MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Standard Operating Procedure

Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.

Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to.

Details
ID: DTE0033
Tactics: Detect, Disrupt

Opportunities

ID  Description
DOS0027 There is an opportunity to create a detection with a moderately high probability of success.
DOS0095 There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures.

Use Cases

ID  Description
DUC0047 A defender can detect user accounts created outside the acceptable process.
DUC0054 A defender can define operating procedures for adding services and alert when they are not followed.
DUC0061 A defender can define operating procedures for modifying GPOs and alert when they are not followed.
DUC0095 A defender can implement a standard operating procedure that restricts a user from completing 2FA or MFA more than once without another process being invoked.
DUC0254 A defender can define operating procedures for interacting with cloud services and alert when they are not followed.

Procedures

ID  Description
DPR0057 Require approvals and waivers for users to make changes to their system that require administrative access. Any change not made through this process is suspect and immediately investigated as malicious activity.
DPR0058 Create a development library that all users must use to interact with any hosted databases. This library rewrites queries into a distinctive form that is difficult to produce by hand. Any query made without the library is then obvious to detect and is immediately investigated as malicious activity.
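The approval-based check behind DUC0047 and DPR0057, as an added example that is not MITRE's or any product's code: each administrative change (account creation, service install, GPO edit) is matched against an approval record for the same object, actor and change window, and anything unmatched is flagged for investigation. The event and approval records, their field names and the sample data are all constructed for illustration.

```python
"""Flag administrative changes that were not made through the approved process."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeEvent:
    time: datetime
    kind: str       # assumed change categories: "account_created", "service_installed", "gpo_modified"
    target: str     # the object that changed (account name, service name, GPO name)
    actor: str      # the account that performed the change


@dataclass(frozen=True)
class Approval:
    kind: str
    target: str
    approved_actor: str
    window_start: datetime
    window_end: datetime


def is_covered(event: ChangeEvent, approvals: list[Approval]) -> bool:
    """True if some approval matches the change type, object, actor and time window."""
    return any(
        a.kind == event.kind and a.target == event.target
        and a.approved_actor == event.actor
        and a.window_start <= event.time <= a.window_end
        for a in approvals
    )


def find_out_of_process(events: list[ChangeEvent], approvals: list[Approval]) -> list[ChangeEvent]:
    """Every change with no covering approval is suspect under the SOP."""
    return [e for e in events if not is_covered(e, approvals)]


# Constructed sample data: one approved creation, one by an unapproved actor,
# one outside its change window, and one service install with no approval at all.
T0 = datetime(2021, 9, 1, 9, 0)
APPROVALS = [
    Approval("account_created", "svc-backup", "admin.jdoe", T0, T0 + timedelta(hours=2)),
    Approval("account_created", "svc-etl", "admin.jdoe", T0, T0 + timedelta(hours=2)),
]
EVENTS = [
    ChangeEvent(T0 + timedelta(minutes=30), "account_created", "svc-backup", "admin.jdoe"),
    ChangeEvent(T0 + timedelta(minutes=45), "account_created", "svc-etl", "WEBSRV01$"),
    ChangeEvent(T0 + timedelta(hours=5), "account_created", "helpdesk2", "admin.jdoe"),
    ChangeEvent(T0 + timedelta(hours=1), "service_installed", "UpdaterSvc", "admin.jdoe"),
]

if __name__ == "__main__":
    for e in find_out_of_process(EVENTS, APPROVALS):
        print(f"SUSPECT {e.kind} target={e.target} actor={e.actor} at {e.time:%Y-%m-%d %H:%M}")
```

The check is only as good as the approval feed: a change ticket that is missing, stale or too broad in its window turns a real SOP violation into a false negative.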

ATT&CK® Techniques

ID  Name  ATT&CK Tactics
T1111  Two-Factor Authentication Interception  Credential Access
T1136  Create Account  Persistence
T1562  Impair Defenses  Defense Evasion
T1569  System Services  Execution
T1580  Cloud Infrastructure Discovery  Discovery