- ID: IF002.005
- Created: 08th June 2024
- Updated: 09th June 2024
- Contributor: The ITM Team
Exfiltration via Physical Documents
A subject transports physical documents outside of the control of the organization.
Prevention
ID | Name | Description |
---|---|---|
PV014 | Disable Printing, Windows | Group Policy can be used to disable printing for specific user accounts. |
PV012 | End-User Security Awareness Training | Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others. |
PV016 | Enforce a Data Classification Policy | A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file. |
PV011 | Physical Access Controls | Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge. |
Detection
ID | Name | Description |
---|---|---|
DT033 | Closed-Circuit Television | CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file. |
DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers). Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
DT006 | Installed Printers via Registry | The Windows Registry stores information about installed printers and their configurations. The following registry keys can be useful to investigators: |
DT005 | Print Spooler Service | Spool files can typically be found in the print spooler's spool directory. A spool file with a .SPL extension is stored in the spool directory associated with the printer until the print job is completed; once the job has finished and printed successfully, the .SPL file is typically deleted. A job control language file with a .SHD extension is also stored in the spool directory during the print job's processing. Unlike the .SPL file, the .SHD file can sometimes persist longer, but it is generally deleted after the print job is completed or upon system cleanup. If the files are not present, it may be possible to use file carving techniques on a disk image to retrieve .SPL and .SHD files. Content and metadata analysis can be conducted to identify timestamps, document names, and user names. |
DT007 | Printed Documents via Event Logs | Windows logs print job activities to Event logs, containing information such as job creation, completion, errors, and adding or deleting printer devices. Relevant events include: Event ID 307 - A document was printed; Event ID 310 - A document failed to print; Event ID 701 - Printer status changed; Event ID 703 - Printer object added; Event ID 804 - Document resumed for printing; Event ID 805 - Printer driver was installed; Event ID 808 - Printer driver was installed; Event ID 843 - The print spooler failed to import the printer driver; Event ID 1000 - Document print started; Event ID 1001 - Document was printed; Event ID 1100 - Printer was added; Event ID 1101 - Printer was deleted; Event ID 1200 - Print spooler service started; Event ID 1201 - Print spooler service stopped. |
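The DT007 detection above becomes actionable once Event ID 307 ("A document was printed") records are parsed and triaged rather than read by hand. The Python below is an added example and is not part of this Insider Threat Matrix entry. It assumes the exported event XML layout of the Microsoft-Windows-PrintService/Operational channel, in which the 307 record's `UserData/DocumentPrinted` element carries `Param1` to `Param8` as job ID, document name, user, client machine, printer, port, size in bytes and page count; that layout, the thresholds, and the sample records are assumptions constructed for the example, not taken from the page. It flags bulk jobs, jobs outside business hours, document names carrying a classification marker (tying back to PV016), and users whose total page volume across the batch is high.

```python
"""Triage Windows PrintService Event ID 307 ("A document was printed") records.

Added example, not part of the ITM entry. Parses exported event XML, extracts
the print-job fields and flags jobs an analyst should look at. All records
below are constructed sample data, not real telemetry.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Namespaces used by exported Windows event XML (Clark notation for ElementTree).
NS_EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NS_PRN = "{http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events}"

# Tunable thresholds: assumed values for this example, adjust to the environment.
PAGE_THRESHOLD = 200          # pages in one job considered bulk printing
USER_PAGE_THRESHOLD = 500     # total pages per user across the analysed batch
BUSINESS_HOURS = (7, 19)      # 07:00-19:00 on weekdays counts as normal
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "RESTRICTED", "SECRET")


def _event_xml(event_id, when, params=None):
    """Build a constructed record in the exported Windows event XML layout.

    For 307 the assumed Param order is: job id, document, user, client machine,
    printer, port, bytes, pages.
    """
    user_data = ''
    if params:
        fields = ''.join(f'<Param{i}>{v}</Param{i}>' for i, v in enumerate(params, 1))
        user_data = (f'<UserData><DocumentPrinted xmlns="{NS_PRN[1:-1]}">'
                     f'{fields}</DocumentPrinted></UserData>')
    return (f'<Event xmlns="{NS_EVT[1:-1]}"><System>'
            f'<Provider Name="Microsoft-Windows-PrintService"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>WS01.corp.example</Computer>'
            f'</System>{user_data}</Event>')


# Constructed sample batch: two late Saturday jobs by one user, one routine job, one non-307 event.
SAMPLE_EVENTS = [
    _event_xml(307, "2024-06-08T22:41:03.512Z",
               ["42", "CONFIDENTIAL - Q3 customer list.xlsx", "jdoe",
                "\\\\WS01", "HP LaserJet 4th floor", "10.0.0.50", "1048576", "312"]),
    _event_xml(307, "2024-06-08T22:55:10.004Z",
               ["44", "export_2.pdf", "jdoe",
                "\\\\WS01", "HP LaserJet 4th floor", "10.0.0.50", "524288", "250"]),
    _event_xml(307, "2024-06-10T10:15:00.000Z",
               ["43", "team meeting agenda.docx", "asmith",
                "\\\\WS02", "HP LaserJet 4th floor", "10.0.0.50", "20480", "2"]),
    _event_xml(310, "2024-06-10T10:16:00.000Z"),  # "A document failed to print": ignored here
]


def parse_event(xml_text):
    """Return the print-job fields of a 307 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS_EVT}System")
    if system.findtext(f"{NS_EVT}EventID") != "307":
        return None
    when = system.find(f"{NS_EVT}TimeCreated").get("SystemTime")
    doc = root.find(f"{NS_EVT}UserData/{NS_PRN}DocumentPrinted")
    p = [doc.findtext(f"{NS_PRN}Param{i}") for i in range(1, 9)]
    return {
        "time": datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S"),  # drop sub-second part
        "computer": system.findtext(f"{NS_EVT}Computer"),
        "job_id": int(p[0]), "document": p[1], "user": p[2], "client": p[3],
        "printer": p[4], "port": p[5], "bytes": int(p[6]), "pages": int(p[7]),
    }


def flag_job(job):
    """Return the reasons a single 307 record deserves attention (empty list if none)."""
    reasons = []
    if job["pages"] > PAGE_THRESHOLD:
        reasons.append(f"bulk print: {job['pages']} pages")
    t = job["time"]
    if t.weekday() >= 5 or not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]:
        reasons.append("printed outside business hours")
    if any(marker in job["document"].upper() for marker in CLASSIFICATION_MARKERS):
        reasons.append("document name carries a classification marker")
    return reasons


def triage(xml_records):
    """Parse a batch of records, flag individual jobs and high per-user page volume."""
    jobs = [j for j in map(parse_event, xml_records) if j is not None]
    pages_by_user = defaultdict(int)
    findings = []
    for job in jobs:
        pages_by_user[job["user"]] += job["pages"]
        reasons = flag_job(job)
        if reasons:
            findings.append((job, reasons))
    heavy_users = {u: n for u, n in pages_by_user.items() if n > USER_PAGE_THRESHOLD}
    return {"jobs": jobs, "findings": findings,
            "pages_by_user": dict(pages_by_user), "heavy_users": heavy_users}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for job, reasons in result["findings"]:
        print(f"{job['time']:%Y-%m-%d %H:%M} {job['user']:<8} {job['printer']:<22} "
              f"{job['pages']:>4}p  {job['document']!r}")
        for r in reasons:
            print(f"    - {r}")
    print("pages by user:", result["pages_by_user"], "heavy:", result["heavy_users"])
```

The Microsoft-Windows-PrintService/Operational channel is disabled by default, so 307 events only exist on hosts where it has been enabled (for example with `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true`); records can then be exported as XML with `Get-WinEvent` and each event's `ToXml()` and fed to `triage()`. The thresholds and the weekday/UTC business-hours check are deliberately simple starting points and should be tuned to the organization's normal print volumes.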