ATTACK-T1114.001Active

Local Email Collection

Statement

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)

Location

Tactic: Collection

Technique Details

Identifier: ATTACK-T1114.001
Parent Technique: ATTACK-T1114
ATT&CK Page: View on MITRE

Tactics

Collection

Platforms

Windows

Detection

Detect Local Email Collection via Outlook Data File Access and Command Line Tooling

Mitigations

Out-of-Band Communications Channel: Establish secure out-of-band communication channels to ensure the continuity of critical communications during security incidents, data integrity attacks, or in-network communication failures. Out-of-band communication refers to using an alternative, separate communication path that is not dependent on the potentially compromised primary network infrastructure. This method can include secure messaging apps, encrypted phone lines, satellite communications, or dedicated emergency communication systems. Leveraging these alternative channels reduces the risk of adversaries intercepting, disrupting, or tampering with sensitive communications and helps coordinate an effective incident response.(Citation: TrustedSec OOB Communications)(Citation: NIST Special Publication 800-53 Revision 5)

Encrypt Sensitive Information: Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

EquivalentPartialRelated

SP 800-53

SP800-53-AC-16relatedvia ctid-attack-to-sp800-53

SP800-53-AC-17relatedvia ctid-attack-to-sp800-53

SP800-53-AC-19relatedvia ctid-attack-to-sp800-53

SP800-53-AC-20relatedvia ctid-attack-to-sp800-53

SP800-53-AC-4relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Collection

Encrypt Data at Rest:

Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Local Email Collection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings8

Local Email Collection

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings8