For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is fully populated with content. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system. |
T1005 - Data from Local System | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1025 - Data from Removable Media | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1039 - Data from Network Shared Drive | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1039 - Data from Network Shared Drive | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1056 - Input Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter. |
T1074 - Data Staged | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network. |
T1113 - Screen Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
T1114 - Email Collection | There is an opportunity to influence an adversary to move toward systems you want them to engage with. | DTE0011 - Decoy Content | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
T1115 - Clipboard Data | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert decoy content into a system's clipboard for the adversary to find. |
T1119 - Automated Collection | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files to see if the adversary collects any of those files in an automated manner. |
T1123 - Audio Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working. |
T1123 - Audio Capture | There is an opportunity to alter the system to prevent an adversary from capturing audio content. | DTE0020 - Hardware Manipulation | A defender can physically remove or disable a system's microphone and web camera so that audio capture is not possible. |
T1125 - Video Capture | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0011 - Decoy Content | A defender can introduce video content designed to make the adversary believe that their capture efforts are working. |
T1125 - Video Capture | There is an opportunity to alter the system to prevent an adversary from capturing video content. | DTE0020 - Hardware Manipulation | A defender can physically remove or disable a system's web camera and remove any video capture applications so that video capture is not possible. |
T1185 - Man in the Browser | In an adversary engagement scenario, there is an opportunity to prepare a user's browser data (sessions, cookies, etc.) so it looks authentic and fully populated. | DTE0008 - Burn-In | A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement. |
T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1213 - Data from Information Repositories | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1530 - Data from Cloud Storage Object | In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc. |
T1530 - Data from Cloud Storage Object | In an adversary engagement scenario, there is an opportunity to provide content on a variety of topics to see what types of information seem to interest the adversary. | DTE0030 - Pocket Litter | A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc. |
T1602 - Data from Configuration Repository | There is an opportunity to monitor logs on a system for common ways adversaries behave and detect on that activity. | DTE0034 - System Activity Monitoring | A defender could monitor logs off-system in order to detect adversary activities even when logs have been deleted on the system. |
T1602 - Data from Configuration Repository | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | Defenders can detect adversaries attempting to open a port by analyzing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look at anomalies in services suddenly listening on ports that were not being used before. |
T1602 - Data from Configuration Repository | Although adversaries may attempt to delete or change important artifacts, there may be a window of time to retrieve them before that happens. | DTE0005 - Backup and Recovery | A defender can backup system information on a regular basis and send it to an alternate location for storage. |
T1557 - Man-in-the-Middle | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
T1560 - Archive Collected Data | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable. |
T1602 - Data from Configuration Repository | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. | DTE0012 - Decoy Credentials | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
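The T1074 (Data Staged) row above describes staging pocket litter files with known hashes and alerting when those hashes are later seen moving around a system or leaving the network. The following Python script is an added example of that workflow and is not code from MITRE Shield or ATT&CK: it writes a few constructed decoy files to a temporary directory, records their SHA-256 hashes, and then runs a small detection over constructed file-event telemetry (the event field names, host names and addresses are assumptions chosen for the example, not any product's schema).

```python
"""Pocket litter with known hashes (DTE0030) and a detection for T1074-style
staging and exfiltration of those decoys. Added example, not MITRE Shield code."""
import hashlib
import os
import tempfile

# Constructed decoy contents: plausible-looking but fabricated business files.
DECOY_FILES = {
    "Finance/Q3_forecast_DRAFT.csv": b"quarter,revenue\nQ3,1234567\n",
    "HR/offer_letters_2023.csv": b"candidate,offer\nA. Example,95000\n",
    "IT/vpn_notes.txt": b"Staging VPN notes - placeholder content only.\n",
}

# Actions that mean the decoy left its original location (hypothetical schema).
STAGING_ACTIONS = {"copy", "archive"}
EGRESS_ACTIONS = {"net_upload", "email_attach"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_pocket_litter(root: str, files: dict) -> dict:
    """Write decoy files under root and return {sha256: relative_path}.
    The hash is taken from what actually landed on disk so the detection
    key matches what file-integrity or EDR telemetry will report."""
    known = {}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        with open(path, "rb") as fh:
            known[sha256_hex(fh.read())] = rel
    return known


def detect_decoy_movement(known_hashes: dict, events: list) -> list:
    """Return one alert per event whose content hash matches a staged decoy and
    whose action indicates movement. Reading a decoy in place is recorded by
    the endpoint anyway and is not treated as movement here."""
    alerts = []
    for ev in events:
        rel = known_hashes.get(ev.get("sha256"))
        if rel is None:
            continue  # not one of our decoys
        if ev["action"] in EGRESS_ACTIONS:
            stage = "egress"      # decoy leaving the network: highest concern
        elif ev["action"] in STAGING_ACTIONS:
            stage = "staging"     # decoy copied/archived elsewhere on a host
        else:
            continue              # e.g. "read": opened where it was planted
        alerts.append({"ts": ev["ts"], "host": ev["host"], "decoy": rel,
                       "stage": stage, "dest": ev.get("dest")})
    return alerts


def run_demo() -> list:
    """Stage the litter in a temp dir and run the detection over constructed
    telemetry: one in-place read, one copy to a staging folder, one upload
    to an outside address, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="litter_")
    known = stage_pocket_litter(root, DECOY_FILES)
    by_name = {rel: sha for sha, rel in known.items()}
    events = [  # constructed events in a hypothetical EDR-like schema
        {"ts": "2023-10-02T09:14:03Z", "host": "ws01", "action": "read",
         "path": root + "/IT/vpn_notes.txt", "sha256": by_name["IT/vpn_notes.txt"]},
        {"ts": "2023-10-02T09:16:41Z", "host": "ws01", "action": "copy",
         "path": root + "/Finance/Q3_forecast_DRAFT.csv",
         "sha256": by_name["Finance/Q3_forecast_DRAFT.csv"],
         "dest": "C:/Users/Public/tmp/q3.csv"},
        {"ts": "2023-10-02T09:20:17Z", "host": "ws01", "action": "net_upload",
         "path": "C:/Users/Public/tmp/q3.csv",
         "sha256": by_name["Finance/Q3_forecast_DRAFT.csv"],
         "dest": "203.0.113.7:443"},
        {"ts": "2023-10-02T09:21:00Z", "host": "ws01", "action": "copy",
         "path": "C:/Users/alice/notes.txt", "sha256": sha256_hex(b"unrelated"),
         "dest": "D:/backup/notes.txt"},
    ]
    return detect_decoy_movement(known, events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Keying the detection on the content hash rather than the file name is what makes the T1074 use case work: an adversary who renames or re-packs the decoy before staging it still triggers the copy alert, and the same hash list can be fed to a file-integrity monitor, an EDR watchlist or a network DLP rule so the decoy is recognised wherever it surfaces.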