Make copies of key system software, configuration, and data to enable rapid system restoration.
Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. This is typically done to capture/restore an entire system or major subsystems.

ID | Description |
---|---|
DOS0058 | Although adversaries may attempt to delete or change important artifacts, there may be a window of time to retrieve them before that happens. |
DOS0118 | There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender. |
DOS0122 | There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender. |
DOS0124 | There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content. |

ID | Description |
---|---|
DUC0058 | A defender can back up system information on a regular basis and send it to an alternate location for storage. |
DUC0118 | A defender can ensure data is backed up on a regular basis and backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts. |

ID | Description |
---|---|
DPR0009 | Back up data on public-facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup. |
DPR0010 | Back up data on an end-user system and store it offline. If an adversary alters or deletes data on the system, restore the data using the backup copy. |
DPR0063 | In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts. |
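
The selective restoration described in DUC0118 and DPR0063, as an added example that is not part of the original page: a hash manifest taken from the backup copy identifies which live files were altered or deleted, and only the files the defender chooses are restored. The directory layout, file names, and function names are assumptions, and the sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def find_damage(live, manifest):
    """Return {relative path: 'deleted' | 'altered'} for files that differ from the backup."""
    damage = {}
    for rel, digest in manifest.items():
        target = live / rel
        if not target.is_file():
            damage[rel] = "deleted"
        elif sha256(target) != digest:
            damage[rel] = "altered"
    return damage

def restore(backup, live, manifest, selected):
    """Restore only the selected files, checking each backup copy against the manifest first."""
    restored = []
    for rel in selected:
        if rel not in manifest or sha256(backup / rel) != manifest[rel]:
            raise ValueError(f"backup copy of {rel} fails the manifest check")
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)  # copy2 also preserves timestamps
        restored.append(rel)
    return restored

def demo():
    """Constructed scenario: one file defaced, one deleted, only the first restored."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "site").mkdir(parents=True)
        (live / "site/index.html").write_text("<h1>Welcome</h1>")
        (live / "report.txt").write_text("quarterly figures")
        shutil.copytree(live, backup)       # stands in for the offline backup
        manifest = build_manifest(backup)   # assumed to be stored with the backup
        (live / "site/index.html").write_text("<h1>defaced</h1>")
        (live / "report.txt").unlink()
        before = find_damage(live, manifest)
        restored = restore(backup, live, manifest, ["site/index.html"])
        return before, restored, find_damage(live, manifest)
```

Re-running `find_damage` on a schedule after a selective restore shows whether the restored file is altered again, which is the reaction DPR0063 is meant to surface.
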

ID | Name | ATT&CK Tactics |
---|---|---|
T1485 | Data Destruction | Impact |
T1486 | Data Encrypted for Impact | Impact |
T1491 | Defacement | Impact |