Establish or maintain awareness into what an adversary is doing.
Detect is used to establish or maintain awareness into what an adversary is doing. This can be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource, or by using endpoint or network monitoring tools.
| Technique | Description |
|---|---|
| DTE0003 - API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
| DTE0004 - Application Diversity | Present the adversary with a variety of installed applications and services. |
| DTE0006 - Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0007 - Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
| DTE0010 - Decoy Account | Create an account that is used for active defense purposes. |
| DTE0011 - Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
| DTE0012 - Decoy Credentials | Create user credentials that are used for active defense purposes. |
| DTE0013 - Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
| DTE0014 - Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0015 - Decoy Persona | Develop personal information (a.k.a. a backstory) about a user and plant data to support that backstory. |
| DTE0017 - Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
| DTE0019 - Email Manipulation | Modify the flow or contents of email. |
| DTE0021 - Hunting | Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc. |
| DTE0022 - Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0026 - Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0027 - Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| DTE0028 - PCAP Collection | Collect full network traffic for future research and analysis. |
| DTE0030 - Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| DTE0031 - Protocol Decoder | Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic. |
| DTE0033 - Standard Operating Procedure | Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable. |
| DTE0034 - System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
| DTE0035 - User Training | Train users to detect malicious intent or activity, how to report it, etc. |
| DTE0036 - Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |