Discovery

Data Gathering

Detection overview

The "Data Gathering" detection focuses on identifying activities that involve the collection and aggregation of information from within an organization's network. This activity can be a precursor to more severe attacks, as attackers often gather data to understand the environment, identify targets, and plan their next steps. Detecting data gathering is crucial to prevent potential data breaches, privilege escalation, and other malicious activities.

Triggers

  • Pre-exfiltration behaviors have been observed on a host that has received abnormally high amounts of data from one or more hosts within a short period of time.

Possible Root Causes

  • An attacker has pivoted to a host to use for dumping/staging data prior to exfiltrating, likely taking advantage of the trusted nature of this host to bypass security controls and evade detection.
  • A malicious insider is collecting data they intend to steal from a position of trust.
  • A user has joined a new team, changed organizational roles, or otherwise been given reason to significantly depart from their typical data access and retrieval activities.
  • An application has been observed on an unusual or infrequent backup or update cycle.

Business Impact

  • Failure to identify and respond to pre-exfiltration activities in an organization increases the likelihood of data loss.
  • When successful, data exfiltration places an organization at the risk of the loss of intellectual property, financial data, or other regulated or sensitive data sources.

Steps to Verify

  1. Verify whether the gathered data supports valid and authorized business activity.
  2. Investigate the host and associated accounts for other signs of compromise.

Possible root causes

Malicious Detection

  • An external attacker has gained initial access and is performing reconnaissance to gather information.
  • Insider threat where an employee is collecting sensitive data for malicious purposes.
  • Use of malware or automated tools designed to gather data from the network.

Benign Detection

  • Legitimate administrative tasks involving data collection or backup.
  • Security assessments or penetration tests involving data gathering activities.
  • Business processes requiring the aggregation of information for analysis or reporting.

Example scenarios

Scenario 1: An attacker who has gained access to the network starts querying Active Directory to gather information about users, groups, and computers. The detection is triggered by the high volume of directory service queries.

Scenario 2: An insider threat scenario where an employee uses automated scripts to collect sensitive customer data from various databases. The detection is triggered by the unusual volume and pattern of data access activities.
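The trigger for this detection (a host receiving abnormally high volumes of data from one or more hosts within a short period) and Scenario 2 (scripts pulling data from several databases onto one machine) reduce to the same check: per destination host, compare the inbound bytes and the number of distinct senders in the current time window against that host's own history. The block below is an added example written for this page, not Vectra AI's detection logic; the flow records, host names and thresholds (hourly windows, ten times the host's own median volume, a 100 MB absolute floor, at least three distinct sources) are constructed assumptions for illustration.

```python
"""Flag hosts that suddenly receive far more data, from more sources, than their own history."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MB = 2 ** 20
T0 = datetime(2024, 3, 4)  # constructed start of the observation period


def flow(src, dst, day, hour, nbytes):
    """Build one constructed flow record: nbytes sent from src to dst during a given hour."""
    return {"src": src, "dst": dst, "ts": T0 + timedelta(days=day, hours=hour), "bytes": nbytes}


# Constructed sample telemetry (not real flow logs).
FLOWS = []
for day in range(6):
    # ws-42: an ordinary workstation pulling ~50 MB per business hour from the file server
    for hour in range(9, 17):
        FLOWS.append(flow("fs-01", "ws-42", day, hour, 50 * MB))
    # backup-01: a nightly bulk collection from ten servers with a stable volume
    for i in range(10):
        FLOWS.append(flow(f"srv-{i:02d}", "backup-01", day, 2, 500 * MB))
    # ws-17: a small daily update pull from a single update server
    FLOWS.append(flow("wsus-01", "ws-17", day, 3, 20 * MB))
# Day 5, 22:00: ws-42 receives about 2 GB from four servers within one hour (staging behaviour)
for src, n in [("db-01", 900 * MB), ("db-02", 600 * MB), ("fs-01", 300 * MB), ("crm-01", 250 * MB)]:
    FLOWS.append(flow(src, "ws-42", 5, 22, n))
# Day 5, 03:00: ws-17 receives a 1.5 GB update, but from its usual single source
FLOWS.append(flow("wsus-01", "ws-17", 5, 3, 1500 * MB))


def bucket(ts):
    """Align a timestamp to the start of its hourly window (assumed window size)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def aggregate_inbound(flows):
    """Return {dst: {window_start: [total_bytes, set_of_sources]}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in flows:
        entry = agg[f["dst"]][bucket(f["ts"])]
        entry[0] += f["bytes"]
        entry[1].add(f["src"])
    return agg


def detect_staging_hosts(flows, ratio=10.0, min_sources=3, min_history=3, floor_bytes=100 * MB):
    """
    Flag (host, window) pairs whose inbound volume is at least `ratio` times the median of that
    host's earlier active windows, exceeds an absolute floor, and arrives from at least
    `min_sources` distinct hosts. All thresholds are illustrative assumptions.
    """
    alerts = []
    for dst, windows in aggregate_inbound(flows).items():
        ordered = sorted(windows.items(), key=lambda kv: kv[0])
        for i, (start, (total, srcs)) in enumerate(ordered):
            history = [t for _, (t, _) in ordered[:i]]  # only windows before this one
            if len(history) < min_history:
                continue  # cold start: no per-host baseline yet
            baseline = median(history)
            if total >= max(floor_bytes, ratio * baseline) and len(srcs) >= min_sources:
                alerts.append({
                    "dst": dst,
                    "window": start.isoformat(),
                    "bytes": total,
                    "baseline_bytes": baseline,
                    "sources": sorted(srcs),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_staging_hosts(FLOWS):
        print(f'{a["dst"]} {a["window"]}: {a["bytes"] // MB} MB from {a["sources"]} '
              f'(baseline {int(a["baseline_bytes"]) // MB} MB)')
```

Run as written, only the ws-42 window at 22:00 on day 5 is reported: the nightly backup host is not, because its volume matches its own baseline, and the workstation pulling a large update is not, because the data comes from a single source. Both correspond to the benign root causes listed for this detection (unusual backup or update cycles), which is why the per-host baseline and the distinct-source count are checked together rather than volume alone. The per-host baseline has a blind spot to keep in mind: a freshly provisioned host with no prior traffic is not scored until it has accumulated `min_history` windows, so a staging host that is new to the network would be missed by this check and has to be caught by other telemetry.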

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data Breach

Unauthorized access to and potential exfiltration of sensitive information.

Privilege Escalation

Attackers can use gathered data to escalate privileges within the network.

Operational Disruption

Extensive data gathering can disrupt normal operations and impact system performance.

Steps to investigate

FAQs

What is data gathering in the context of cybersecurity?

Data gathering involves the collection and aggregation of information from within an organization's network, often used by attackers for reconnaissance and planning further attacks.

What are the common signs of data gathering activities?

Common signs include high-volume data access, bursts of directory service queries, unusual file access patterns, and network scans.

Can legitimate activities trigger the detection of data gathering?

Yes, legitimate administrative tasks, business processes, or security assessments can trigger this detection. It’s important to verify the context of the activity.

How does Vectra AI detect data gathering activities?

Vectra AI uses advanced AI algorithms to analyze network traffic and access logs, identifying patterns indicative of data gathering and correlating these with other suspicious behaviors.

What is the business impact of data gathering?

The primary risks are data breaches, privilege escalation, operational disruptions, and compliance violations, which can lead to significant harm to the organization.

How can I detect data gathering activities in my environment?

Monitor for unusual or high-volume access to sensitive files and databases, multiple queries to directory services, and network scans targeting various resources.

Why is data gathering a significant threat?

Data gathering can lead to unauthorized access to sensitive information, privilege escalation, operational disruption, and compliance violations.

What steps should I take if I detect data gathering?

Investigate the source of the data gathering activity, verify if it was authorized, check for other signs of malicious activity, and secure sensitive data and systems.

What tools can help verify the presence of data gathering?

Tools like network traffic analyzers, threat detection and response solutions, and specialized monitoring solutions can help identify and verify data gathering activities.

How can I prevent unauthorized data gathering?

Implement strong access controls, monitor data access and network traffic, use data loss prevention (DLP) tools, set up alerts for suspicious activity, and regularly audit data access and user activity.