Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable.
Standard Operating Procedures (SOPs) establish a structured way of interacting with systems and services. These procedures are in place for all users to ensure they can accomplish their goal in the approved manner. If an adversary attempts to perform any tasks which do not conform to the SOP, that activity will be easier to identify, alert on, and respond to.
|DOS0027||There is an opportunity to create a detection with a moderately high probability of success.|
|DOS0095||There is an opportunity to detect an adversary's activity if they are unable to follow a company's documented standard operating procedures.|
|DUC0047||A defender can detect user accounts created outside the acceptable process.|
|DUC0054||A defender can define operating procedures for adding services and alert when they are added outside of this procedure (i.e. by an adversary) to detect abnormal behavior.|
|DUC0061||A defender can provide a set of operating procedures for modifying GPOs and create an alert to detect unusual behavior when that procedure is not followed.|
|DUC0095||A defender can implement a standard operating procedure which restricts users from using 2FA or MFA more than once without another process being invoked.|
|DPR0057||Require approvals and waivers for users to make changes to their system which requires administrative access. Any changes not made through this process are suspect and immediately investigated as malicious activity.|
|DPR0058||Create a development library that all users must leverage in order to interact with any hosted databases. This library modifies queries to look difficult to write. Any queries made without the library will now be obvious to detect and are immediately investigated as malicious activity.|
|T1111||Two-Factor Authentication Interception||Credential Access|
|T1562||Impair Defenses||Defense Evasion|