MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Decoy Network

Create a target network with a set of target systems, for the purpose of active defense.

Decoy networks consist of multiple computing resources that can be used for defensive or deceptive purposes. A decoy network can be used to safely perform dynamic analysis of suspected malicious code. A defender can also use a specially crafted decoy network to perform adversary engagement.

ID: DTE0014
Tactics: Channel, Contain, Detect, Disrupt, Legitimize, Collect, Test


Opportunities

DOS0003 There is an opportunity to use a compromised drive-by site to start long-term engagement with the adversary and observe the adversary's post-exploit TTPs.
DOS0020 Hardware and/or software additions can be tested and verified in controlled environments prior to deployment.
DOS0231 There is an opportunity to extend an adversary's engagement period by creating a decoy network that systems can discover when performing trust discovery.
DOS0251 There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them.

Use Cases

DUC0003 A defender seeking to learn about post-compromise adversary activity could visit the compromised website with a system in a decoy network that has been designed to sustain an adversary engagement past the initial compromise.
DUC0020 A defender can install any suspect hardware or software on an isolated system or network and monitor for non-standard behaviors.
DUC0231 A defender can create a decoy network that contains systems which are easily discoverable and appealing to an adversary.
DUC0251 A defender can use a decoy network and seed it with cloud services to see how an adversary might exploit those resources.


Procedures

DPR0027 Create an isolated network populated with decoy systems that can be used to study an adversary's tactics, techniques, and procedures (TTPs).
DPR0028 Use a segregated network to visit a compromised site. If the machine becomes infected, allow the machine to remain on with internet access to see if an adversary engages and takes action on the system.

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1189 | Drive-by Compromise | Initial Access
T1195 | Supply Chain Compromise | Initial Access
T1482 | Domain Trust Discovery | Discovery
T1526 | Cloud Service Discovery | Discovery
T1590 | Gather Victim Network Information | Reconnaissance