We have a blog! Check out MITRE Shield on Medium.

Mapping To Collection

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0009

ATT&CK Technique Opportunity Space AD Technique Use Case
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity to add legitimacy by ensuring the local system is with fully populated with content. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to bolster the legitimacy of the local system.
T1005 - Data from Local System In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1025 - Data from Removable Media In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1025 - Data from Removable Media In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1039 - Data from Network Shared Drive In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1039 - Data from Network Shared Drive In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1056 - Input Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
T1074 - Data Staged In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.
T1113 - Screen Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement.
T1114 - Email Collection There is an opportunity to influence an adversary to move toward systems you want them to engage with. DTE0011 - Decoy Content A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
T1115 - Clipboard Data There is an opportunity to introduce data to an adversary to influence their future behaviors. DTE0011 - Decoy Content A defender can insert into a system's clipboard decoy content for the adversary to find.
T1119 - Automated Collection In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner.
T1123 - Audio Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working.
T1123 - Audio Capture There is an opportunity to alter the system to prevent an adversary from capturing audio content. DTE0020 - Hardware Manipulation A defender can physically remove or disable a system's microphone and web camera so that audio capture is not possible.
T1125 - Video Capture There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0011 - Decoy Content A defender can introduce video content designed to make the adversary believe that their capture efforts are working.
T1125 - Video Capture There is an opportunity to alter the system to prevent an adversary from capturing video content. DTE0020 - Hardware Manipulation A defender can physically remove or disable a system's web camera and remove any video capture applications so that video capture is not possible.
T1185 - Man in the Browser In an adversary engagement scenario, there is an opportunity to prepare a user's browser data (sessions, cookies, etc.) so it looks authentic and fully populated. DTE0008 - Burn-In A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement.
T1213 - Data from Information Repositories In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1213 - Data from Information Repositories In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1530 - Data from Cloud Storage Object In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.
T1530 - Data from Cloud Storage Object In an adversary engagement scenario, there is an opportunity provide content on a variety of topics to see what types of information seems to interest the adversary. DTE0030 - Pocket Litter A defender can stage a variety of pocket litter files in order to determine if an adversary is interested in specific file types, subjects, etc.
T1557 - Man-in-the-Middle There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring A defender can monitor network traffic for anomalies associated with known MiTM behavior.
T1560 - Archive Collected Data There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. DTE0036 - Software Manipulation A defender might alter APIs to expose data that is being archived, encoded, and/or encrypted. This can also be used to corrupt the action so the data isn't usable.