Data Exfiltration Through Tampered Metrics

CCC.Monitor.TH05

If a malicious actor is able to make changes to the metrics being collected, they could use this to encrypt and/or compress sensitive data and bypass controls preventing exfiltration. The data can then be staged in the monitoring system and exfiltrated in bulk at a later point in time.

Related Capabilities

| ID | Title | Description |
|----|-------|-------------|
| CCC.Monitoring.CP01 | CCC.Monitoring.CP01 | |
| CCC.Monitoring.CP11 | CCC.Monitoring.CP11 | |

Related Controls

| ID | Title | Description |
|----|-------|-------------|
| CCC.Monitor.CN06 | Metrics pushed for authorised services only | Use IAM to control which types of metrics or traces can be pushed by different systems, to avoid a compromised system pushing fabricated metrics about a different service |
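
The check that CCC.Monitor.CN06 describes, sketched at a metrics ingest point as an added example that is not part of the catalog. The principal names, metric names, label keys and thresholds are constructed assumptions, and the entropy test on label values is an added heuristic for spotting encrypted or compressed data staged in metrics, not something the control itself specifies.

```python
import math
from collections import Counter

# Constructed policy (assumption): metric names and label keys each pushing identity may emit.
ALLOWED = {
    "svc-checkout": {"names": {"checkout_requests_total", "checkout_latency_ms"},
                     "label_keys": {"region", "status"}},
    "svc-search": {"names": {"search_queries_total"}, "label_keys": {"region"}},
}
MAX_LABEL_LEN = 64        # assumed ceiling for a legitimate label value
MAX_ENTROPY_BITS = 4.0    # assumed threshold, bits per character


def shannon_entropy(text):
    """Bits per character; encoded ciphertext or compressed data scores high."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def check_sample(principal, name, labels):
    """Return the reasons to reject a pushed sample (empty list means accept)."""
    policy = ALLOWED.get(principal)
    if policy is None:
        return ["unknown principal"]
    reasons = []
    if name not in policy["names"]:
        reasons.append(f"metric {name!r} not authorised for {principal}")
    for key, value in labels.items():
        if key not in policy["label_keys"]:
            reasons.append(f"label key {key!r} not authorised")
        elif len(value) > MAX_LABEL_LEN:
            reasons.append(f"label {key!r} too long ({len(value)} chars)")
        elif len(value) >= 16 and shannon_entropy(value) > MAX_ENTROPY_BITS:
            reasons.append(f"label {key!r} looks like encoded data")
    return reasons


# Constructed samples as they might arrive at the ingest endpoint.
SAMPLES = [
    ("svc-checkout", "checkout_requests_total", {"region": "eu-west-1", "status": "200"}),
    ("svc-search", "checkout_requests_total", {"region": "eu-west-1"}),
    ("svc-checkout", "checkout_latency_ms", {"region": "k9Xq2LmZ7pVbT4RwYc8NfHs1JdA6GuEo"}),
]

if __name__ == "__main__":
    for principal, name, labels in SAMPLES:
        print(principal, name, check_sample(principal, name, labels) or "accepted")
```

Rejected samples are worth logging with the pushing identity, since a service emitting metrics about another service or labels that look like encoded data is a signal for the staging behaviour this threat describes.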

External Mappings

| Framework | ID | Remarks |
|-----------|----|---------|
| MITRE-ATT&CK | T1560 | Archive Collected Data |
| MITRE-ATT&CK | T1074 | Data Staged |
| MITRE-ATT&CK | T1567 | Exfiltration Over Web Service |