We have a blog! Check out MITRE Shield on Medium.

Network Manipulation

Make changes to network properties and functions to achieve a desired effect.

Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed.

Details
ID: DTE0026
Tactics:  Contain Disrupt Facilitate Channel Detect Test

Opportunities

IDDescription
DOS0130 There is an opportunity to alter the network configuration in order to disrupt an adversary who is trying to saturate the network or a system via denial of service.
DOS0159 There is an opportunity to manipulate the network to allow/deny certain types of traffic, to degrade network traffic, or otherwise impact an adversary's activity.
DOS0164 There is an opportunity to block an adversary that is seeking to use a proxied connection.
DOS0174 There is an opportunity to disrupt or enable and adversary's exfiltration activities by blocking/unblocking the traffic to their Command and Control (C2) location.
DOS0246 An adversary may attempt to dynamically determine the C2 address to communicate with. This gives a defender an opportunity to discover additional infrastructure.

Use Cases

IDDescription
DUC0126 A defender can configure network devices to analyze network traffic, detect a potential DoS attack, and make appropriate adjustments to mitigate the situation.
DUC0152 A defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Alternative a defender could redirect outbound SMB requests to a decoy system to thwart attempted credential theft
DUC0153 A defender can identify and block specific adversary Command and Control (C2) traffic to see how an adversary responds, possibly exposing additional C2 information.
DUC0158 A defender can block certain adversary used protocols used between systems in order to prevent lateral tool transfer.
DUC0161 A defender could implement a protocol aware IPS to limit systems communicating to unknown locations on the internet.
DUC0164 A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists.
DUC0174 A defender can prevent or enable use of alternate protocols for exfiltration by blocking/unblocking unnecessary ports and protocols.
DUC0175 A defender can restrict network traffic making adversary exfiltration slow or unreliable.
DUC0246 A defender can block primary C2 domains and IPs to determine if the malware or adversary has the ability to reach out to additional infrastructure.

Procedures

IDDescription
DPR0045 Add a kill switch to a decoy network that can be used to shutdown all network communication if an adversary takes an action that is out of the desired scope.
DPR0046 Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1008 Fallback Channels Command and Control
T1041 Exfiltration Over C2 Channel Exfiltration
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1090 Proxy Command and Control
T1104 Multi-Stage Channels Command and Control
T1187 Forced Authentication Credential Access
T1498 Network Denial of Service Impact
T1499 Endpoint Denial of Service Impact
T1568 Dynamic Resolution Command and Control
T1570 Lateral Tool Transfer Lateral Movement