Create a target network with a set of target systems for the purpose of active defense.
Decoy networks consist of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement.
Opportunity ID | Description |
---|---|
DOS0003 | There is an opportunity to use a compromised drive-by site to start a long-term engagement with the adversary and observe the adversary's post-exploit TTPs. |
DOS0020 | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. |
DOS0231 | There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery. |
DOS0251 | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. |
Use Case ID | Description |
---|---|
DUC0003 | A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
DUC0020 | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
DUC0231 | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
DUC0251 | A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources. |
Procedure ID | Description |
---|---|
DPR0027 | Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs). |
DPR0028 | Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system. |
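The use cases and procedures above all rely on the same thing: the decoy network is instrumented, and the defender can tell which seeded decoys the adversary noticed (DOS0251, DUC0231) and when a decoy host starts talking to something outside the segment (DUC0020, DPR0028). The following is an added example of that triage step, not code from the MITRE Engage page; the decoy address range, the seeded service list and the sensor log format are all constructed for illustration.

```python
"""Triage of connection events captured inside a decoy network.

Added example; not part of the MITRE Engage page. Assumptions (constructed):
  - the decoy segment is 10.99.0.0/16;
  - the deliberately seeded decoy services are listed in SEEDED_SERVICES;
  - a sensor on the segment emits lines of the form
    "<timestamp> <src_ip> -> <dst_ip>:<dst_port>".
"""
import ipaddress
from collections import defaultdict

DECOY_NET = ipaddress.ip_network("10.99.0.0/16")  # constructed decoy range

# Seeded decoys: (host, port) -> label. Constructed for this example.
SEEDED_SERVICES = {
    ("10.99.1.10", 445): "file-server decoy",
    ("10.99.1.20", 3389): "rdp-jumpbox decoy",
    ("10.99.2.5", 443): "cloud-console decoy",
    ("10.99.3.7", 5432): "database decoy",
}

# Constructed sensor output. 10.99.1.50 is the decoy host that visited the
# compromised site (DPR0028) and is now being driven by the adversary.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z 10.99.1.50 -> 10.99.1.10:445
2024-05-01T10:00:07Z 10.99.1.50 -> 10.99.1.20:3389
2024-05-01T10:00:09Z 10.99.1.50 -> 10.99.1.20:22
2024-05-01T10:01:30Z 10.99.1.50 -> 10.99.2.5:443
2024-05-01T10:02:00Z 10.99.1.50 -> 203.0.113.9:8443
2024-05-01T10:02:05Z 10.99.1.10 -> 10.99.1.50:49152
"""


def parse_event(line):
    """Parse one sensor line into a dict; raises ValueError on malformed input."""
    ts, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected sensor line: %r" % line)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst_ip, "port": int(dst_port)}


def parse_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def triage(events):
    """Sort events into the three things the defender wants to know.

    touched    - seeded decoys the adversary has interacted with (label -> hits)
    untouched  - seeded decoys nobody has reached yet (decoys that are not
                 noticed may need to be made more discoverable)
    unexpected - connections inside the segment to ports that were not seeded
                 (adversary is probing beyond what was offered)
    outbound   - traffic leaving the decoy segment; every destination is
                 reviewed because the only permitted path out is the one
                 deliberately allowed for the engagement
    """
    touched = defaultdict(list)
    unexpected, outbound = [], []
    for ev in events:
        key = (ev["dst"], ev["port"])
        if ipaddress.ip_address(ev["dst"]) not in DECOY_NET:
            outbound.append(ev)
        elif key in SEEDED_SERVICES:
            touched[SEEDED_SERVICES[key]].append((ev["ts"], ev["src"]))
        else:
            unexpected.append(ev)
    untouched = sorted(set(SEEDED_SERVICES.values()) - set(touched))
    return {
        "touched": dict(touched),
        "untouched": untouched,
        "unexpected": unexpected,
        "outbound": outbound,
    }


def summarize(result):
    """Render the triage result as report lines for the engagement log."""
    lines = ["seeded decoys touched: %d / %d"
             % (len(result["touched"]), len(SEEDED_SERVICES))]
    for label, hits in sorted(result["touched"].items()):
        lines.append("  %s first hit %s from %s" % (label, hits[0][0], hits[0][1]))
    for label in result["untouched"]:
        lines.append("  %s not yet discovered" % label)
    for ev in result["unexpected"]:
        lines.append("probe of non-seeded port %s:%d from %s at %s"
                     % (ev["dst"], ev["port"], ev["src"], ev["ts"]))
    for ev in result["outbound"]:
        lines.append("OUTBOUND %s -> %s:%d at %s (review)"
                     % (ev["src"], ev["dst"], ev["port"], ev["ts"]))
    return lines


if __name__ == "__main__":
    for line in summarize(triage(parse_events(SAMPLE_EVENTS))):
        print(line)
```

On the constructed sample the report shows three of the four seeded decoys reached, the database decoy still undiscovered, a probe of port 22 on the RDP decoy and a return connection to the landing host that were never seeded, and one connection leaving the segment to 203.0.113.9, which is the line a defender reviews first when deciding whether the engagement is still contained.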
ATT&CK ID | Name | ATT&CK Tactics |
---|---|---|
T1189 | Drive-by Compromise | Initial Access |
T1195 | Supply Chain Compromise | Initial Access |
T1482 | Domain Trust Discovery | Discovery |
T1526 | Cloud Service Discovery | Discovery |
T1590 | Gather Victim Network Information | Reconnaissance |