Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.
Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets.
| ID | Opportunity |
|---|---|
| DOS0010 | There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary. |
| DOS0012 | There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems. |
| DOS0160 | There is an opportunity to detect an unknown process that is being used for command and control and disrupt it. |
| ID | Use Case |
|---|---|
| DUC0010 | A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors. |
| DUC0014 | A defender can set up protections so removable media cannot be mounted until an isolated review process has cleared the drive. |
| DUC0160 | A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet. |
| ID | Procedure |
|---|---|
| DPR0040 | Unplug an infected system from the network and disable any other means of communication. |
| DPR0066 | Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries. |
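The two procedures above, together with use case DUC0160, describe network containment of a host and of a single suspect process. The script below is an added example, not MITRE Engage material: it generates an nftables ruleset that drops all outbound traffic from a Linux host by default, blocks and logs every packet from processes running under the suspect account's UID (placed first, so an already-open command-and-control session is cut too), and leaves open only loopback, replies to an analyst's existing session, and a TLS-syslog path to one log collector so evidence keeps flowing. The collector and analyst addresses and the UID are caller-supplied; the values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not MITRE Engage's own material): emit an nftables ruleset
# that contains a suspect Linux host without pulling the cable, so memory
# and running processes survive for forensics.

# build_containment_ruleset COLLECTOR_IPV4 ANALYST_IPV4 SUSPECT_UID
#   Prints a ruleset that:
#   1. blocks and logs every packet sent by processes running as SUSPECT_UID
#      (DUC0160: the unknown process loses internet access, while each
#      attempt is still visible in the kernel log);
#   2. drops all other outbound traffic by default (DPR0040: disable any
#      other means of communication, DNS included);
#   3. keeps loopback, replies to the analyst's already-open session, and a
#      syslog-over-TLS path to one collector so evidence keeps shipping.
build_containment_ruleset() {
  collector="$1"
  analyst="$2"
  suspect_uid="$3"

  # refuse a non-numeric UID rather than emit a ruleset nft would reject
  case "$suspect_uid" in
    ''|*[!0-9]*)
      echo "build_containment_ruleset: UID must be numeric" >&2
      return 1 ;;
  esac

  cat <<EOF
table inet containment {
  chain output {
    type filter hook output priority 0; policy drop;

    # suspect process first, before any established-flow shortcut,
    # so an existing command-and-control connection is cut as well
    meta skuid ${suspect_uid} log prefix "contained-uid-${suspect_uid}: " drop

    # local analysis tooling keeps working
    oifname "lo" accept

    # replies on the session the analyst opened to this host (e.g. SSH)
    ip daddr ${analyst} ct state established,related accept

    # the single permitted new destination: syslog over TLS to the collector
    ip daddr ${collector} tcp dport 6514 accept
  }
}
EOF
}

# Usage (as root, after the ruleset has been reviewed); addresses and UID are
# constructed placeholders:
#   build_containment_ruleset 198.51.100.10 203.0.113.7 1001 | nft -f /dev/stdin
```

Only the output hook is shown; the inbound direction needs its own chain, and the rule order is the point: the per-UID drop must precede any `ct state established` accept, otherwise a connection the suspect process opened before containment would keep flowing.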
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
| T1104 | Multi-Stage Channels | Command and Control |
| T1200 | Hardware Additions | Initial Access |