For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
T1040 - Network Sniffing | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | By changing the output of network sniffing utilities normally found on a system, you can prevent adversaries from seeing particular content or making use of the results at all. |
T1040 - Network Sniffing | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. | DTE0016 - Decoy Process | The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks. |
T1040 - Network Sniffing | There is an opportunity to entice the adversary to expose additional TTPs. | DTE0025 - Network Diversity | The defender can add unique endpoints, servers, routers, and other devices to give the adversary a broader attack surface. This can cause the adversary to expose additional capabilities. |
T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
T1110 - Brute Force | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can monitor for user login activity that may reveal an adversary leveraging brute force techniques. |
T1111 - Two-Factor Authentication Interception | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0032 - Security Controls | In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token. |
T1111 - Two-Factor Authentication Interception | There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures. | DTE0033 - Standard Operating Procedure | A defender can implement a standard operating procedure which restricts users from using 2FA or MFA more than once without another process being invoked. |
T1187 - Forced Authentication | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials. |
T1187 - Forced Authentication | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternatively, a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft. |
T1212 - Exploitation for Credential Access | In an adversary engagement scenario, there is an opportunity to use a variety of applications on a system to see what an adversary tries to exploit in order to acquire credentials. | DTE0004 - Application Diversity | A defender can use a variety of applications on a decoy system or in a decoy network to see what an adversary tries to exploit in order to acquire credentials. |
T1528 - Steal Application Access Token | Users trained and encouraged to report unsolicited application authorization requests can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train users on how to recognize and report third-party applications requesting authorization can create "Human Sensors" that help detect application token theft. |
T1539 - Steal Web Session Cookie | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system. |
T1539 - Steal Web Session Cookie | There is an opportunity to seed systems with decoy cookies that will lead adversaries to decoy targets. | DTE0008 - Burn-In | A defender can authenticate to a collection of decoy sites (as a decoy user) to give the adversary a set of session cookies to harvest and potentially use during adversary engagement. |
T1552 - Unsecured Credentials | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1555 - Credentials from Password Stores | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
T1556 - Modify Authentication Process | There is an opportunity to use security controls on systems in order to affect the success of an adversary. | DTE0032 - Security Controls | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
T1556 - Modify Authentication Process | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
T1557 - Man-in-the-Middle | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
T1558 - Steal or Forge Kerberos Tickets | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0025 - Network Diversity | A defender can set up networks that use Kerberos authentication and systems that authenticate using it. This gives you a chance to see if an adversary has the capacity to steal or forge Kerberos tickets for lateral movement. |
T1558 - Steal or Forge Kerberos Tickets | In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets. | DTE0032 - Security Controls | A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs. |
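Two of the use cases above (alerting when seeded decoy credentials are used, DTE0012, and monitoring login activity for brute-force patterns, DTE0034) share the same building block: a detector that parses authentication events and raises alerts on them. The following is an added example, not code from the MITRE Shield project; the log format, the decoy account names, the hosts and the addresses are constructed for illustration, and the five-failures-in-five-minutes threshold is an assumed tuning value rather than a recommendation from the table.

```python
"""Decoy-credential and brute-force alerting over authentication events.

Added example (not MITRE Shield's own code). It demonstrates two active
defense use cases from the Credential Access table:
  - DTE0012 Decoy Credentials: any authentication attempt with a seeded
    decoy account is an alert, whether it succeeds or fails.
  - DTE0034 System Activity Monitoring: repeated failed logins from one
    source address within a short window are flagged as brute force.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Accounts that exist only as decoys (planted in files, password stores, or
# memory) and are never used by legitimate processes. Constructed names; a real
# deployment would load this set from its decoy-seeding inventory.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_finance_old"}

# Constructed sample log in a simple "timestamp host RESULT user=... src=..."
# format. The final line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fs01 FAILED user=jsmith src=10.0.0.5
2024-03-01T10:00:03Z fs01 FAILED user=jsmith src=10.0.0.5
2024-03-01T10:00:05Z fs01 FAILED user=jsmith src=10.0.0.5
2024-03-01T10:00:07Z fs01 FAILED user=jsmith src=10.0.0.5
2024-03-01T10:00:09Z fs01 FAILED user=jsmith src=10.0.0.5
2024-03-01T10:01:00Z fs01 SUCCESS user=jsmith src=10.0.0.5
2024-03-01T10:02:00Z web01 SUCCESS user=akumar src=10.0.0.12
2024-03-01T10:03:15Z fs01 FAILED user=svc_backup_legacy src=10.0.0.9
2024-03-01T10:03:16Z dc01 SUCCESS user=svc_backup_legacy src=10.0.0.9
this line is not a login event
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>SUCCESS|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one bad line stop the detector
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def decoy_credential_alerts(events):
    """DTE0012: every touch of a decoy account is an alert, success or failure."""
    return [
        {"type": "decoy_credential_use", "user": e["user"], "src": e["src"],
         "host": e["host"], "result": e["result"], "ts": e["ts"]}
        for e in events if e["user"] in DECOY_ACCOUNTS
    ]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """DTE0034: flag a source once it reaches `threshold` failures inside `window`.

    A sliding window of failure timestamps is kept per source address; the
    window is cleared after an alert so one burst produces one alert.
    """
    recent_failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "FAILED":
            continue
        hits = recent_failures[e["src"]]
        hits.append(e["ts"])
        while e["ts"] - hits[0] > window:  # drop failures outside the window
            hits.pop(0)
        if len(hits) >= threshold:
            alerts.append({"type": "brute_force", "src": e["src"],
                           "failures": len(hits), "last_seen": e["ts"]})
            hits.clear()
    return alerts


def run(text):
    """Convenience wrapper returning all alerts for a block of log text."""
    events = parse_events(text)
    return decoy_credential_alerts(events) + brute_force_alerts(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two decoy alerts (the failed and then successful use of `svc_backup_legacy` from 10.0.0.9, the successful one against `dc01`) and one brute-force alert for 10.0.0.5. The decoy rule has no threshold on purpose: a decoy account has no legitimate users, so a single event is already high-confidence, which is the property that makes DTE0012 useful as a tripwire.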