
Network Monitoring

Monitor network traffic in order to detect adversary activity.

Network monitoring involves capturing network activity data, including server, firewall, and other relevant logs. A defender can then review those logs directly or forward them to a centralized collection location for further analysis.

Details
ID: DTE0027
Tactics: Detect, Collect

Opportunities

ID        Description
DOS0198   There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.

Use Cases

ID        Description
DUC0089   A defender can monitor network traffic for anomalies associated with known MiTM behavior.
DUC0159   A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together, such as RDP tunneled over TCP.
DUC0198   The defender can implement network monitoring for, and alert on, anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
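One way to put DUC0159 and DUC0198 into practice, as an added example that is not MITRE Shield's own code: a small Python script that runs two detection rules over constructed Zeek-style conn.log records, one for a known service carried on a port it does not normally use and one for an unusually large outbound transfer. The internal address range, the expected port per service, and the byte threshold are assumptions for the example and would be tuned to the monitored network.

```python
import ipaddress

# Assumptions for this example (not from the Shield page): the defender's internal
# ranges, the port each detected service normally uses, and a per-connection threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_PORTS = {"ssh": {22}, "rdp": {3389}, "http": {80, 8080}, "dns": {53}}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB sent by one connection
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
          "duration", "orig_bytes", "resp_bytes"]

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def parse_conn_line(line):
    """Parse one tab-separated conn record; '-' port/byte fields become 0."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0
    return rec

def find_anomalies(lines):
    """Return (record, reason) pairs for records that match a detection rule."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        rec = parse_conn_line(line)
        svc = rec["service"]
        # Rule 1: a recognised service on a port it does not normally use,
        # e.g. RDP carried inside a 443 connection (DUC0159; T1571, T1572).
        if svc in EXPECTED_PORTS and rec["resp_p"] not in EXPECTED_PORTS[svc]:
            hits.append((rec, f"{svc} on non-standard port {rec['resp_p']}"))
        # Rule 2: an internal host pushing a large volume outside (DUC0198; T1029).
        if (is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"])
                and rec["orig_bytes"] >= LARGE_TRANSFER_BYTES):
            hits.append((rec, f"large outbound transfer of {rec['orig_bytes']} bytes"))
    return hits

# Constructed sample records in the FIELDS column order (tab-separated).
SAMPLE_LOG = """\
#fields ts orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes
1600000000.1\t10.0.0.5\t51000\t10.0.0.9\t3389\ttcp\trdp\t120.0\t40000\t900000
1600000001.2\t10.0.0.5\t51001\t203.0.113.7\t443\ttcp\trdp\t300.0\t80000\t1200000
1600000002.3\t10.0.0.8\t51002\t198.51.100.3\t443\ttcp\tssl\t900.0\t73400320\t52000
1600000003.4\t10.0.0.8\t51003\t10.0.0.2\t53\tudp\tdns\t0.1\t60\t120
"""
if __name__ == "__main__":
    for rec, reason in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{rec['orig_h']} -> {rec['resp_h']}:{rec['resp_p']}  {reason}")
```

Of the four constructed records, the script flags the RDP session to an external host on port 443 and the 70 MiB upload; the normal RDP and DNS connections pass.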

Procedures

ID        Description
DPR0047   Capture network logs for internet-facing devices and send those logs to a central collection location.
DPR0048   Capture all network device (router, switch, proxy, etc.) logs on a decoy network and send those logs to a central collection location.

ATT&CK® Techniques

ID      Name                        ATT&CK Tactics
T1021   Remote Services             Lateral Movement
T1029   Scheduled Transfer          Exfiltration
T1071   Application Layer Protocol  Command and Control
T1205   Traffic Signaling           Defense Evasion, Persistence, Command and Control
T1557   Man-in-the-Middle           Credential Access, Collection
T1570   Lateral Tool Transfer       Lateral Movement
T1571   Non-Standard Port           Command and Control
T1572   Protocol Tunneling          Command and Control