege escalation, and other malicious activities.
Triggers
- Pre-exfiltration behaviors have been observed on a host that has received abnormally high amounts of data from one or more hosts within a short period of time.
Possible Root Causes
- An attacker has pivoted to a host to use for dumping/staging data prior to exfiltrating, likely taking advantage of the trusted nature of this host to bypass security controls and evade detection.
- A malicious insider is collecting data they intend to steal from a position of trust.
- A user has joined a new team, changed organizational roles, or otherwise been given reason to significantly depart from their typical data access and retrieval activities.
- An application has been observed on an unusual or infrequent backup or update cycle.
Business Impact
- Failure to identify and respond to pre-exfiltration activities in an organization increases the likelihood of data loss.
- When successful, data exfiltration places an organization at the risk of the loss of intellectual property, financial data, or other regulated or sensitive data sources.
Steps to Verify
- Verify if the data gathered supports valid and authorized business activities.
- Investigate the host and associated accounts for other signs of compromise.
Data Gathering
Possible root causes
Malicious Detection
- An external attacker has gained initial access and is performing reconnaissance to gather information.
- Insider threat where an employee is collecting sensitive data for malicious purposes.
- Use of malware or automated tools designed to gather data from the network.
Benign Detection
- Legitimate administrative tasks involving data collection or backup.
- Security assessments or penetration tests involving data gathering activities.
- Business processes requiring the aggregation of information for analysis or reporting.
Data Gathering
Example scenarios
Scenario 1: An attacker who has gained access to the network starts querying Active Directory to gather information about users, groups, and computers. The detection is triggered by the high volume of directory service queries.
Scenario 2: An insider threat scenario where an employee uses automated scripts to collect sensitive customer data from various databases. The detection is triggered by the unusual volume and pattern of data access activities.
Data Gathering
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Breach
Unauthorized access to and potential exfiltration of sensitive information.
Privilege Escalation
Attackers can use gathered data to escalate privileges within the network.
Operational Disruption
Extensive data gathering can disrupt normal operations and impact system performance.
Data Gathering
Steps to investigate
Review Access Logs
- Check logs for patterns of unusual or high-volume access to sensitive files and databases.
- Identify the source IP addresses and user accounts involved in the data gathering activities.
Correlate with User Activity
- Verify if the data gathering activities are associated with legitimate business processes or administrative tasks.
- Check for recent changes in user behavior, access patterns, or account privileges.
Examine Tools and Scripts
- Look for the presence of known data gathering tools or scripts.
- Review any automated tasks or processes that may be causing the data gathering activities.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity associated with the same user or IP addresses.
- Verify if the detected activity is part of a scheduled security assessment or penetration test.
Data Gathering
MITRE ATT&CK techniques covered
FAQs
What is data gathering in the context of cybersecurity?
Data gathering involves the collection and aggregation of information from within an organization's network, often used by attackers for reconnaissance and planning further attacks.
How can I detect data gathering activities in my environment?
Monitor for unusual or high-volume access to sensitive files and databases, multiple queries to directory services, and network scans targeting various resources.
What are the common signs of data gathering activities?
Common signs include high-volume data access, multiple directory service queries, unusual file access patterns, and network scans.
Why is data gathering a significant threat?
Data gathering can lead to unauthorized access to sensitive information, privilege escalation, operational disruption, and compliance violations.
Can legitimate activities trigger the detection of data gathering?
Yes, legitimate administrative tasks, business processes, or security assessments can trigger this detection. It’s important to verify the context of the activity.
What steps should I take if I detect data gathering?
Investigate the source of the data gathering activity, verify if it was authorized, check for other signs of malicious activity, and secure sensitive data and systems.
How does Vectra AI detect data gathering activities?
Vectra AI uses advanced AI algorithms to analyze network traffic and access logs, identifying patterns indicative of data gathering and correlating these with other suspicious behaviors.
What tools can help verify the presence of data gathering?
Tools like network traffic analyzers, threat detection and response solutions, and specialized monitoring solutions can help identify and verify data gathering activities.
What is the business impact of data gathering?
The primary risks are data breaches, privilege escalation, operational disruptions, and compliance violations, which can lead to significant harm to the organization.
How can I prevent unauthorized data gathering?
Implement strong access controls, monitor data access and network traffic, use data loss prevention (DLP) tools, set up alerts for suspicious activity, and regularly audit data access and user activity.