BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
T1190 - Exploit Public-Facing Application | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0017 - Decoy System | A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
T1190 - Exploit Public-Facing Application | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. | DTE0013 - Decoy Diversity | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
T1203 - Exploitation for Client Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
T1203 - Exploitation for Client Execution | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0004 - Application Diversity | A defender can install one or more applications on a decoy system with a variety of patch levels to see how an adversary might exploit those applications. |
T1204 - User Execution | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |