Monitor network traffic in order to detect adversary activity.
Network monitoring involves capturing network activity data, including server, firewall, and other relevant logs. A defender can then review the data directly or forward it to a centralized collection location for further analysis.
| ID | Opportunity |
|---|---|
| DOS0198 | There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. |

| ID | Use Case |
|---|---|
| DUC0089 | A defender can monitor network traffic for anomalies associated with known MiTM behavior. |
| DUC0159 | A defender can monitor for systems establishing connections using encapsulated protocols not commonly used together such as RDP tunneled over TCP. |
| DUC0198 | The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. |

| ID | Procedure |
|---|---|
| DPR0047 | Capture network logs for internet-facing devices and send those logs to a central collection location. |
| DPR0048 | Capture all network device (router, switches, proxy, etc.) logs on a decoy network and send those logs to a central collection location. |
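The use cases above (DUC0159's unusual protocol encapsulation, DUC0198's non-standard ports and large transfers) are the kind of rule a central collector applies to connection summaries on ingest. The following is an added example, not code from the MITRE Engage page or any product it describes: it runs three such checks over constructed flow records shaped like Zeek conn.log or NetFlow entries. The port table, the tunnel pairings, the 50 MiB threshold, the internal address ranges and every sample flow are assumptions made for the example.

```python
"""Flow-level detections for the Engage use cases above (added example).

The flow records, port table, tunnel pairings and thresholds are constructed
for this example and are not values taken from the MITRE Engage page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One connection summary, in the shape a Zeek conn.log or NetFlow export gives."""
    ts: str
    src: str
    dst: str
    dst_port: int
    services: tuple  # application protocols seen in the stream, outermost first
    orig_bytes: int  # bytes sent by the originator


@dataclass(frozen=True)
class Alert:
    ref: str      # ATT&CK technique or Engage use case the rule maps to
    reason: str
    flow: Flow


# Ports each service is expected on in this (assumed) environment.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "ssl": {443, 8443},
    "ssh": {22},
    "rdp": {3389},
    "dns": {53},
    "smb": {445},
}

# Outer/inner protocol combinations not normally seen together (assumption).
TUNNEL_PAIRS = {("ssh", "rdp"), ("ssl", "rdp"), ("http", "smb"), ("dns", "http")}

# Address space treated as internal for this example (assumption).
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))

LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB from one originator in one flow


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_non_standard_port(flow: Flow) -> Optional[Alert]:
    """T1571: the outer service runs on a port it is not expected on."""
    outer = flow.services[0]
    expected = EXPECTED_PORTS.get(outer)
    if expected is not None and flow.dst_port not in expected:
        return Alert("T1571", f"{outer} on unexpected port {flow.dst_port}", flow)
    return None


def check_tunneling(flow: Flow) -> Optional[Alert]:
    """T1572 / DUC0159: an inner protocol rides inside an outer one it is not normally paired with."""
    outer = flow.services[0]
    for inner in flow.services[1:]:
        if (outer, inner) in TUNNEL_PAIRS:
            return Alert("T1572", f"{inner} tunneled inside {outer}", flow)
    return None


def check_large_transfer(flow: Flow) -> Optional[Alert]:
    """DUC0198 / T1570: one flow moves far more data than a single session normally would."""
    if flow.orig_bytes < LARGE_TRANSFER_BYTES:
        return None
    if is_internal(flow.src) and is_internal(flow.dst):
        return Alert("T1570", f"{flow.orig_bytes} bytes between internal hosts", flow)
    return Alert("DUC0198", f"{flow.orig_bytes} bytes outbound to external host", flow)


CHECKS = (check_non_standard_port, check_tunneling, check_large_transfer)


def analyze(flows) -> list:
    """Run every check over every flow, as a central collector would on ingest."""
    alerts = []
    for flow in flows:
        for check in CHECKS:
            alert = check(flow)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample flows (timestamps, addresses and sizes are made up).
SAMPLE_FLOWS = (
    Flow("2024-05-01T09:00:00Z", "10.0.0.5", "10.0.0.20", 3389, ("rdp",), 120_000),
    Flow("2024-05-01T09:00:04Z", "10.0.0.5", "203.0.113.9", 443, ("ssl",), 6_000),
    Flow("2024-05-01T09:01:10Z", "10.0.0.7", "198.51.100.4", 443, ("ssh",), 900),
    Flow("2024-05-01T09:02:31Z", "10.0.0.7", "10.0.0.20", 22, ("ssh", "rdp"), 4_000),
    Flow("2024-05-01T09:05:00Z", "10.0.0.9", "203.0.113.9", 443, ("ssl",), 80_000_000),
    Flow("2024-05-01T09:06:45Z", "10.0.0.9", "10.0.0.50", 445, ("smb",), 80_000_000),
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        f = alert.flow
        print(f"{alert.ref:8} {f.src} -> {f.dst}:{f.dst_port}  {alert.reason}")
```

Only the outermost protocol is checked against the port table, so an RDP session inside SSH on port 22 produces a single tunneling alert rather than a duplicate non-standard-port alert; the large-transfer rule distinguishes internal-to-internal volume (which the page maps to Lateral Tool Transfer) from outbound volume. In a real deployment the port table and threshold would come from a baseline of the monitored network rather than from constants.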
| ID | ATT&CK Technique | Tactics |
|---|---|---|
| T1021 | Remote Services | Lateral Movement |
| T1071 | Application Layer Protocol | Command and Control |
| T1205 | Traffic Signaling | Defense Evasion, Persistence, Command and Control |
| T1557 | Man-in-the-Middle | Credential Access, Collection |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1571 | Non-Standard Port | Command and Control |
| T1572 | Protocol Tunneling | Command and Control |