M1057: Data Loss Prevention
Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. [1] This mitigation can be implemented through the following measures:
Sensitive Data Categorization:
- Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
- Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.
Exfiltration Restrictions:
- Use Case: Prevent unauthorized transmission of sensitive data.
- Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.
Data-in-Transit Monitoring:
- Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
- Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.
Endpoint Data Protection:
- Use Case: Monitor and control sensitive data usage on endpoints.
- Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.
Cloud Data Security:
- Use Case: Protect data stored in cloud platforms.
- Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.
Analyst context for executives and security teams
Data Loss Prevention matters because many ATT&CK exfiltration paths depend on sensitive data being found, moved, copied, uploaded, mirrored, or shared before the organization notices. For leaders, the decision value is not simply whether a DLP tool exists, but whether sensitive data is classified, monitored, and controlled across endpoint, network, removable media, and cloud-sharing paths that ATT&CK maps to collection and exfiltration behavior.
Executive priority
Prioritize DLP as a resilience, compliance, and incident-readiness control for PII, financial data, intellectual property, and other sensitive information. Executives should ask whether the organization can prove where sensitive data resides, which transfer channels are controlled, and whether cloud sharing, USB movement, email attachments, unapproved uploads, and outbound network flows are governed by enforceable policy rather than assumed user behavior.
Technical view
For SOC, detection engineering, and IR teams, validate DLP coverage against the related ATT&CK behaviors: data collected from local systems and removable media; exfiltration over C2, alternative protocols, encrypted and unencrypted non-C2 channels, web services, webhooks, physical media, USB, traffic duplication, and cloud-account transfers. Because MITRE provides no specific detection text for M1057, teams should test whether DLP events are generated, routed, retained, and correlated with endpoint, network, identity, and cloud activity during sensitive-data movement scenarios.
Likely telemetry
- Sensitive data classification and tagging results for PII, financial data, trade secrets, and other protected data types
- Endpoint DLP events for copy, paste, print, file share, removable media, and local file access activity
- Network DLP or outbound inspection events for sensitive content leaving over approved or unapproved channels
- Email attachment and cloud upload policy events involving sensitive data
- Cloud storage, SaaS, Office Suite, and IaaS sharing, sync, download, and transfer logs where integrated with DLP
Detection direction
- Confirm that DLP alerts are not isolated in a separate console; they should be available to SOC workflows with enough context for triage and incident response.
- Tune detections around sensitive-data movement rather than volume alone, since related techniques include cloud-to-cloud transfers, web services, webhooks, USB, and protocol-based exfiltration paths.
- Validate coverage for encrypted or obfuscated channels where content inspection may be limited; compensate with metadata, destination, cloud, identity, and endpoint context.
- Review false positives from legitimate business processes such as approved finance exports, legal transfers, backups, collaboration-platform sharing, and administrative network analysis.
- Test whether DLP policy detects both accidental leakage and malicious movement from compromised systems, including local system data collection and removable media paths.
Mitigation priorities
- Start with sensitive data categorization so policies are based on known PII, financial data, intellectual property, and other protected formats.
- Implement exfiltration restrictions for unapproved email attachments, USB usage, unencrypted uploads, and unauthorized cloud storage transfers.
- Deploy or integrate DLP controls across endpoint, network, and cloud platforms where sensitive data is created, stored, shared, or transmitted.
- Define policy actions that match business risk, such as block, warn, encrypt, quarantine, or require approval for sensitive transfers.
- Ensure DLP evidence supports compliance and incident response by retaining alerts, policy decisions, user context, file metadata, and transfer details.
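The categorization measure above (pattern-based tagging of SSNs and card numbers) and the mitigation priority of mapping policy actions to business risk are illustrated together in this added example; it is not code from the page, from MITRE, or from any DLP product. The patterns, the Luhn check used to cut false positives on card-like digit runs, the channel names and the policy table are all constructed assumptions.

```python
import re

# Constructed detection patterns for two data types the page names:
# Social Security Numbers and payment card numbers (illustrative only).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Tag content with the sensitive-data categories found in it."""
    tags = set()
    if SSN_RE.search(text):
        tags.add("PII")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            tags.add("FINANCIAL")
            break
    return tags


# Hypothetical policy table: action per (transfer channel, category); unlisted pairs allow.
POLICY = {
    ("usb", "PII"): "block",
    ("usb", "FINANCIAL"): "block",
    ("email_external", "PII"): "block",
    ("email_external", "FINANCIAL"): "require_approval",
    ("cloud_upload_unencrypted", "PII"): "encrypt",
    ("cloud_upload_unencrypted", "FINANCIAL"): "encrypt",
    ("email_internal", "PII"): "warn",
    ("email_internal", "FINANCIAL"): "warn",
}
SEVERITY = ["allow", "warn", "encrypt", "require_approval", "block"]


def decide(channel: str, text: str, user: str = "unknown") -> dict:
    """Return the policy decision plus the context an analyst needs for triage."""
    tags = classify(text)
    actions = [POLICY.get((channel, t), "allow") for t in tags] or ["allow"]
    action = max(actions, key=SEVERITY.index)  # most restrictive applicable action wins
    return {"user": user, "channel": channel, "tags": sorted(tags), "action": action}
```

The returned record carries the user, channel, tags and decision so that the same event can be retained as evidence and routed to SOC workflows rather than staying in a DLP console.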
Analyst notes and limits
This take is based on MITRE ATT&CK mitigation M1057 Data Loss Prevention and its stated relationships to collection and exfiltration techniques. The strongest defensive value comes from using DLP as a policy-enforcement and evidence layer, not only as a product deployment. Local data classification quality, cloud integration, endpoint coverage, and SOC access to DLP events will determine practical effectiveness.
MITRE does not provide an official detection section or platforms for M1057 itself. Related techniques provide platform and tactic context, but actual applicability depends on the organization’s systems, cloud services, data types, inspection capability, encryption constraints, and DLP integrations. No active exploitation, attribution, or guaranteed detection coverage is implied.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1052 | Exfiltration Over Physical Medium | Data loss prevention can detect and block sensitive data being copied to physical mediums. |
| Enterprise | T1537 | Transfer Data to Cloud Account | Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization. (Citations: Microsoft Purview Data Loss Prevention; Google Workspace Data Loss Prevention) |
| Enterprise | T1005 | Data from Local System | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Data loss prevention can detect and block sensitive data being uploaded via web browsers. |
| Enterprise | T1567 | Exfiltration Over Web Service | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. |
| Enterprise | T1025 | Data from Removable Media | Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Data loss prevention can detect and block sensitive data being copied to USB devices. |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Sub-technique | Data loss prevention can detect and block sensitive data being uploaded via web browsers. |
| Enterprise | T1567.004 | Exfiltration Over Webhook Sub-technique | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
| Enterprise | T1020.001 | Traffic Duplication Sub-technique | Implement Data Loss Prevention (DLP) solutions to monitor, detect, and control the flow of sensitive information. DLP tools can be configured to block unauthorized attempts to exfiltrate data, such as preventing emails from being forwarded to external recipients or monitoring for suspicious data transfers. By creating email flow rules and applying policies to detect anomalies, DLP solutions help mitigate the risk of data exfiltration over alternative protocols. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6f1af5ac0350… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Michael Swanagan. (2020, October 24). 7 Data Loss Prevention Best Practices & Strategies. PurpleSec. Retrieved August 30, 2021.
[2] MITRE ATT&CK. M1057: Data Loss Prevention.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.