MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Mapping To Impact

For a given ATT&CK® tactic, the table shows the adversary techniques that are used, the active defense opportunities that are created, the active defense techniques that can then be applied, and use cases to illustrate possible applications.

Details
ATT&CK ID: TA0040

| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1485 - Data Destruction | There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
| T1485 - Data Destruction | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0036 - Software Manipulation | A defender can manipulate commands on systems so an adversary is unable to delete data in the ways they normally would. |
| T1485 - Data Destruction | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for data destruction, such as SDelete. |
| T1486 - Data Encrypted for Impact | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for the execution of utilities commonly used for ransomware and other data encryption. |
| T1486 - Data Encrypted for Impact | There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
| T1489 - Service Stop | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in system service states and alerting on suspect situations, the defender can detect potential malicious activity and triage the system to re-enable the services that have been stopped. |
| T1490 - Inhibit System Recovery | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can use process monitoring to look for command execution and command-line parameters commonly used to inhibit system recovery. |
| T1491 - Defacement | There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites. | DTE0034 - System Activity Monitoring | A defender can monitor websites for unplanned content changes and generate alerts when such activity is detected. |
| T1491 - Defacement | There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content. | DTE0005 - Backup and Recovery | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |
| T1495 - Firmware Corruption | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can collect system activity and detect commands that interact with firmware. This can speed up the recovery of a system. |
| T1496 - Resource Hijacking | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | By looking for anomalies in host resource consumption and alerting on suspect activity, the defender can detect the use of system resources at odd times or at odd levels. |
| T1498 - Network Denial of Service | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. | DTE0026 - Network Manipulation | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
| T1499 - Endpoint Denial of Service | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. | DTE0026 - Network Manipulation | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
| T1499 - Endpoint Denial of Service | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. | DTE0032 - Security Controls | A defender can configure systems to block any system with a number of authentication failures in a certain window of time. |
| T1529 - System Shutdown/Reboot | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0017 - Decoy System | A defender can deploy a decoy system to see if an adversary attempts to shut down or reboot the device. |
| T1531 - Account Access Removal | There is an opportunity to create a detection with a moderately high probability of success. | DTE0034 - System Activity Monitoring | A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc. |
| T1561 - Disk Wipe | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. | DTE0036 - Software Manipulation | A defender can modify the functionality of commands that are used to delete files or format drives so they fail when used in a specific manner. |
| T1565 - Data Manipulation | In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. | DTE0011 - Decoy Content | A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices. |