Threat actors may leverage traffic mirroring to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature of some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
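Since the technique abuses a legitimate feature, one detective check is to audit device configurations for mirror destinations nobody approved. The sketch below is an added example, not part of the original page: it assumes Cisco IOS-style one-line `monitor session` statements, and the sample config, hostname and `APPROVED` allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a Cisco IOS-style running config (not from the page).
SAMPLE_CONFIG = """\
hostname edge-sw1
monitor session 1 source interface Gi0/1 both
monitor session 1 destination interface Gi0/24
monitor session 2 source vlan 10 rx
monitor session 2 destination remote vlan 900
interface Gi0/24
 description network-analyzer
"""

# Hypothetical allowlist: mirror destinations approved per device.
APPROVED = {"edge-sw1": {"interface Gi0/24"}}

# Assumption: sessions are configured with one-line SPAN/RSPAN statements.
LINE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def parse_sessions(config):
    """Return {session_id: {"source": [...], "destination": [...]}}."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sid, role, target = m.groups()
            sessions[int(sid)][role].append(target.strip())
    return dict(sessions)

def audit(hostname, config, approved=APPROVED):
    """Flag mirror destinations that are not on the device's allowlist."""
    allowed = approved.get(hostname, set())  # unknown device: nothing approved
    findings = []
    for sid, s in sorted(parse_sessions(config).items()):
        for dest in s["destination"]:
            if dest not in allowed:
                findings.append({"host": hostname, "session": sid,
                                 "sources": s["source"], "destination": dest})
    return findings

if __name__ == "__main__":
    for finding in audit("edge-sw1", SAMPLE_CONFIG):
        print(finding)
```

Run against periodic config backups, a new finding means a mirror session was added or retargeted since the allowlist was last reviewed.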