Configure devices, systems, networks, etc. to contain activity and data, either to support inspection or to keep an engagement from expanding beyond the limits the defender has set.
Using isolation, a defender can prevent potentially malicious activity before it starts, or limit its effectiveness and scope once it is under way. A defender can also observe the behavior of adversaries and their tools without exposing unintended targets to them.
| Opportunity ID | Description |
|---|---|
| DOS0010 | There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary. |
| DOS0012 | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. |
| DOS0160 | There is an opportunity to detect an unknown process that is being used for command and control and disrupt it. |
| Use case ID | Description |
|---|---|
| DUC0010 | A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors. |
| DUC0014 | A defender can set up protections so removable media cannot be mounted until an isolated review process has cleared the drive. |
| DUC0160 | A defender can isolate unknown processes that are being used for command and control and prevent them from reaching the internet. |
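Added example, not part of the original catalog: a Python review pass of the kind DUC0014 describes, run against a volume mounted read-only on an isolated review host before any workstation is allowed to mount it. It hashes every file, flags autorun metadata files, executable or script extensions, and executable magic bytes hiding behind a harmless extension, skips files whose SHA-256 is on an allowlist, and reports anything it cannot read. The flagged name and extension lists, the allowlist and the sample volume the script builds for itself are constructed assumptions; the only output is the verdict.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional, Set, Tuple

# Assumed policy lists (not from the catalog): names that abuse autorun/shell handling,
# extensions Windows will execute directly, and magic bytes of native executables.
SUSPECT_NAMES = {"autorun.inf", "desktop.ini"}
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                      ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O"}


class Finding(NamedTuple):
    path: str      # relative to the mount point
    sha256: str    # empty when the file could not be read
    reason: str


def _hash_and_head(path: Path) -> Tuple[str, bytes]:
    """Stream the file once, returning its SHA-256 and its first four bytes."""
    digest = hashlib.sha256()
    head = b""
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(1 << 16)
            if not chunk:
                break
            if not head:
                head = chunk[:4]
            digest.update(chunk)
    return digest.hexdigest(), head


def _reason_for(rel: Path, head: bytes) -> Optional[str]:
    """Why this file blocks clearance, or None if nothing about it stands out."""
    if rel.name.lower() in SUSPECT_NAMES:
        return "autorun/shell metadata file"
    ext = rel.suffix.lower()
    if ext in SUSPECT_EXTENSIONS:
        return f"executable or script extension {ext}"
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return f"{kind} executable header behind {ext or 'no'} extension"
    return None


def review_volume(mount_point: str, allowed_sha256: Set[str] = frozenset()) -> List[Finding]:
    """Walk a read-only mounted volume and collect everything that blocks clearance."""
    root = Path(mount_point)
    findings: List[Finding] = []
    files = [p for p in root.rglob("*") if p.is_file() and not p.is_symlink()]
    for path in sorted(files, key=lambda p: str(p.relative_to(root))):
        rel = path.relative_to(root)
        try:
            digest, head = _hash_and_head(path)
        except OSError as exc:
            # A file the reviewer cannot inspect must not be waved through.
            findings.append(Finding(str(rel), "", f"unreadable: {exc.strerror}"))
            continue
        if digest in allowed_sha256:
            continue   # known-good content, whatever it is called
        reason = _reason_for(rel, head)
        if reason:
            findings.append(Finding(str(rel), digest, reason))
    return findings


def is_cleared(findings: List[Finding]) -> bool:
    """The mount gate: True only when the review produced no findings."""
    return not findings


def build_constructed_sample() -> str:
    """Constructed test data standing in for a mounted volume; not a real capture."""
    volume = tempfile.mkdtemp(prefix="usb-review-")
    contents = {
        "readme.txt": b"Quarterly figures attached.\n",
        "notes.docx": b"PK\x03\x04" + b"\x00" * 32,
        "autorun.inf": b"[autorun]\r\nopen=tools\\setup.exe\r\n",
        "photo.jpg": b"MZ\x90\x00" + b"\x01" * 61,       # PE file renamed to look like an image
        "tools/setup.exe": b"MZ\x90\x00" + b"\x00" * 61,
    }
    for rel, data in contents.items():
        target = Path(volume, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return volume


if __name__ == "__main__":
    results = review_volume(build_constructed_sample())
    for f in results:
        print(f"{f.path}: {f.reason} ({f.sha256[:12]})")
    print("cleared" if is_cleared(results) else "blocked")
```

On a review host the verdict would be wired into the mount path (for example a mount helper that refuses to proceed unless `is_cleared` is true); the script deliberately does not mount anything itself. The hash allowlist is what lets a reviewer release a known installer without loosening the name or magic checks for everything else.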
| Procedure ID | Description |
|---|---|
| DPR0040 | Unplug an infected system from the network and disable any other means of communication. |
| DPR0066 | Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries. |
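Added example, not part of the original page: triage of a host's outbound connections to find processes with no known reason to reach the internet, and an egress-quarantine plan for them, in the spirit of DUC0160 and DPR0066. The `ss -tnp` lines, the pid-to-binary map (which a live host would read from `/proc/<pid>/exe`), the egress allowlist and the cgroup name are constructed assumptions. The plan assumes a Linux host with the cgroup v2 hierarchy mounted at `/sys/fs/cgroup`, an nftables build that supports the `socket cgroupv2` expression, and a kernel with `CONFIG_INET_DIAG_DESTROY` for `ss -K`; it is printed, not executed, and needs root to apply.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample resembling `ss -tnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB 0      0      10.0.0.5:44122      203.0.113.7:443     users:(("firefox",pid=2231,fd=88))
ESTAB 0      0      10.0.0.5:51560      198.51.100.21:8443  users:(("kworker_upd",pid=4107,fd=12))
ESTAB 0      0      10.0.0.5:37720      10.0.0.2:22         users:(("ssh",pid=913,fd=3))
ESTAB 0      0      127.0.0.1:5432      127.0.0.1:40010     users:(("postgres",pid=601,fd=9))
ESTAB 0      0      10.0.0.5:40882      198.51.100.77:80    users:(("python3",pid=3300,fd=5))
"""

# Constructed stand-in for readlink("/proc/<pid>/exe"); a live host reads this from /proc.
SAMPLE_EXE_PATHS: Dict[int, str] = {
    2231: "/usr/lib/firefox/firefox",
    4107: "/tmp/.cache/kworker_upd (deleted)",   # dropped to a temp dir, unlinked after exec
    913: "/usr/bin/ssh",
    601: "/usr/lib/postgresql/15/bin/postgres",
    3300: "/usr/bin/python3.11",
}

# Assumed allowlist of binaries permitted to reach the internet from this host.
ALLOWED_EXE: Set[str] = {"/usr/lib/firefox/firefox", "/usr/bin/ssh", "/usr/bin/curl"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

SS_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+\S+\s+(\S+):(\d+)\s+users:(.*)$")
SS_PROC = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


@dataclass(frozen=True)
class Suspect:
    pid: int
    comm: str
    exe: str
    peer: str
    reason: str


def is_external(addr: str) -> bool:
    """True for peers outside loopback, link-local and the assumed internal ranges."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def classify_binary(exe: str, allowed: Set[str]) -> Optional[str]:
    """Why this binary should not have internet access, or None if it is trusted."""
    reasons = []
    deleted = exe.endswith(" (deleted)")
    path = exe[: -len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("binary unlinked after exec")
    if path.startswith(WRITABLE_DIRS):
        reasons.append("runs from a writable or user directory")
    if path not in allowed:
        reasons.append("not on the egress allowlist")
    return "; ".join(reasons) if reasons else None


def find_unknown_egress(ss_output: str, exe_paths: Dict[int, str],
                        allowed: Set[str] = ALLOWED_EXE) -> List[Suspect]:
    """Pair each externally connected socket with its owning process and judge the binary."""
    suspects: List[Suspect] = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue   # header line, or a socket with no owning process shown
        peer, port, procs = m.groups()
        if not is_external(peer):
            continue   # internal peers are out of scope for an internet-egress check
        for comm, pid in SS_PROC.findall(procs):
            exe = exe_paths.get(int(pid), "<unreadable>")   # unreadable exe is itself suspicious
            reason = classify_binary(exe, allowed)
            if reason:
                suspects.append(Suspect(int(pid), comm, exe, f"{peer}:{port}", reason))
    return suspects


def quarantine_plan(suspects: List[Suspect], cgroup: str = "quarantine") -> List[str]:
    """Root shell commands (returned, not run) that cut the suspects off from the internet."""
    if not suspects:
        return []
    cmds = [
        f"mkdir -p /sys/fs/cgroup/{cgroup}",
        "nft add table inet egress_quarantine",
        "nft add chain inet egress_quarantine output '{ type filter hook output priority 0; }'",
        # The drop rule is installed before any process is moved, so there is no egress window.
        f'nft add rule inet egress_quarantine output socket cgroupv2 level 1 "{cgroup}" '
        'oifname != "lo" counter drop',
    ]
    for pid in sorted({s.pid for s in suspects}):
        cmds.append(f"echo {pid} > /sys/fs/cgroup/{cgroup}/cgroup.procs")
    # A socket keeps the cgroup it was created in, so the rule above does not touch
    # connections that already exist; those are closed explicitly by peer.
    for peer in sorted({s.peer for s in suspects}):
        cmds.append(f"ss -K -tn 'dst {peer}'")
    return cmds


if __name__ == "__main__":
    found = find_unknown_egress(SAMPLE_SS_OUTPUT, SAMPLE_EXE_PATHS)
    for s in found:
        print(f"pid {s.pid} ({s.comm}) -> {s.peer}: {s.reason} [{s.exe}]")
    print("\n".join(quarantine_plan(found)))
```

The ordering in the plan matters: the cgroup drop rule goes in first, then the processes are moved, then the live sockets are killed, so a quarantined implant that reconnects lands on the drop rule rather than in a gap between steps. Loopback is exempted so the process keeps talking to local services and can still be observed; if full containment is wanted, `DPR0040` (unplugging the host) remains the blunt alternative.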
| ATT&CK ID | Name | ATT&CK Tactics |
|---|---|---|
| T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
| T1104 | Multi-Stage Channels | Command and Control |
| T1200 | Hardware Additions | Initial Access |