Techniques describe things that defenders can do in active defense. The detail page for each technique provides information about which tactics it supports, what opportunities are available based on adversary TTPs, and use cases and procedures to prompt implementation discussions.
ID | Name | Description |
---|---|---|
DTE0001 | Admin Access | Modify a user's administrative privileges. |
DTE0003 | API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
DTE0004 | Application Diversity | Present the adversary with a variety of installed applications and services. |
DTE0005 | Backup and Recovery | Make copies of key system software, configuration, and data to enable rapid system restoration. |
DTE0006 | Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
DTE0007 | Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
DTE0008 | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
DTE0010 | Decoy Account | Create an account that is used for active defense purposes. |
DTE0011 | Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
DTE0012 | Decoy Credentials | Create user credentials that are used for active defense purposes. |
DTE0013 | Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
DTE0014 | Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
DTE0015 | Decoy Persona | Develop personal information (aka a backstory) about a user and plant data to support that backstory. |
DTE0016 | Decoy Process | Execute software on a target system for the purposes of the defender. |
DTE0017 | Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
DTE0018 | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
DTE0019 | Email Manipulation | Modify the flow or contents of email. |
DTE0020 | Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
DTE0021 | Hunting | Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc. |
DTE0022 | Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
DTE0023 | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
DTE0025 | Network Diversity | Use a diverse set of devices on the network to help establish the legitimacy of a decoy network. |
DTE0026 | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
DTE0027 | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
DTE0028 | PCAP Collection | Collect full network traffic for future research and analysis. |
DTE0029 | Peripheral Management | Manage peripheral devices used on systems within the network for active defense purposes. |
DTE0030 | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
DTE0031 | Protocol Decoder | Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic. |
DTE0032 | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
DTE0033 | Standard Operating Procedure | Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable. |
DTE0034 | System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
DTE0035 | User Training | Train users to detect malicious intent or activity, how to report it, etc. |
DTE0036 | Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |
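Several of the techniques above only pay off when combined: a decoy account (DTE0010) or decoy credential (DTE0012) is useless unless System Activity Monitoring (DTE0034) is watching for its use. The script below is an added example of that seed-and-detect pairing; it is not part of the Shield catalog or any MITRE code. The auth log format, the decoy account names and the sample log lines are all constructed for illustration.

```python
"""Seed-and-detect pattern for decoy credentials (DTE0010/DTE0012)
combined with System Activity Monitoring (DTE0034).

Added example, not from MITRE Shield. The log format, decoy account
names and sample lines are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Decoy accounts seeded on a system. Names are hypothetical; in practice
# choose names that look plausible in your environment and keep them in a
# registry the SOC controls, so that any use at all is an alert.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "planted in a scheduled-task config",
    "jsmith_old": "planted in a browser credential store",
}


@dataclass
class Alert:
    account: str
    source_ip: str
    outcome: str
    note: str


# Hypothetical auth log format (constructed for this example):
#   <timestamp> auth user=<name> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) "
    r"result=(?P<result>success|failure)$"
)


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per log line that references a decoy account.

    Any use of a decoy credential, successful or not, is suspicious:
    no legitimate user or process should ever touch it, so a failed
    logon is as interesting as a successful one (it shows the decoy
    was found and tried).
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; real code would count these
        user = m.group("user")
        if user in decoys:
            alerts.append(Alert(user, m.group("ip"), m.group("result"), decoys[user]))
    return alerts


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z auth user=alice src=10.0.0.5 result=success",
    "2024-05-01T08:02:13Z auth user=svc_backup_admin src=10.0.0.77 result=failure",
    "2024-05-01T08:02:14Z auth user=svc_backup_admin src=10.0.0.77 result=success",
    "2024-05-01T08:05:00Z auth user=bob src=10.0.0.9 result=failure",
    "garbage line that does not match the expected format",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"ALERT: decoy account {a.account!r} used from {a.source_ip} "
              f"({a.outcome}); credential was {a.note}")
```

The note stored beside each decoy tells the responder where the credential was planted, which narrows down what the adversary has already read or executed on the host. Because the decoys are never used legitimately, the rule has no baseline to tune and a near-zero false-positive rate; the practical work is in making the planted credentials convincing (Pocket Litter, DTE0030) and keeping the registry of decoys in sync with what is actually seeded.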