DET0403: Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices
This detection strategy matters because traffic mirroring is a legitimate network and cloud infrastructure feature that can become an exfiltration path whe...
Analyst context for executives and security teams
This detection strategy matters because traffic mirroring is a legitimate network and cloud infrastructure feature that can become an exfiltration path when abused. For leaders, the risk is not just “data leaving the network,” but that normal administrative capability in IaaS or network devices could duplicate sensitive traffic to an unauthorized destination while looking like routine monitoring unless change control, logging, and review are strong.
Executive priority
Prioritize this as an exfiltration-readiness question: do teams know who can configure traffic mirroring, where mirrored traffic is allowed to go, and whether those changes are logged and reviewed? The business value is in proving governance over high-risk infrastructure features, supporting incident response scoping, and producing audit evidence that cloud and network monitoring capabilities cannot be silently repurposed.
Technical view
ATT&CK links this detection strategy to T1020.001 Traffic Duplication under exfiltration, with related platforms of Network Devices and IaaS. SOC, cloud, and network teams should validate visibility into creation, modification, and deletion of traffic mirroring or packet capture forwarding configurations; destinations receiving mirrored traffic; administrative identities making changes; and whether changes align with approved network analysis use cases. Because the ATT&CK object provides no official detection text, local detections should be built from environment-specific control-plane logs, device configuration records, and approved baseline exceptions.
Likely telemetry
- IaaS control-plane or audit logs for traffic mirroring/session configuration changes
- Network device configuration change logs
- Administrative authentication and authorization logs for accounts able to configure mirroring
- Change management records for approved monitoring or network analysis destinations
- Network telemetry showing mirrored traffic destinations where available
Detection direction
- Baseline approved mirroring configurations and alert on new, modified, or unexpected destinations.
- Correlate mirroring changes with the administrator identity, source of the change, ticket/change record, and affected asset or subnet.
- Tune for legitimate network analysis activity to reduce false positives, but require strong exception documentation because the feature can support exfiltration.
- Look for high-risk patterns such as mirroring from sensitive segments or workloads to destinations not used by approved monitoring tools.
- Validate coverage separately for IaaS and network devices; the ATT&CK strategy object does not specify a unified detection method.
Mitigation priorities
- Restrict who can create or modify traffic mirroring on IaaS and network devices using least privilege.
- Require change control and documented business justification for mirroring sessions and destinations.
- Maintain an approved inventory of monitoring destinations and compare configurations against it.
- Ensure control-plane, device configuration, and administrative activity logs are retained for investigation and compliance evidence.
- Include traffic mirroring review in cloud security, network security, and incident response readiness exercises.
Analyst notes and limits
This is a detection-strategy object, not a full ATT&CK technique description. The only supplied relationship is that it detects T1020.001 Traffic Duplication, an exfiltration technique involving abuse of traffic mirroring in Network Devices and IaaS. Treat the value of this object as a prompt to validate monitoring of legitimate infrastructure features that can be misused.
The official object provides no description, no official detection text, no tactics, and no platforms for the detection strategy itself. Any concrete detection logic, thresholds, approved destinations, or control assertions require local architecture, logging, IAM, and change-management evidence.
Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1020.001 | Traffic Duplication Sub-technique | This object detects Traffic Duplication. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 648fc61e4214… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0403Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.