For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1001 - Data Obfuscation | There is an opportunity to detect adversary activity that uses obfuscated communication. | DTE0028 - PCAP Collection | A defender can capture network traffic for a compromised system and look for abnormal network traffic that may signal data obfuscation. |
T1001 - Data Obfuscation | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that strip the obfuscation from captured network traffic and expose an adversary's command and control traffic as well as their exfiltration activity. |
T1008 - Fallback Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
T1071 - Application Layer Protocol | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1090 - Proxy | There is an opportunity to block an adversary that is seeking to use a proxied connection. | DTE0026 - Network Manipulation | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0029 - Peripheral Management | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |
T1092 - Communication Through Removable Media | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. | DTE0023 - Migrate Attack Vector | A defender who intercepts removable media being used by an adversary for relaying commands can move that media into a decoy system or network, shifting the adversary's attack vector into an environment the defender controls, and watch what commands are being relayed and what the adversary continues to do. |
T1095 - Non-Application Layer Protocol | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary. |
T1102 - Web Service | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can detect the use of external web services for communication relay. By implementing behavioral analytics that flag anomalies in which domains a system communicates with, how frequently, and at what times, a defender can potentially identify malicious traffic. |
T1104 - Multi-Stage Channels | There is an opportunity to detect an unknown process that is being used for command and control and disrupt it. | DTE0022 - Isolation | A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet. |
T1104 - Multi-Stage Channels | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. | DTE0026 - Network Manipulation | A defender could implement a protocol-aware IPS to limit systems communicating with unknown locations on the internet. |
T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
T1132 - Data Encoding | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can develop protocol decoders that reverse the adversary's encoding scheme on captured network data and expose their command and control traffic as well as their exfiltration activity. |
T1205 - Traffic Signaling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1219 - Remote Access Software | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control. |
T1568 - Dynamic Resolution | If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. | DTE0021 - Hunting | A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner. |
T1568 - Dynamic Resolution | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. | DTE0026 - Network Manipulation | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |
T1571 - Non-Standard Port | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1572 - Protocol Tunneling | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together, such as RDP carried inside an SSH or DNS session. |
T1573 - Encrypted Channel | There is an opportunity to reveal data that the adversary has tried to protect from defenders. | DTE0031 - Protocol Decoder | Defenders can reverse engineer malware and develop protocol decoders that can decrypt and expose adversary communications. |
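The Behavioral Analytics and Network Monitoring rows above (T1071, T1095, T1102 and T1571 with DTE0007/DTE0027) describe two analytics in words: flag destinations a host contacts on a suspiciously regular schedule, and flag large or unexpected outbound transfers. The script below is an added example, not part of the Shield matrix or any MITRE tooling, showing both analytics run over a handful of constructed proxy log lines. The log format (`timestamp src_ip dst_host bytes_out`), the hosts and addresses, and the thresholds (`max_cv`, `threshold_bytes`) are all assumptions chosen for the illustration; a real deployment would tune them against its own baseline.

```python
"""Added example: beaconing and large-transfer analytics over constructed proxy logs."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). Format per line:
#   <ISO-8601 timestamp> <src_ip> <dst_host> <bytes_out>
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example.org 512
2024-05-01T10:00:59 10.0.0.5 updates.example.org 498
2024-05-01T10:02:01 10.0.0.5 updates.example.org 520
2024-05-01T10:03:00 10.0.0.5 updates.example.org 505
2024-05-01T10:04:00 10.0.0.5 updates.example.org 511
2024-05-01T10:00:12 10.0.0.5 www.example.com 2048
2024-05-01T10:17:45 10.0.0.5 www.example.com 700
2024-05-01T11:03:02 10.0.0.5 www.example.com 9001
2024-05-01T10:30:00 10.0.0.7 cdn.example.net 40000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, host, int(nbytes)))
    return records


def beacon_candidates(records, min_conns=3, max_cv=0.2):
    """Return {(src, host): (mean_interval_s, cv)} for pairs whose connection
    timing is suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; a low value means the host is
    checking in on a fixed schedule, which is how most C2 beacons behave.
    Pairs with fewer than min_conns connections are skipped as too sparse.
    """
    by_pair = defaultdict(list)
    for ts, src, host, _ in records:
        by_pair[(src, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = (round(mean, 1), round(cv, 3))
    return flagged


def large_transfers(records, threshold_bytes=30000):
    """Return {(src, host): total_bytes} for pairs whose summed outbound bytes
    exceed threshold_bytes, the 'large or unexpected data transfer' signal."""
    totals = defaultdict(int)
    for _, src, host, nbytes in records:
        totals[(src, host)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, (mean, cv) in beacon_candidates(recs).items():
        print(f"beacon candidate {pair}: interval ~{mean}s, cv={cv}")
    for pair, total in large_transfers(recs).items():
        print(f"large transfer {pair}: {total} bytes")
```

On the sample data only the host checking in to `updates.example.org` roughly once a minute is reported as a beacon candidate; the browsing-like pattern to `www.example.com` has irregular gaps and is left alone, and the single 40 kB upload from `10.0.0.7` trips the transfer threshold. Both analytics are deliberately simple baselines: jittered beacons raise the CV and evade a fixed cutoff, so in practice the interval test is combined with the rarity of the destination and with the byte-count analytic rather than used on its own.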