For a given ATT&CK® tactic (here Reconnaissance, covering techniques T1589 through T1598), the table shows the adversary techniques that are used, the active defense opportunities they create, the active defense (AD) techniques that can then be applied, and use cases that illustrate possible applications.
ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
---|---|---|---|
T1589 - Gather Victim Identity Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0010 - Decoy Account | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
T1589 - Gather Victim Identity Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1589 - Gather Victim Identity Information | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1590 - Gather Victim Network Information | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. | DTE0014 - Decoy Network | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
T1590 - Gather Victim Network Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can seed decoy content into network service configuration files which may be consumed during an adversary's recon activity. |
T1590 - Gather Victim Network Information | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1591 - Gather Victim Org Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can expose decoy information about their organization to try to influence an adversary's future activity. |
T1591 - Gather Victim Org Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1592 - Gather Victim Host Information | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can use decoy content to give a false impression of the system when an adversary performs system information discovery. |
T1592 - Gather Victim Host Information | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0017 - Decoy System | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1593 - Search Open Websites/Domains | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can deploy a decoy website to support a deception operation or a piece of the organization's deception strategy. |
T1594 - Search Victim-Owned Websites | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity. |
T1594 - Search Victim-Owned Websites | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
T1595 - Active Scanning | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. | DTE0016 - Decoy Process | A defender can run decoy processes that expose network services on systems in a decoy network, so that an adversary's scanning discovers them and any follow-on interaction with those services can be observed. |
T1595 - Active Scanning | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. | DTE0017 - Decoy System | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
T1595 - Active Scanning | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. | DTE0027 - Network Monitoring | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |
T1596 - Search Open Technical Databases | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review for exposure. |
T1596 - Search Open Technical Databases | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
T1596 - Search Open Technical Databases | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0021 - Hunting | A defender can hunt through open technical databases for information about their organization, using a decoy persona to engage with online communities or to purchase/download that information where needed, and review what is found for exposure. |
T1597 - Search Closed Sources | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0015 - Decoy Persona | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review for exposure. |
T1597 - Search Closed Sources | There is an opportunity to introduce data to an adversary to influence their future behaviors. | DTE0011 - Decoy Content | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
T1597 - Search Closed Sources | There is an opportunity to discover who or what is being targeted by an adversary. | DTE0021 - Hunting | A defender can hunt through closed sources for information about their organization, using a decoy persona to engage with online communities or to purchase/download that information where needed, and review what is found for exposure. |
T1598 - Phishing for Information | Users trained and encouraged to report phishing can detect attacks that other defenses do not. | DTE0035 - User Training | A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks. |
T1598 - Phishing for Information | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0010 - Decoy Account | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
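Two of the rows above describe detections rather than deceptions: DTE0027 Network Monitoring against T1595 Active Scanning, and DTE0010 Decoy Account (monitoring decoy accounts for any activity) against T1589 and T1598. The following is an added example, not MITRE Shield or ATT&CK code, showing what those two checks look like run over constructed log lines. The log formats, field names, decoy account names, IP addresses and thresholds are assumptions made for this example.

```python
"""Added example (not MITRE Shield code) of two detections from the table:
 1. DTE0027 Network Monitoring vs T1595: one source touching many distinct
    destination ports on one host inside a short window (a port scan).
 2. DTE0010 Decoy Account vs T1589/T1598: any authentication attempt,
    successful or not, against a seeded decoy account.
All log lines, names and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed flow records: "<ISO time> <src> <dst> <dport> <proto>"
FLOW_LOG = """\
2024-05-01T10:00:00 203.0.113.5 192.0.2.10 22 tcp
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 23 tcp
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 80 tcp
2024-05-01T10:00:02 203.0.113.5 192.0.2.10 443 tcp
2024-05-01T10:00:02 203.0.113.5 192.0.2.10 445 tcp
2024-05-01T10:00:03 203.0.113.5 192.0.2.10 3389 tcp
2024-05-01T10:00:03 203.0.113.5 192.0.2.10 8080 tcp
2024-05-01T10:00:04 203.0.113.5 192.0.2.10 8443 tcp
2024-05-01T10:00:04 203.0.113.5 192.0.2.10 5900 tcp
2024-05-01T10:00:05 203.0.113.5 192.0.2.10 1433 tcp
2024-05-01T10:00:05 203.0.113.5 192.0.2.10 3306 tcp
2024-05-01T10:15:00 198.51.100.7 192.0.2.10 443 tcp
2024-05-01T10:15:02 198.51.100.7 192.0.2.10 443 tcp
2024-05-01T10:40:00 198.51.100.7 192.0.2.10 80 tcp
"""

# Constructed authentication records: "<ISO time> <result> user=<name> src=<ip>"
AUTH_LOG = """\
2024-05-01T10:02:11 FAIL user=jdoe src=198.51.100.7
2024-05-01T10:02:40 SUCCESS user=jdoe src=198.51.100.7
2024-05-01T10:03:05 FAIL user=svc_backup_admin src=203.0.113.5
2024-05-01T10:03:09 FAIL user=svc_backup_admin src=203.0.113.5
"""

# Decoy accounts seeded into the directory (assumed names). No legitimate
# user ever authenticates as these, so any hit is a high-confidence alert.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_tmp"}


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def parse_flows(text):
    """Yield (time, src, dst, dport) from the constructed flow log."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, _proto = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def detect_port_scans(flow_text, min_ports=10, window=timedelta(seconds=60)):
    """Alert when a source reaches >= min_ports distinct ports on one host
    within `window`; sliding window per (src, dst) pair, sorted by time."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_flows(flow_text):
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append(Alert("T1595 active scanning", src,
                                    f"{len(ports)} distinct ports on {dst} within {window}"))
                break  # one alert per (src, dst) pair is enough
    return alerts


def detect_decoy_account_use(auth_text, decoys=DECOY_ACCOUNTS):
    """Alert on any authentication attempt, FAIL or SUCCESS, naming a decoy account."""
    alerts = []
    for line in auth_text.splitlines():
        if line.strip():
            ts, result, user_kv, src_kv = line.split()
            user = user_kv.split("=", 1)[1]
            src = src_kv.split("=", 1)[1]
            if user in decoys:
                alerts.append(Alert("decoy account touched", src, f"{result} for {user} at {ts}"))
    return alerts


def run_all():
    return detect_port_scans(FLOW_LOG) + detect_decoy_account_use(AUTH_LOG)


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.rule}] src={a.src}: {a.detail}")
```

On the constructed input the scanning source (203.0.113.5) trips the port-scan rule once and then touches the decoy account twice, while the ordinary user's traffic produces nothing. The decoy-account rule deliberately fires on failures as well as successes: an adversary who harvested the account name during reconnaissance reveals themselves the moment they try it, whichever way the attempt ends.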