Prevent an adversary from moving outside specific bounds or constraints.
Contain is used to prevent an adversary from moving outside specific bounds or constraints. This may include preventing them from accessing certain subnets or systems based on where they are operating. Defenders can also harden systems to prevent them from moving laterally.
| Technique | Description |
|---|---|
| DTE0001 - Admin Access | Modify a user's administrative privileges. |
| DTE0006 - Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0010 - Decoy Account | Create an account that is used for active defense purposes. |
| DTE0014 - Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0018 - Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| DTE0020 - Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
| DTE0022 - Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0023 - Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| DTE0026 - Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0032 - Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| DTE0036 - Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |