Establish or maintain awareness into what an adversary is doing.

Detect is used to establish or maintain awareness of what an adversary is doing. This can be accomplished by introducing a tripwire that alerts when an adversary touches a system or resource, or by using endpoint or network monitoring tools.

ID: DTA0004

DTE0003 - API Monitoring: Monitor local APIs that might be used by adversary tools and activity.
DTE0004 - Application Diversity: Present the adversary with a variety of installed applications and services.
DTE0006 - Baseline: Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
DTE0007 - Behavioral Analytics: Deploy tools that detect unusual system or user behavior.
DTE0010 - Decoy Account: Create an account that is used for active defense purposes.
DTE0011 - Decoy Content: Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.
DTE0012 - Decoy Credentials: Create user credentials that are used for active defense purposes.
DTE0013 - Decoy Diversity: Deploy a set of decoy systems with different OS and software configurations.
DTE0014 - Decoy Network: Create a target network with a set of target systems, for the purpose of active defense.
DTE0015 - Decoy Persona: Develop personal information (aka a backstory) about a user and plant data to support that backstory.
DTE0017 - Decoy System: Configure a computing system to serve as an attack target or experimental environment.
DTE0019 - Email Manipulation: Modify the flow or contents of email.
DTE0021 - Hunting: Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.
DTE0022 - Isolation: Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.
DTE0026 - Network Manipulation: Make changes to network properties and functions to achieve a desired effect.
DTE0027 - Network Monitoring: Monitor network traffic in order to detect adversary activity.
DTE0028 - PCAP Collection: Collect full network traffic for future research and analysis.
DTE0030 - Pocket Litter: Place data on a system to reinforce the legitimacy of the system or user.
DTE0031 - Protocol Decoder: Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic.
DTE0033 - Standard Operating Procedure: Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.
DTE0034 - System Activity Monitoring: Collect system activity logs which can reveal adversary activity.
DTE0035 - User Training: Train users to detect malicious intent or activity, how to report it, etc.
DTE0036 - Software Manipulation: Make changes to a system's software properties and functions to achieve a desired effect.