For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1021 - Remote Services | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1021 - Remote Services | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system running a remote service (such as telnet, SSH, or VNC) and see if the adversary attempts to log in to the service. |
T1072 - Software Deployment Tools | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity. |
T1080 - Taint Shared Content | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0011 - Decoy Content | A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement. |
T1091 - Replication Through Removable Media | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0034 - System Activity Monitoring | A defender can monitor systems for the use of removable media. |
T1091 - Replication Through Removable Media | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can disable Autorun to prevent malware from automatically executing when removable media is plugged into a system. |
T1091 - Replication Through Removable Media | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. | DTE0023 - Migrate Attack Vector | A defender can connect a suspect removable media device to a decoy system and see what happens when Autorun is enabled. |
T1091 - Replication Through Removable Media | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. | DTE0022 - Isolation | A defender can set up protections so removable media cannot be mounted until an isolated review process has cleared the drive. |
T1210 - Exploitation of Remote Services | There is an opportunity to provide a variety of applications to an adversary to see what things an adversary prefers or to influence their operations. | DTE0004 - Application Diversity | A defender can stand up decoy systems or processes using a wide array of applications. These applications can be hardened to test an adversary's capabilities, or easily exploited to entice an adversary to move in that direction. |
T1534 - Internal Spearphishing | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0035 - User Training | A defender can run a program that trains users to report emails that appear in their sent folder but that they did not send. |
T1550 - Use Alternate Authentication Material | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent. |
T1563 - Remote Service Session Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for anomalies in accounts being active with other services/systems during hours they are normally not active. This can indicate malicious activity. |
T1570 - Lateral Tool Transfer | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1570 - Lateral Tool Transfer | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can block certain adversary-used protocols between systems in order to prevent lateral tool transfer. |
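The Behavioral Analytics use cases for T1550 and T1563 above both come down to comparing each authentication against a per-account baseline of where the account normally authenticates from, what it authenticates to, and during which hours. The following is an added example, not part of the MITRE Shield page or its tooling; the account names, host names and log events are constructed for illustration, and a real deployment would build the baseline from weeks of authentication logs rather than a handful of events.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (account, source host, target host, timestamp).
# BASELINE_EVENTS stand in for the account's known-good history; NEW_EVENTS are scored against it.
BASELINE_EVENTS = [
    ("alice", "ws-alice", "fileserver01", "2024-03-04T09:12:00"),
    ("alice", "ws-alice", "fileserver01", "2024-03-05T10:03:00"),
    ("alice", "ws-alice", "mailhost", "2024-03-05T14:40:00"),
    ("svc-backup", "backup01", "fileserver01", "2024-03-04T02:00:00"),
    ("svc-backup", "backup01", "fileserver01", "2024-03-05T02:00:00"),
]
NEW_EVENTS = [
    ("alice", "ws-alice", "fileserver01", "2024-03-06T11:15:00"),      # matches baseline
    ("alice", "ws-bob", "dc01", "2024-03-06T23:50:00"),                # new source, new target, off-hours
    ("svc-backup", "backup01", "fileserver01", "2024-03-06T02:00:00"),  # matches baseline
    ("svc-backup", "ws-carol", "hr-db01", "2024-03-06T13:30:00"),      # service account used interactively
]

def build_profiles(events):
    """Learn, per account, the source hosts, target hosts and hours of day seen in the baseline."""
    profiles = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for account, src, dst, ts in events:
        profiles[account]["sources"].add(src)
        profiles[account]["targets"].add(dst)
        profiles[account]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles

def _hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    return min(abs(a - b), 24 - abs(a - b))

def score_events(profiles, events, hour_slack=1):
    """Return (event, reasons) for every event that deviates from its account's baseline."""
    findings = []
    for event in events:
        account, src, dst, ts = event
        reasons = []
        profile = profiles.get(account)
        if profile is None:
            reasons.append("no baseline for account")
        else:
            hour = datetime.fromisoformat(ts).hour
            if src not in profile["sources"]:
                reasons.append(f"new source host {src}")
            if dst not in profile["targets"]:
                reasons.append(f"new target host {dst}")
            if all(_hour_distance(hour, h) > hour_slack for h in profile["hours"]):
                reasons.append(f"outside active hours ({hour:02d}:00)")
        if reasons:
            findings.append((event, reasons))
    return findings

if __name__ == "__main__":
    for event, reasons in score_events(build_profiles(BASELINE_EVENTS), NEW_EVENTS):
        print(event[0], event[3], "->", "; ".join(reasons))
```

Events that hit all three checks at once (new source, new target, off-hours) are the ones worth prioritising, since a single new target is common during normal work.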