Active Defense Techniques

Techniques describe the things defenders can do in active defense. The detail page for each technique lists the tactics it supports, the opportunities it offers based on adversary TTPs, and use cases and procedures to prompt implementation discussions.

| ID | Name | Description |
|---|---|---|
| DTE0001 | Admin Access | Modify a user's administrative privileges. |
| DTE0003 | API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
| DTE0004 | Application Diversity | Present the adversary with a variety of installed applications and services. |
| DTE0005 | Backup and Recovery | Make copies of key system software, configuration, and data to enable rapid system restoration. |
| DTE0006 | Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0007 | Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
| DTE0008 | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
| DTE0010 | Decoy Account | Create an account that is used for active defense purposes. |
| DTE0011 | Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
| DTE0012 | Decoy Credentials | Create user credentials that are used for active defense purposes. |
| DTE0013 | Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
| DTE0014 | Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0015 | Decoy Persona | Develop personal information (aka a backstory) about a user and plant data to support that backstory. |
| DTE0016 | Decoy Process | Execute software on a target system for the purposes of the defender. |
| DTE0017 | Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
| DTE0018 | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| DTE0019 | Email Manipulation | Modify the flow or contents of email. |
| DTE0020 | Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
| DTE0021 | Hunting | Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc. |
| DTE0022 | Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0023 | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| DTE0025 | Network Diversity | Use a diverse set of devices on the network to help establish the legitimacy of a decoy network. |
| DTE0026 | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0027 | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| DTE0028 | PCAP Collection | Collect full network traffic for future research and analysis. |
| DTE0029 | Peripheral Management | Manage peripheral devices used on systems within the network for active defense purposes. |
| DTE0030 | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| DTE0031 | Protocol Decoder | Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic. |
| DTE0032 | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| DTE0033 | Standard Operating Procedure | Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable. |
| DTE0034 | System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
| DTE0035 | User Training | Train users to detect malicious intent or activity, how to report it, etc. |
| DTE0036 | Software Manipulation | Make changes to a system's software properties and functions to achieve a desired effect. |