Create a target network with a set of target systems for the purpose of active defense.

Decoy networks consist of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement.
| Opportunity ID | Description |
|---|---|
| DOS0003 | There is an opportunity to use a compromised drive-by site to start long-term engagement with the adversary and observe the adversary's post-exploit TTPs. |
| DOS0020 | Hardware and/or software additions can be tested and verified in controlled environments prior to deployment. |
| DOS0231 | There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery. |
| DOS0251 | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. |
| Use Case ID | Description |
|---|---|
| DUC0003 | A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise. |
| DUC0020 | A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors. |
| DUC0231 | A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary. |
| DUC0251 | A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources. |
| Procedure ID | Description |
|---|---|
| DPR0027 | Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs). |
| DPR0028 | Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system. |
| ATT&CK ID | Name | Tactic |
|---|---|---|
| T1189 | Drive-by Compromise | Initial Access |
| T1195 | Supply Chain Compromise | Initial Access |
| T1482 | Domain Trust Discovery | Discovery |
| T1526 | Cloud Service Discovery | Discovery |