T1020.001: Traffic Duplication

Traffic Duplication matters because a legitimate network or cloud monitoring feature can become an exfiltration path. If an attacker gains enough control over network devices or IaaS configuration, mirrored traffic can be redirected to infrastructure they control, allowing sensitive data to leave without looking like a normal file transfer from an endpoint.

Executive priority

Prioritize this where sensitive workloads traverse network devices or IaaS environments that support mirroring, packet mirroring, or virtual taps. Leaders should ask who can create or modify mirroring sessions, whether those changes are logged and reviewed, and whether encrypted traffic, DLP, and account governance provide evidence for audit and incident response. The business risk is quiet loss of data through an administrative feature, not a malware-only scenario.

Technical view

This is an exfiltration sub-technique of Automated Exfiltration affecting Network Devices and IaaS. SOC, cloud security, and IR teams should validate visibility into creation, modification, and destination changes for traffic mirroring on network infrastructure and cloud services such as AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap where used. Because ATT&CK provides no official detection text here, detection engineering should lean on the related detection strategy DET0403 and local control-plane logs, configuration history, and network-flow evidence. Investigations should also consider relationship-driven context: traffic duplication may support Network Sniffing, Input Capture, or Adversary-in-the-Middle activity.

Likely telemetry

Network device configuration change logs for port mirroring, SPAN, traffic mirroring, or redirection settings
IaaS control-plane audit logs for packet mirroring, traffic mirroring, or virtual TAP creation and modification
Cloud IAM or administrative activity showing who changed mirroring sources, filters, and destinations
Network flow records showing mirrored traffic targets or unusual monitoring destinations
Configuration management or backup snapshots for routers, switches, and cloud networking resources

Detection direction

Alert on new, modified, or unauthorized traffic mirroring sessions, especially destination changes to unapproved collectors or infrastructure.
Baseline approved monitoring devices, cloud mirror targets, and maintenance windows to reduce false positives from legitimate network analysis activity.
Correlate mirroring configuration changes with privileged account activity and change-management records.
Review blind spots around legacy network devices, unmanaged infrastructure, and cloud projects/accounts where control-plane logging is incomplete.
Treat detections as high-context leads: mirroring may be legitimate, so validation requires ownership, ticketing, destination, and data-sensitivity review.

Mitigation priorities

Enforce user account management and least-privilege access for network device and IaaS administrators who can configure mirroring.
Maintain approved inventories of mirror sources, filters, and destinations, and review them against business need.
Encrypt sensitive information in transit so duplicated traffic is less useful if redirected.
Use DLP capabilities to identify and control movement of sensitive data where applicable.
Include mirroring and virtual TAP configuration review in cloud security, network device hardening, and incident response playbooks.

Analyst notes and limits

The supplied ATT&CK object is focused on abuse of legitimate traffic mirroring features for exfiltration. The relationship to M1018, M1041, and M1057 supports prioritizing account governance, encryption, and DLP. The relationship to T1020 frames this as automated exfiltration rather than a standalone endpoint behavior.

ATT&CK provides no official detection text for this object, and the related DET0403 details are not supplied beyond its name. Coverage depends heavily on local device models, cloud providers in use, administrative logging, configuration management, and the organization’s approved monitoring architecture. This take does not assert active exploitation or guaranteed detection.

Official MITRE ATT&CK definition

Traffic Duplication

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. [1][2]

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.[3][4]

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[5][6][7]

Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1020	Automated Exfiltration	This object subtechnique of Automated Exfiltration.

Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0403: Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices Enterprise mitigates · Mitigation M1041: Encrypt Sensitive Information Enterprise mitigates · Mitigation M1018: User Account Management Enterprise subtechnique of · Technique T1020: Automated Exfiltration Enterprise mitigates · Mitigation M1057: Data Loss Prevention Enterprise

Mitigations

Mitigation direction

M1041: Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

M1057: Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. [1] This mitigation can be implemented through the following measures:

Sensitive Data Categorization:

- Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets). - Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.

Exfiltration Restrictions:

- Use Case: Prevent unauthorized transmission of sensitive data. - Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.

Data-in-Transit Monitoring:

- Use Case: Detect and prevent the transmission of sensitive data over unapproved channels. - Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.

Endpoint Data Protection:

- Use Case: Monitor and control sensitive data usage on endpoints. - Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.

Cloud Data Security:

- Use Case: Protect data stored in cloud platforms. - Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.4
Created: Oct 19, 2020, 13:40 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:49 UTC (UTC+00:00)
Raw hash: 9a3614bab81928ce...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.4	Oct 24, 2025, 17:49 UTC (UTC+00:00)	Current bundle	`9a3614bab819…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Cisco Traffic Mirroring

Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020.
Open source URL
[2]
Juniper Traffic Mirroring

Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020.
Open source URL
[3]
US-CERT-TA18-106A

US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Open source URL
[4]
Cisco Blog Legacy Device Attacks

Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
Open source URL
[5]
AWS Traffic Mirroring

Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
Open source URL
[6]
GCP Packet Mirroring

Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
Open source URL
[7]
Azure Virtual Network TAP

Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
Open source URL
[8]
mitre-attack T1020.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams