Deploy a set of decoy systems with different OS and software configurations.
Decoy diversity is the deployment of decoy systems with varying operating systems and software configurations. Most enterprise networks contain systems that run different types and versions of operating systems and applications (Microsoft Windows, macOS, Linux, Microsoft Office, Adobe Reader, etc.). Deploying decoy systems with the same variation lets you present a realistic environment to an adversary. It also lets you observe whether the adversary uses different TTPs on systems with different configurations.
ID | Description |
---|---|
DOS0002 | There is an opportunity to discover who or what is being targeted by an adversary. |
DOS0008 | There is an opportunity to present several public-facing application options to see what application(s) the adversary targets. |
DOS0188 | There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in. |
DOS0191 | There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use. |
ID | Description |
---|---|
DUC0002 | A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, etc. to determine whether every system that visits a compromised website receives its malicious payload or only specific systems receive it. |
DUC0008 | A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit. |
DUC0078 | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
DUC0188 | A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc. |
DUC0191 | A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc. |
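The use case in DUC0002 (and the procedure in DPR0025) comes down to comparing what each differently configured decoy received from the suspect site. The following is an added example, not part of this page or of any MITRE tooling: it takes a constructed decoy inventory and constructed per-decoy observations (payload served or not) and reports which configuration attribute cleanly separates the targeted decoys from the untargeted ones. The decoy names, attributes and observation values are all made up for the illustration.

```python
from collections import defaultdict

# Constructed decoy inventory (hypothetical): each decoy varies OS, browser and locale
# so that no single attribute is tied one-to-one to another (avoids confounding).
DECOYS = {
    "decoy-01": {"os": "Windows 10",   "browser": "Edge",    "locale": "en-US"},
    "decoy-02": {"os": "Windows 10",   "browser": "Chrome",  "locale": "de-DE"},
    "decoy-03": {"os": "macOS 13",     "browser": "Chrome",  "locale": "en-US"},
    "decoy-04": {"os": "Ubuntu 22.04", "browser": "Firefox", "locale": "de-DE"},
}

# Constructed observations from one visit per decoy to the suspect site:
# True = decoy received a malicious payload, False = decoy received benign content.
OBSERVATIONS = {"decoy-01": True, "decoy-02": True, "decoy-03": False, "decoy-04": False}


def targeting_by_attribute(decoys, observations, attribute):
    """Return {attribute value: (decoys served a payload, decoys that visited)}."""
    counts = defaultdict(lambda: [0, 0])
    for decoy_id, attrs in decoys.items():
        if decoy_id not in observations:
            continue  # this decoy never visited the site, so it tells us nothing
        value = attrs[attribute]
        counts[value][1] += 1
        if observations[decoy_id]:
            counts[value][0] += 1
    return {value: tuple(c) for value, c in counts.items()}


def discriminating_attributes(decoys, observations):
    """Attributes whose values split the decoys into 'always served' and 'never served'.

    Returns {attribute: sorted list of values that were always served a payload}.
    An attribute is reported only if every one of its values was either always hit
    or never hit, and at least one value was hit and at least one was not.
    With only a handful of decoys a clean split can still be coincidence, so treat
    the result as a lead for a follow-up visit (DPR0025), not a conclusion.
    """
    attributes = set().union(*(attrs.keys() for attrs in decoys.values()))
    result = {}
    for attribute in sorted(attributes):
        counts = targeting_by_attribute(decoys, observations, attribute)
        all_or_nothing = all(hit == 0 or hit == seen for hit, seen in counts.values())
        hit_values = {v for v, (hit, seen) in counts.items() if seen and hit == seen}
        miss_values = {v for v, (hit, _) in counts.items() if hit == 0}
        if all_or_nothing and hit_values and miss_values:
            result[attribute] = sorted(hit_values)
    return result


if __name__ == "__main__":
    print(discriminating_attributes(DECOYS, OBSERVATIONS))
```

On the constructed data only the Windows decoys were served the payload while browser and locale are mixed, so the report singles out the operating system.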
ID | Description |
---|---|
DPR0025 | Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used. |
DPR0026 | Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets. |
ID | Name | ATT&CK Tactics |
---|---|---|
T1087 | Account Discovery | Discovery |
T1135 | Network Share Discovery | Discovery |
T1189 | Drive-by Compromise | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1601 | Modify System Image | Defense Evasion |