Make changes to network properties and functions to achieve a desired effect.
Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed.
| ID | Description |
|---|---|
| DOS0130 | There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service. |
| DOS0159 | There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity. |
| DOS0164 | There is an opportunity to block an adversary that is seeking to use a proxied connection. |
| DOS0174 | There is an opportunity to disrupt or enable an adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location. |
| DOS0246 | An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure. |
| ID | Description |
|---|---|
| DUC0126 | A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation. |
| DUC0152 | A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternatively, a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft. |
| DUC0153 | A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information. |
| DUC0158 | A defender can block certain adversary-used protocols between systems in order to prevent lateral tool transfer. |
| DUC0161 | A defender could implement a protocol-aware IPS to limit systems communicating to unknown locations on the internet. |
| DUC0164 | A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists. |
| DUC0174 | A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols. |
| DUC0175 | A defender can restrict network traffic, making adversary exfiltration slow or unreliable. |
| DUC0246 | A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure. |
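As an added example (not code from MITRE or from the original page), the following Python policy engine applies several of the use cases above to constructed flow records: rate-based DoS detection that throttles a flooding source (DUC0126), blocking a known C2 address and then watching which new external destinations the same host reaches as candidate additional infrastructure (DUC0153, DUC0246), and denying outbound SMB that leaves the internal range (DUC0152). The internal range, the thresholds, the C2 entry and the sample flows are all assumed placeholders.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")     # assumed internal address range
KNOWN_C2 = {"203.0.113.10"}             # constructed placeholder C2 address (block list)
DOS_WINDOW = 10                         # sliding window in seconds
DOS_THRESHOLD = 20                      # flows per source per window before throttling


class NetworkManipulator:
    """Returns one decision per flow: allow, allow-observe, block, deny-smb or throttle."""

    def __init__(self, known_c2=KNOWN_C2, window=DOS_WINDOW, threshold=DOS_THRESHOLD):
        self.blocked = set(known_c2)       # DUC0164/DUC0246: known C2 block list
        self.window = window
        self.threshold = threshold
        self.throttled = set()             # DUC0126: sources currently rate-limited
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.c2_contacts = set()           # hosts that tried to reach a blocked C2
        self.fallback = defaultdict(set)   # DUC0153: new external dsts seen afterwards

    def evaluate(self, ts, src, dst, dport):
        src_ip, dst_ip = ip_address(src), ip_address(dst)

        # DUC0126: count flows per source in a sliding window; throttle a flood
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.throttled.add(src)
        if src in self.throttled:
            return "throttle"

        # DUC0164/DUC0246: block the primary C2 and remember who tried to reach it
        if dst in self.blocked:
            self.c2_contacts.add(src)
            return "block"

        # DUC0153: after the block, a new external destination from the same host is
        # a candidate for additional C2 infrastructure; allow it but record it
        if src in self.c2_contacts and dst_ip not in INTERNAL:
            self.fallback[src].add(dst)
            return "allow-observe"

        # DUC0152: deny outbound SMB that leaves the internal range
        if dport == 445 and src_ip in INTERNAL and dst_ip not in INTERNAL:
            return "deny-smb"

        return "allow"


# Constructed sample flows: (timestamp, src, dst, dport)
SAMPLE_FLOWS = [
    (1, "10.0.0.5", "203.0.113.10", 443),   # beacon to the known C2 -> block
    (2, "10.0.0.5", "198.51.100.7", 443),   # same host, new external dst -> allow-observe
    (3, "10.0.0.5", "10.0.0.9", 445),       # internal SMB -> allow
    (4, "10.0.0.6", "192.0.2.20", 445),     # SMB leaving the network -> deny-smb
] + [(5, "10.0.0.7", "10.0.0.1", 80)] * 25  # 25 flows in one second -> throttled after 20


def run_sample():
    """Evaluate the constructed flows and return (decisions, engine) for inspection."""
    engine = NetworkManipulator()
    decisions = [engine.evaluate(*flow) for flow in SAMPLE_FLOWS]
    return decisions, engine


if __name__ == "__main__":
    decisions, engine = run_sample()
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(flow, "->", decision)
    print("candidate fallback infrastructure:", dict(engine.fallback))
```

In a real deployment the returned decisions would be translated into firewall, IPS or traffic-shaping rules; the value of the `allow-observe` path is that blocking only the primary C2 lets the defender see what the implant falls back to, which is what DUC0153 and DUC0246 describe.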
| ID | Description |
|---|---|
| DPR0045 | Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope. |
| DPR0046 | Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities. |
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1008 | Fallback Channels | Command and Control |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1090 | Proxy | Command and Control |
| T1104 | Multi-Stage Channels | Command and Control |
| T1187 | Forced Authentication | Credential Access |
| T1498 | Network Denial of Service | Impact |
| T1499 | Endpoint Denial of Service | Impact |
| T1568 | Dynamic Resolution | Command and Control |
| T1570 | Lateral Tool Transfer | Lateral Movement |