Data from Information Repositories

Revision as of 16:56, 29 September 2020 by Jsteele (talk | contribs)
ID: T0811
Tactic: Collection
Data Sources: Application logs, Authentication logs, Data loss prevention, Third-party application logs
Asset: Control Server, Data Historian, Engineering Workstation, Human-Machine Interface

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.

Procedure Examples

  • Dragonfly 2.0 accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems including vendor names and ICS reference documents such as wiring diagrams and panel layouts. [1]
  • ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories. [2]
  • Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance. [3]
  • Flame has built-in modules to gather information from compromised computers. [4]
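The data sources listed for this technique (application logs, authentication logs) are where collection from a repository leaves traces: one account reading an unusually broad set of engineering documents in a short window. The following is an added detection example, not part of the ATT&CK for ICS page or any of the referenced reports; the file-server audit log format, the sample lines, the document extensions and the thresholds are all constructed assumptions and should be adapted to the repository actually in use.

```python
"""Flag accounts that read many distinct engineering documents from a
repository within a short time window. Added example; the log format,
sample lines and thresholds are assumptions, not a vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log line format (constructed for this example):
#   "<ISO-8601 timestamp> user=<account> op=<READ|WRITE> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$"
)

# Document types typical of control-system reference repositories (assumption)
ENGINEERING_EXTS = {".dwg", ".vsd", ".pdf", ".xlsx"}

# Constructed sample log: two engineers working normally, one service account
# sweeping drawings, I/O lists and HMI diagrams across two plants in seconds.
SAMPLE_LOG = """\
2020-09-29T08:00:01Z user=eng01 op=READ path=/eng/plant-a/wiring/panel-12.dwg
2020-09-29T08:03:10Z user=eng01 op=READ path=/eng/plant-a/wiring/panel-13.dwg
2020-09-29T09:15:00Z user=svc-backup op=READ path=/eng/plant-a/wiring/panel-12.dwg
2020-09-29T09:15:01Z user=svc-backup op=READ path=/eng/plant-a/wiring/panel-13.dwg
2020-09-29T09:15:02Z user=svc-backup op=READ path=/eng/plant-a/plc/io-list.xlsx
2020-09-29T09:15:03Z user=svc-backup op=READ path=/eng/plant-a/hmi/overview.vsd
2020-09-29T09:15:04Z user=svc-backup op=READ path=/eng/plant-a/docs/vendor-manual.pdf
2020-09-29T09:15:05Z user=svc-backup op=READ path=/eng/plant-b/wiring/panel-01.dwg
2020-09-29T09:40:00Z user=eng02 op=READ path=/eng/plant-a/docs/vendor-manual.pdf
2020-09-29T10:00:00Z user=eng02 op=WRITE path=/eng/plant-a/docs/notes.txt
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, op, path); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["op"], m["path"]))
    return events


def ext_of(path):
    """Lower-cased file extension including the dot, or '' if none."""
    i = path.rfind(".")
    return path[i:].lower() if i >= 0 else ""


def find_bulk_readers(events, window=timedelta(minutes=10), min_files=5):
    """Return {user: sorted distinct engineering paths read} for every user
    that READ at least `min_files` distinct engineering documents inside
    some `window`-long span. Users below the threshold are omitted."""
    per_user = defaultdict(list)
    for ts, user, op, path in sorted(events):
        if op == "READ" and ext_of(path) in ENGINEERING_EXTS:
            per_user[user].append((ts, path))

    flagged = {}
    for user, reads in per_user.items():
        start = 0
        for end in range(len(reads)):
            # slide the window start forward until it spans at most `window`
            while reads[end][0] - reads[start][0] > window:
                start += 1
            distinct = {p for _, p in reads[start:end + 1]}
            if len(distinct) >= min_files:
                # report everything this user touched, not just the window
                flagged[user] = sorted({p for _, p in reads})
                break
    return flagged


if __name__ == "__main__":
    for user, paths in find_bulk_readers(parse(SAMPLE_LOG)).items():
        print(f"{user}: {len(paths)} distinct engineering documents read")
        for p in paths:
            print("   ", p)
```

The sliding window keeps the rule cheap enough to run over a day of file-server logs, and the extension allow-list is what ties the alert to repositories of the kind this technique targets rather than to general file activity; tune `window` and `min_files` against a baseline of normal engineering work before deploying it.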

Mitigations

  • Encrypt Sensitive Information - Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. [5][6]
  • Privileged Account Management - Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. [6]
  • User Account Management - Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Configure user permissions, groups, and roles for access to cloud-based systems as well. Implement strict IAM controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.
  • User Training - Develop and publish policies that define acceptable information to be stored in repositories.
  • Audit - Consider periodic reviews of accounts and privileges for critical and sensitive repositories.
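The Privileged Account Management, User Account Management and Audit mitigations above all reduce to the same periodic check: compare who actually holds access to a sensitive repository against who is approved to hold it for their role. The following is an added example of such a review, not part of the ATT&CK for ICS page; the ACL export format, the account directory, the role matrix and the sample entries are all constructed assumptions standing in for whatever the organisation's file server and IAM system actually export.

```python
"""Periodic review of repository permissions against an approved role matrix.
Added example; the ACL entries, directory and role matrix are constructed
stand-ins for data exported from the organisation's own systems."""

# Assumption: the account directory exported from IAM (known accounts only).
DIRECTORY = {"eng01", "op01", "svc-backup", "contractor7"}

# Assumption: each account's assigned role; an account absent here has none.
ACCOUNT_ROLES = {
    "eng01": "controls-engineer",
    "op01": "operator",
    "svc-backup": "backup-service",
}

# Assumption: which repositories and permissions each role is approved for.
# A service account role with no repositories reflects the Privileged Account
# Management mitigation: service accounts get no direct repository access.
APPROVED_ROLES = {
    "controls-engineer": {
        "eng-drawings": {"READ", "WRITE"},
        "plc-programs": {"READ", "WRITE"},
    },
    "operator": {"hmi-screens": {"READ"}},
    "backup-service": {},
}

# Constructed ACL export: (account, repository, permission) triples.
ACL_EXPORT = [
    ("eng01", "eng-drawings", "READ"),
    ("eng01", "eng-drawings", "WRITE"),
    ("op01", "hmi-screens", "READ"),
    ("op01", "eng-drawings", "READ"),         # operator reading drawings
    ("svc-backup", "eng-drawings", "READ"),   # service account with direct access
    ("contractor7", "plc-programs", "WRITE"), # known account, no role assigned
    ("ghost", "eng-drawings", "READ"),        # account not in the directory
]


def audit_acl(acl, directory, account_roles, approved_roles):
    """Return a list of (account, repo, perm, reason) findings, one per ACL
    entry that is not justified by the account's role. Reasons are:
    'unknown account', 'no role assigned', or 'exceeds role <role>'."""
    findings = []
    for account, repo, perm in acl:
        if account not in directory:
            findings.append((account, repo, perm, "unknown account"))
            continue
        role = account_roles.get(account)
        if role is None:
            findings.append((account, repo, perm, "no role assigned"))
            continue
        allowed = approved_roles.get(role, {}).get(repo, set())
        if perm not in allowed:
            findings.append((account, repo, perm, f"exceeds role {role}"))
    return findings


def summarize(findings):
    """Count findings by reason so a reviewer can see which control is failing."""
    counts = {}
    for _, _, _, reason in findings:
        key = reason.split(" ")[0] if reason.startswith("exceeds") else reason
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit_acl(ACL_EXPORT, DIRECTORY, ACCOUNT_ROLES, APPROVED_ROLES)
    for account, repo, perm, reason in result:
        print(f"{account:12} {repo:14} {perm:6} {reason}")
    print(summarize(result))
```

Each finding maps back to a mitigation on this page: an unknown account or a missing role is a User Account Management gap, and a service account holding direct repository access is a Privileged Account Management gap; running the comparison on a schedule is the Audit mitigation itself.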