We have a blog! Check out MITRE Shield on Medium.

Decoy Diversity

Deploy a set of decoy systems with different OS and software configurations.

Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. It also allows you to see if they use different TTPs on systems with different configurations.

Details
ID: DTE0013
Tactics:  Test Legitimize Facilitate

Opportunities

IDDescription
DOS0002 There is an opportunity to discover who or what is being targeting by an adversary.
DOS0008 There is an opportunity to present several public-facing application options to see what application(s) the adversary targets.
DOS0188 There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in.
DOS0191 There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use.

Use Cases

IDDescription
DUC0002 A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.
DUC0008 A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.
DUC0188 A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.
DUC0191 A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc.

Procedures

IDDescription
DPR0025 Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used.
DPR0026 Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1087 Account Discovery Discovery
T1135 Network Share Discovery Discovery
T1189 Drive-by Compromise Initial Access
T1190 Exploit Public-Facing Application Initial Access