MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Contain

Prevent an adversary from moving outside specific bounds or constraints.

Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing the adversary from accessing certain subnets or systems based on where the adversary is operating. Defenders can also harden systems to prevent the adversary from moving laterally.

Details
ID: DTA0003

Techniques

| Technique | Description |
| --- | --- |
| DTE0001 - Admin Access | Modify a user's administrative privileges. |
| DTE0006 - Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0010 - Decoy Account | Create an account that is used for active defense purposes. |
| DTE0014 - Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0018 - Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| DTE0020 - Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
| DTE0022 - Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0023 - Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| DTE0026 - Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0032 - Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| DTE0036 - Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |