For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1078 - Valid Accounts | There is an opportunity to introduce user accounts that are used to make a system look more realistic. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
T1078 - Valid Accounts | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1078 - Valid Accounts | There is an opportunity to prepare user accounts so they look used and authentic. | DTE0008 - Burn-In | A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate. |
T1091 - Replication Through Removable Media | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender can monitor systems for the use of removeable media. |
T1091 - Replication Through Removable Media | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can disable Autorun to prevent malware from automatically executing when removeable media is plugged into a system. |
T1091 - Replication Through Removable Media | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. | DTE0023 - Migrate Attack Vector | A defender can connect a suspect removeable media device to a decoy system and see what happens when autorun is enabled. |
T1091 - Replication Through Removable Media | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. | DTE0022 - Isolation | A defender can setup protections so removeable media cannot be mounted until an isolated review process has cleared the drive. |
T1133 - External Remote Services | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them access your network via remote services. | DTE0017 - Decoy System | A defender can setup a decoy VPN server and see if an adversary attempts to use valid account to authenticate to it. |
T1189 - Drive-by Compromise | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
T1189 - Drive-by Compromise | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0013 - Decoy Diversity | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
T1189 - Drive-by Compromise | There is an opportunity to use a compromised drive-by site to start long term engagement with the adversary and observe the adversary's post-exploit TTPs. | DTE0014 - Decoy Network | A defender seeking to learn about post compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
T1190 - Exploit Public-Facing Application | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0017 - Decoy System | A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
T1190 - Exploit Public-Facing Application | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. | DTE0013 - Decoy Diversity | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
T1195 - Supply Chain Compromise | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. | DTE0014 - Decoy Network | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
T1199 - Trusted Relationship | When authorized behavior is defined and limited for trusted partners, adversaries exploiting trust relationships are easier to detect. | DTE0034 - System Activity Monitoring | Defenders can monitor trusted partner access, detecting unauthorized activity. |
T1200 - Hardware Additions | There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary. | DTE0022 - Isolation | A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors. |
T1566 - Phishing | A phishing email can be detected and blocked from arriving at the intended recipient. | DTE0019 - Email Manipulation | A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target. |
T1566 - Phishing | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. | DTE0023 - Migrate Attack Vector | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
T1566 - Phishing | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1566 - Phishing | There is an opportunity to discover who or what is being targeting by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |