From b58d1be67b45bf3e4d33d35dc2c1bc3c34528aeb Mon Sep 17 00:00:00 2001 From: Jan Pohl Date: Thu, 19 Sep 2024 16:18:33 +0200 Subject: [PATCH] D3fend galaxy update for PR --- clusters/engage-framework.json | 120 ++++++++++++++++----------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/clusters/engage-framework.json b/clusters/engage-framework.json index 2a8d540..319755f 100644 --- a/clusters/engage-framework.json +++ b/clusters/engage-framework.json @@ -18,7 +18,7 @@ "last_modified": "28 February 2022", "long_description": "API Monitoring involves capturing an internal OS function for its usage, accompanying arguments, and result. When a defender captures this information, the data gathered can be analyzed to gain insights into the activity of an adversary at a level deeper than normal system activity monitoring. This type of monitoring can also be used to produce high-fidelity detections. For example, the defender can trace activity through WinSock TCP API functions to view potentially malicious network events or trace usage of the Win32 DeleteFile() function to log all attempts at deleting a given file.", "url": "https://engage.mitre.org/matrix/?activity=api-monitoring", - "version": 1.0 + "version": 1 }, "uuid": "a92a31e3-4df7-4e75-9553-67dc080e3490", "value": "EAC0001 - API Monitoring" @@ -31,7 +31,7 @@ "last_modified": "28 February 2022", "long_description": "Network Monitoring involves capturing network activity data, including capturing server, firewall, and other relevant logs. A defender can send this data to a centralized collection location for further analysis. This analysis can be automated or manual. In either case, a defender can use Network Monitoring to identify anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. Monitoring is essential to maintain situational awareness of adversary activities to ensure operational safety and make progress towards the defender’s goals. Careful pre-operational planning should be done to properly instrument the engagement environment to ensure that all key network traffic is collected. Some use cases of network monitoring include detecting unexpected outbound traffic, systems establishing connections using encapsulated protocols, and known adversary C2 protocols.", "url": "https://engage.mitre.org/matrix/?activity=network-monitoring", - "version": 1.0 + "version": 1 }, "uuid": "26ffc08a-97ff-41be-afe9-70c2a14d56c6", "value": "EAC0002 - Network Monitoring" @@ -44,7 +44,7 @@ "last_modified": "28 February 2022", "long_description": "Capturing system logs can show logins, user and system events, etc. A defender can use such inherent system logging to study and collect first-hand observations about the adversary’s actions and tools. This data can be sent to a centralized collection location for further analysis. Careful planning should be used to guide which system logs are collected and at what level. If the logging level is set too high or too many system logs are collected, the defender may be blinded by the excess data. For example, understanding the adversary’s known TTPs will highlight resources the adversary is likely to touch and therefore which system logs are likely to capture adversary activity. Overall, System Activity Monitoring is essential to maintain situational awareness of adversarial activities in order to ensure operational safety and progress towards operational goals. Careful pre-operational planning should be done to properly instrument the engagement environment. This will ensure that all key network traffic is collected.", "url": "https://engage.mitre.org/matrix/?activity=system-activity-monitoring", - "version": 1.0 + "version": 1 }, "uuid": "fab89d5f-726f-4e50-bdfe-2e7041ea8e25", "value": "EAC0003 - System Activity Monitoring" @@ -57,7 +57,7 @@ "last_modified": "28 February 2022", "long_description": "Network analysis can be an automated or manual task to review communications between systems to expose adversary activity, such as C2 or data exfiltration traffic. This analysis is normally done by capturing and analyzing traffic on the wire or from previously collected packet capture. When custom protocols are in use, defenders can leverage protocol decoder frameworks. These are customized code modules that can read network traffic and contextualize activity between the C2 operator and the implant. These frameworks are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret. Decoder creation requires malware analysis of the implant to understand the design of the protocol. While a high level of technical maturity is required to create such a decoder, once created they are invaluable to the defender. For example, a defender can use a protocol decode to decrypt network capture data and expose an adversary’s C2 or exfiltration activity. Not only does this data provide exquisite intelligence in regard to the adversary’s communications channels and targeting preferences, but it also provides future opportunities for data manipulation to further operational goals.", "url": "https://engage.mitre.org/matrix/?activity=network-analysis", - "version": 1.0 + "version": 1 }, "uuid": "f7f230df-5ae6-4b88-9d48-554f2ea8ad82", "value": "EAC0004 - Network Analysis" @@ -70,7 +70,7 @@ "last_modified": "28 February 2022", "long_description": "Lures are intended to elicit a particular response from the adversary. For example, the defender may utilize Lures to enable or block the adversary’s intended actions or encourage or discourage a specific action or response. Lures can take a variety of forms including credentials, accounts, files/directories, browser extensions/bookmarks, system processes, etc. Regardless of form, Lures provide opportunities to the defender to drive adversary behavior in ways that align with operational outcomes.", "url": "https://engage.mitre.org/matrix/?activity=lures", - "version": 1.0 + "version": 1 }, "uuid": "d052c8f1-c1ec-4af7-809a-bbf1241871dd", "value": "EAC0005 - Lures" @@ -83,7 +83,7 @@ "last_modified": "28 February 2022", "long_description": "Application Diversity presents an array of software targets to the adversary. On a single target system, defenders can configure multiple services or software applications. This diversity may include not only a variety of different types of applications, but also various versions of the same application. Application Diversity can be used to encourage engagement by offering a broad attack surface. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can install one or more applications with a variety of patch levels to see how the adversary’s response differs across versions. Additionally, a diverse set of applications provides a variety of avenues for the defender to present additional information throughout an operation. This information can be used to introduce additional attack surfaces, motivate or demotivate the adversary, or further the engagement narrative. For example, if the adversary is close to uncovering something that might raise suspicion around a target, the defender can add an event to a shared calendar application or a message in a notes application that the system will be offline for scheduled maintenance. Having a variety of applications on the system provides the defender with multiple engagement avenues to handle whatever events happen during the operation. Finally, diversity can increase the adversary’s overall comfort level by adding to the believability of the environment. ", "url": "https://engage.mitre.org/matrix/?activity=application-diversity", - "version": 1.0 + "version": 1 }, "uuid": "cd885bd4-b008-435f-a8c5-2921b480e15e", "value": "EAC0006 - Application Diversity" @@ -96,7 +96,7 @@ "last_modified": "28 February 2022", "long_description": "Network Diversity involves the use of an assorted collection of network resources such as networking devices, firewalls, printers, phones, etc. Network Diversity can be used to encourage adversaries to engage by offering a broad attack surface. Additionally, diversity can increase the adversary’s overall comfort level by adding to the believability of the environment. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can deploy a variety of network resources to identify which devices are targeted by the adversary.", "url": "https://engage.mitre.org/matrix/?activity=network-diversity", - "version": 1.0 + "version": 1 }, "uuid": "a7af45af-9a48-488a-8c4f-d3bc695079b3", "value": "EAC0007 - Network Diversity" @@ -109,7 +109,7 @@ "last_modified": "28 February 2022", "long_description": "Burn-In involves exercising the system to create desirable system artifacts such as web browsing history, file system usage, or the running of user applications. At times, Burn-In can be accomplished by simply letting a system or application run for an extended period of time. Other times, the defender engages with the environment to produce the Burn-In artifacts, such as when the defender logs into a decoy account or accesses a decoy website to generate session cookies and browser history. These tasks can be accomplished manually or via automated tooling. Burn-In should occur pre-operation and continue as appropriate during the operation. The artifacts generated during the Burn-In process can reassure the adversary of the environment’s legitimacy by creating an environment that more closely resembles a real, lived in, system or network.", "url": "https://engage.mitre.org/matrix/?activity=burn-in", - "version": 1.0 + "version": 1 }, "uuid": "8a7d05b7-23a9-4b9a-a310-331c78ad6320", "value": "EAC0008 - Burn-In" @@ -122,7 +122,7 @@ "last_modified": "28 February 2022", "long_description": "Email Manipulation covers the various ways email flows in the environment can be affected. Email Manipulation can affect which mail appliances process mail flows, where mail is forwarded, or what mail is present in an inbox. A common use case for email manipulation is as a vector to introduce malware into the engagement environment. Suspicious emails may be removed from production mailbox and placed into an inbox in an engagement environment. Then, any suspicious attachments or links could be detonated from within the environment. As another example, emails collected over a long period of time from a legitimate inbox outside the environment may be moved into the environment to reassure the adversary of the environment’s legitimacy by creating a mailbox that more closely resembles a real, lived-in inbox.", "url": "https://engage.mitre.org/matrix/?activity=email-manipulation", - "version": 1.0 + "version": 1 }, "uuid": "33f618e5-6d65-4659-8cdc-d1b9cb553629", "value": "EAC0009 - Email Manipulation" @@ -135,7 +135,7 @@ "last_modified": "28 February 2022", "long_description": "Peripheral Management is the administration of peripheral devices used on systems within the engagement environment. A defender can choose to allow or deny certain types of peripherals from being used on systems to either motivate or demotivate adversary activity or to direct the adversary towards specific targets. Defenders can also introduce peripherals to an adversary-controlled system to see how the adversary reacts. For example, the defender can introduce external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes. Additionally, peripherals provide an avenue for the defender to present new or additional information to the adversary. This information can be used to introduce an additional attack surface, motivate or demotivate adversary activity, or to further the deception story. For example, the defender may include data on a connected USB device or stage an important conversation near an externally connected camera or microphone. Depending on the contents of this data, the adversary may be encouraged to take a specific action and/or reassured about the legitimacy of the environment.", "url": "https://engage.mitre.org/matrix/?activity=peripheral-management", - "version": 1.0 + "version": 1 }, "uuid": "eed9b6e3-fa7b-4b62-b7b3-db6b38e391ad", "value": "EAC0010 - Peripheral Management" @@ -148,7 +148,7 @@ "last_modified": "28 February 2022", "long_description": "Pocket Litter is data placed on a system to help tell the engagement narrative, to increase the credibility of an environment, and/or to establish a cognitive bias to raise the adversary’s tolerance to weaknesses in the environment. Unlike Lures, Pocket Litter does not necessarily aim to encourage the adversary to take a specific action, but rather it supports the overall deception story. Pocket Litter can include documents, pictures, registry entries, installed software, log history, browsing history, connection history, and other user data that an adversary would expect to exist on a user’s computer. For example, a defender might conduct a series of web searches to generate browser artifacts, or scatter a variety of photos and documents across the desktop to make the computer feel lived in.", "url": "https://engage.mitre.org/matrix/?activity=pocket-litter", - "version": 1.0 + "version": 1 }, "uuid": "03c8609b-b181-451b-a9c2-529189365733", "value": "EAC0011 - Pocket Litter" @@ -161,7 +161,7 @@ "last_modified": "28 February 2022", "long_description": "A Persona is used to establish background information about a victim to increase the believability of the target. To create a Persona, the defender must develop a backstory and seed the environment with varying data in support of this story. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, browsing habits, etc. In addition to lending legitimacy to the environment, personas can be used to engage directly with adversaries, such as during phishing email exchanges. Additionally, personas can make changes to the environment during the operation, such as adding or removing a USB device or introducing new decoy documents or credentials.", "url": "https://engage.mitre.org/matrix/?activity=personas", - "version": 1.0 + "version": 1 }, "uuid": "4ffbcd1f-c905-4371-b33f-9fcabaa09d84", "value": "EAC0012 - Personas" @@ -174,7 +174,7 @@ "last_modified": "28 February 2022", "long_description": "Malware can be detonated in a controlled and safe environment. Clear goals and safety procedures should always be established before detonation to ensure that the operation is focused and safe. The malware can be detonated in an execution environment ranging from a somewhat sterile commercial malware execution appliance to a bespoke engagement environment crafted to support an extended engagement. Depending on operational objectives, the outcome of a malware detonation operation can include: collecting new IOCs during dynamic analysis, observing additional TTPs by detonating the malware in a target rich environment, and/or negatively impacting the adversary and their operation. ", "url": "https://engage.mitre.org/matrix/?activity=malware-detonation", - "version": 1.0 + "version": 1 }, "uuid": "721d4c18-cde5-4189-bcfa-f240a75abe1c", "value": "EAC0013 - Malware Detonation" @@ -187,7 +187,7 @@ "last_modified": "28 February 2022", "long_description": "Software Manipulation allows a defender to alter or replace elements of the OS, file system, or other software installed and executed on a system. These alterations can affect outputs, degrade effectiveness, and/or prevent the software from functioning altogether. For example, the defender can manipulate software by changing the output of commonly used discovery commands to hide legitimate systems and artifacts and/or reveal deceptive artifacts and systems. Alternatively, the defender can change the output of the password policy description for an adversary attempting to brute-force credentials. This manipulation may cause the adversary to waste resources brute-forcing passwords with inaccurate complexity requirements. If the defender wanted to degrade software effectiveness, they might weaken algorithms to expose data that is being archived, encoded, and/or encrypted. Finally, to prevent software from functioning altogether, the defender may cause failures in software typically used to delete data or hide adversary artifacts. For some Software Manipulation use cases, it may be possible to make changes in such a way that adversary actions and legitimate user actions are handled differently. For example, the defender could show all files when viewed in a graphical application but hide files or introduce decoy files when viewed via a terminal command. This setup would allow legitimate users full access to the file system, while manipulating access for adversaries using a reverse shell.", "url": "https://engage.mitre.org/matrix/?activity=software-manipulation", - "version": 1.0 + "version": 1 }, "uuid": "5b6f96bf-81fe-4a2d-aa9a-929211f0e003", "value": "EAC0014 - Software Manipulation" @@ -200,7 +200,7 @@ "last_modified": "28 February 2022", "long_description": "Information Manipulation is used to support the engagement narrative and directly impact adversary activities. Revealed facts and fictions can be used to adjust the adversary’s trust in the environment. Concealed facts and fiction can be used to adjust the adversary’s sense of uncertainty towards the environment. Revealed facts may include OS type and version, geographic location, hardware type and version, accounts, credentials, etc. Revealed fictions may include the content of decoy files, emails, messages, etc. Revealed facts and fictions may or may not be believed by the adversary. If an adversary believes a revealed fact or fiction, it may lend credibility to the environment or encourage a specific action. If an adversary is suspicious or does not believe a revealed fact or fiction, it may erode adversary trust in the environment or discourage a specific action. Therefore, revealed facts and fictions can be used to adjust the adversary’s trust in the environment in ways that support the operational objectives.

Concealed facts may include virtualized systems disguised as physical systems, monitoring software, or collection efforts. Concealed fictions may include an encrypted, interestingly named, decoy file or a partially deleted email thread referencing high value, but decoy, assets. Concealed facts and fictions may or may not be discovered by the adversary. If the adversary discovers a concealed fact or fiction, it may increase the ambiguity of the environment and affect the adversary’s sense of uncertainty. In this way, concealed facts and fictions can be used to adjust the ambiguity and affect the adversary’s sense of uncertainty in ways that support the operational objectives", "url": "https://engage.mitre.org/matrix/?activity=information-manipulation", - "version": 1.0 + "version": 1 }, "uuid": "f84a4b99-c3ab-4b49-9f8a-6f57b5af1b0f", "value": "EAC0015 - Information Manipulation" @@ -213,7 +213,7 @@ "last_modified": "28 February 2022", "long_description": "Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, add a kill switch to cut off network access, etc. These types of manipulations can affect the adversary’s ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether. For example, a defender can limit the allowed ports or network requests to force the adversary to alter their planned C2 or exfiltration channels. As another example, a defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Additionally, the defender can degrade network speeds and reliability to impose a resource cost as adversaries exfiltrate large quantities of data. Finally, a defender can block primary C2 domains and IPs to determine if the adversary has additional infrastructure. While there are a range of network manipulation options, in all cases, the defender has an opportunity to learn about or influence the adversaries operating in the environment.", "url": "https://engage.mitre.org/matrix/?activity=network-manipulation", - "version": 1.0 + "version": 1 }, "uuid": "6ad7247a-fb1d-4a8a-be7e-9d323b1a391a", "value": "EAC0016 - Network Manipulation" @@ -226,7 +226,7 @@ "last_modified": "28 February 2022", "long_description": "Hardware Manipulation can include physical adjustments or configuration changes to the hardware in the environment. This manipulation can include physically removing a system’s microphone, camera, on-board Wi-Fi adapter, etc. or using software controls to disable those devices. These types of manipulations can affect the adversary’s ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether. Hardware Manipulation is often required to maintain operational safety. For example, if the operation includes Malware Detonation using a laptop physically located in a shared space, it is likely that the defender will not have the ability to hide the legitimate conversations and individuals present in the space. Unless the defender can control the background sounds and visuals, it is likely too risky to leave the camera and microphone connected to the machine.", "url": "https://engage.mitre.org/matrix/?activity=hardware-manipulation", - "version": 1.0 + "version": 1 }, "uuid": "48406d1d-f27e-4bdf-b4db-a51702bd3c26", "value": "EAC0017 - Hardware Manipulation" @@ -239,7 +239,7 @@ "last_modified": "28 February 2022", "long_description": "Manipulating Security Controls involves making configuration changes to a system’s security settings including modifying Group Policies, disabling/enabling autorun for removable media, tightening or relaxing system firewalls, etc. Such security controls can be tightened to dissuade or prevent adversary activity. Conversely, security controls can be weakened or left overly permissive to encourage or enable adversary activity. Tightening security controls can typically be done by implementing any of the mitigations described in MITRE ATT&CK. See https://attack.mitre.org/mitigations/enterprise/ for a full list of mitigation strategies. While loosening security controls may seem obvious (i.e., simply don’t employ a given mitigation strategy), there is an additional level of nuance that must be considered. Some security controls are considered so routine that its absence may be suspicious. For example, completely turning off Windows Defender would likely raise the adversary’s suspicion. However, it is possible to turn off Windows Defender in certain shared drives to encourage adversary activity in predetermined locations. Therefore, it will likely be far less suspicious to turn off Windows Defender in a single directory or share. When assessing the likelihood that removing a given security control is overly suspicious, it is important to consider how prevalent that security control is, the target adversary’s sophistication, and the engagement narrative.", "url": "https://engage.mitre.org/matrix/?activity=security-controls", - "version": 1.0 + "version": 1 }, "uuid": "840cc6e3-317c-431a-bd98-a3f0152335f0", "value": "EAC0018 - Security Controls" @@ -252,7 +252,7 @@ "last_modified": "28 February 2022", "long_description": "To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity. For example, the defender can watch for an adversary to make changes in the environment and then revert the environment with the goal of either forcing the adversary to target elsewhere in the network or to display a new, possibly more advanced, TTP. The Baseline values will also be crucial post-operation when analyzing changes to the environment over time.", "url": "https://engage.mitre.org/matrix/?activity=baseline", - "version": 1.0 + "version": 1 }, "uuid": "0b561d95-2a6d-4ab6-89c0-06adb4657e5f", "value": "EAC0019 - Baseline" @@ -265,7 +265,7 @@ "last_modified": "28 February 2022", "long_description": "Using Isolation, a defender can limit the effectiveness and scope of malicious activity and/or lower exposure to unintended risks. When a system or resource is isolated, a defender can observe adversary behaviors or tools with limited, or no, lateral movement allowed. For example, a defender may detonate a piece of malware on an isolated system to perform dynamic analysis without risk to other network resources. Determining which systems should be isolated in an operation is a critical decision when calculating acceptable operational risk. However, if the adversary expects to find an entire corporate network but instead finds only an isolated system, they may not be interested in engaging with the target. Balancing acceptable risk, believability, and operational objectives is essential when determining if or when a system should be isolated.", "url": "https://engage.mitre.org/matrix/?activity=isolation", - "version": 1.0 + "version": 1 }, "uuid": "cfd2f05c-42cc-47b0-b14c-ad74e62e4cd3", "value": "EAC0020 - Isolation" @@ -278,7 +278,7 @@ "last_modified": "28 February 2022", "long_description": "When a defender Migrates an Attack Vector, the defender intercepts a malicious element and moves it to a safe environment, such as a decoy system within a decoy network, for continued engagement or analysis. A defender may choose to Attack Vector Migrations, which may appear in the form of phishing emails, suspicious email attachments, or malicious USBs. For example, a defender might move a suspicious attachment from a corporate inbox to an inbox on a system that, while in the corporate IP space, is completely segmented from the enterprise network. This segregated environment will allow the adversary to move laterally throughout the environment without risk to enterprise resources. Determining when an engagement should be moved to an engagement environment is a critical decision when calculating acceptable operational risk. However, if the adversary sent a custom malware sample to a phishing victim, but ultimately find themselves on an unrelated victim, they may be suspicious. Balancing this acceptable risk, believability, and operational goals is essential when determining if or when to migrate an attack vector.", "url": "https://engage.mitre.org/matrix/?activity=attack-vector-migration", - "version": 1.0 + "version": 1 }, "uuid": "08a2b882-a564-451a-917a-1bec827af52a", "value": "EAC0021 - Attack Vector Migration" @@ -291,7 +291,7 @@ "last_modified": "28 February 2022", "long_description": "Artifact Diversity means presenting multiple network and system artifacts to the adversary including accounts, files/directories, credentials, logs, web browsing history, browser cookies, etc. These artifacts can be legitimate artifacts created as the result of natural usage over time or manually added to the environment by the defender. Artifact Diversity can be used to encourage the adversary to engage by offering a broad attack surface or can increase the adversary’s overall comfort level by adding to the believability of the environment. Additionally, these artifacts may be Lures intended to elicit a specific response from the adversary. In any case, by monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can include a diverse set of accounts and credentials and then monitor to determine which accounts the adversary targets in the future.", "url": "https://engage.mitre.org/matrix/?activity=artifact-diversity", - "version": 1.0 + "version": 1 }, "uuid": "ec7432d1-c6f3-499b-8c2e-f9642287b1af", "value": "EAC0022 - Artifact Diversity" @@ -304,7 +304,7 @@ "last_modified": "28 February 2022", "long_description": "By intentionally Introducing Vulnerabilities into the engagement environment, the defender can attempt to motivate the adversary to target specific resources. This targeting may serve to move the adversary towards a particular resource, or away from another resource. At other times, the defender may Introduce Vulnerabilities as a mean of encouraging the adversary to reveal targeting preferences, available capabilities, or even to influence future targeting decisions. The operational objectives will drive how and why the defender Introduces Vulnerabilities in the engagement environment.", "url": "https://engage.mitre.org/matrix/?activity=introduced-vulnerabilities", - "version": 1.0 + "version": 1 }, "uuid": "044d6331-d9ab-4c59-b0fd-94e393c7634b", "value": "EAC0023 - Introduced Vulnerabilities" @@ -317,7 +317,7 @@ "last_modified": "28 February 2022", "long_description": "The Operational Objective is the goal(s) that drive all of the approaches and activities used in an adversary engagement operation. Articulating the operational objective allows the defender to align their actions to reach the desired end-state. There are three high-level Engagement Goals in adversary engagement operations: to Expose adversaries on the network, to Affect adversaries on the network, or to Elicit new information about adversaries. These larger themes should help the defender create more focused operational objectives. For example, realistic operational objectives include: protecting a specific high-value technology or person by exposing adversaries targeting that technology or person, protecting against insider threats by affecting the adversary’s ability to steal sensitive data, or increasing the defender’s understanding of the threat landscape by eliciting new adversary TTPs, etc. Every action taken in the planning, execution, and analysis of an operation should be aligned with the operational objective. It is important to define this objective early on. Input from any involved stakeholders should be considered when choosing the operational objectives. ", "url": "https://engage.mitre.org/matrix/?activity=operational-objective", - "version": 1.0 + "version": 1 }, "uuid": "02fd278a-cbd0-406b-b582-ced348cfcf73", "value": "SAC0001 - Operational Objective" @@ -330,7 +330,7 @@ "last_modified": "28 February 2022", "long_description": "Persona Creation is the process of planning for and creating the personas required to support the engagement narrative. This process should be informed by the previously generated threat model for the defender’s target adversary. For example, if the adversary targets a specific industry, the persona might be created to look like someone who works in that industry. The persona outline should include basic information about the persona itself such as their name, their relationship to the environment, and geographic location. Often, and especially for a short-term engagement operation, these persona traits can be broad. For example, it is unlikely that a persona used in a short-term ransomware detonation operation would require a lot of details to be effective. However, for a longer-term insider threat protection operation, the defender may need to create a persona with the online presence of a corporate employee, including name, birthday, address, etc. Many factors should be considered when determining how in-depth a persona should be, including adversary sophistication, defender resources, and engagement narrative. Once the persona traits have been decided, the planning process should determine how these traits will manifest in the environment. Persona creation is important to running an operation, as personas are often the predominant means through which the defender can engage with the adversary or change the environment during the operation. Careful planning is important as personas can be resource intensive to create and maintain and can reveal the ruse if discovered as fake by the adversary. ", "url": "https://engage.mitre.org/matrix/?activity=persona-creation", - "version": 1.0 + "version": 1 }, "uuid": "6a2e0a96-9769-48ce-86ff-4b713619f1cc", "value": "SAC0002 - Persona Creation" @@ -343,7 +343,7 @@ "last_modified": "28 February 2022", "long_description": "Storyboarding is the process of creating the deception story through a sequence of events, interactions, the persona’s pattern of life, etc. A large part of Storyboarding is creating this pattern of life for the persona(s) using the system(s). The pattern of life can include behaviors such as using email or chat software, browsing the Internet, using system software, or physically moving the device (particularly important for mobile devices and laptops). The defender must determine how the Persona’s behavior and other events in the environment will be generated. Personas may be generated automatically with tooling, manually with human operators, or some combination of both. The availability of defender resources may greatly impact the frequency of manually executing behaviors. Not every action taken in the environment needs to be planned in advance. However, the defender should have a general idea of what actions will be taken. Setting up a storyboard early in the planning process will allow the operation to run smoothly, efficiently, and most importantly, consistently, regardless of operator, so as not to reveal the ruse.", "url": "https://engage.mitre.org/matrix/?activity=storyboarding", - "version": 1.0 + "version": 1 }, "uuid": "0c0d0bdf-d2b3-41ae-9d13-13e89856a706", "value": "SAC0003 - Storyboarding" @@ -356,7 +356,7 @@ "last_modified": "28 February 2022", "long_description": "Cyber Threat Intelligence (CTI) allows an organization to understand the threat landscape. CTI data can be informed by a combination of open and closed source research. Additionally, it can be supplemented with internal and external threat intelligence feeds, including information gleaned from previous engagement operations. The understanding gained through CTI data allows the defender to identify and understand the target adversary for a given operation. For example, if the defender’s intended operational outcome is to expose adversaries on the network, the defender should prioritize adversaries that historically target their organization or similar organizations and/or have displayed TTPs that are likely to evade current defenses. Additionally, storyboarding should look at CTI data for the target adversary to make informed estimations on what the adversary may do in the environment and how they might react to what they find. Once one or more adversaries have been selected as the target adversary, the relevant CTI data should guide the creation of the engagement environment and storyboard including hardware and software requirements, the required level of realism for lures and pocket Litter, and acceptable operational risk. This definition was based on the work presented by MITRE ATT&CK as seen here.", "url": "https://engage.mitre.org/matrix/?activity=cyber-threat-intelligence", - "version": 1.0 + "version": 1 }, "uuid": "ff9f211b-2cd9-458d-8a60-81bae3c7b72f", "value": "SAC0004 - Cyber Threat Intelligence" @@ -369,7 +369,7 @@ "last_modified": "28 February 2022", "long_description": "Gating Criteria are the event or sequence of events that are agreed to be the unnegotiable immediate pause or end to the operation. Sometimes, these events include the successful completion of the agreed upon operational objectives. Other times, these events may signify the operation has reached a hard stop. This stop is often necessary because future operational safety cannot be guaranteed. Alternatively, the operation may need to end because events have occurred that outweigh the agreed upon acceptable risk. Finally, it may just be that if the adversary operates any longer, they may learn something the defender doesn’t want them to know. Multiple parties from the technical operations, threat intel, legal, and management perspectives should be included when defining Gating Criteria. For example, if an adversary begins to use the engagement environment as a platform to operate against other targets, stakeholders may decide that the operation must be suspended until the unacceptable traffic can be blocked. Defining the operational Gating Criteria is an essential step to ensure operational safety.", "url": "https://engage.mitre.org/matrix/?activity=gating-criteria", - "version": 1.0 + "version": 1 }, "uuid": "11de0f22-f16b-471f-8098-a283cdc3f38d", "value": "SAC0005 - Gating Criteria" @@ -382,7 +382,7 @@ "last_modified": "28 February 2022", "long_description": "The After Action Review (AAR) is the opportunity for the team to review the events of the operation to ensure progress towards strategic outcomes. This retrospective can include a review of the entire operational process from planning, implementation, execution, and impact. In addition to the operation itself, the AAR is an important time to assess the communication and teamwork of the operations team and all contributing stakeholders. While an AAR should always occur at the end of an operation, periodic reviews during long-running operations are vital to ensure alignment and progress towards the operational objectives.", "url": "https://engage.mitre.org/matrix/?activity=after-action-review", - "version": 1.0 + "version": 1 }, "uuid": "af55180b-fd56-47c4-af07-ae5a5374ce03", "value": "SAC0006 - After-Action Review" @@ -395,7 +395,7 @@ "last_modified": "28 February 2022", "long_description": "The Engagement Environment is the set of carefully tailored, highly instrumented systems designed on an engagement-by-engagement basis as the backdrop to the engagement narrative. It is the actual environment that the adversary will operate in. It is important to ensure that the Engagement Environment complements, rather than competes with, the engagement narrative. Additionally, these systems should provide conduits to allow the target adversary necessary movement throughout the environment, as needed to meet operational outcomes.

While not strictly part of the Engagement Environment, the collection system is the set of systems used to gather artifacts and other data from an operation to monitor the engagement to ensure operational safety. It is important to consider the collection system while designing the engagement environment. By designing these environments in lockstep, the defender guarantees that all aspects of the engagement environment can be monitored. This is essential to ensure operations remain within the guardrails set by the Rules of Engagement. For example, available resources, capabilities, or skills may limit the type of assets in, or size of, the engagement environment.", "url": "https://engage.mitre.org/matrix/?activity=engagement-environment", - "version": 1.0 + "version": 1 }, "uuid": "9c823db9-16b7-4aa5-acc6-2795407ea828", "value": "SAC0012 - Engagement Environment" @@ -408,7 +408,7 @@ "last_modified": "28 February 2022", "long_description": "Among other things, threat models require that the defender assesses the strengths, weaknesses, and importance of the their own organization, including trusted partners, infrastructure, and critical cyber assets. This understanding will inform operational objectives by outlining the defender’s attack surface and highlighting areas that may be of particular interest to a given adversary. The organization’s threat model should be understood at the onset of an operation to drive operational objective development and revisited at the conclusion of an operation to ensure operational outcomes are captured. These process of defining and informing the organization’s threat model should enable better security decision-making both in future operations and elsewhere in the organization.", "url": "https://engage.mitre.org/matrix/?activity=threat-model", - "version": 1.0 + "version": 1 }, "uuid": "9414f454-c053-48da-aa4e-806596c61d4e", "value": "SAC0009 - Threat Model" @@ -603,7 +603,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "b5666d2e-f959-4e39-b745-35a20f893e42", "value": "EAV0001 - Vulnerability" @@ -616,7 +616,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "7de8fb9e-50d8-4ec0-a69e-fc862a12eb62", "value": "EAV0002 - Vulnerability" @@ -629,7 +629,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "603284cb-b12a-4e26-a8ef-21cb4b006011", "value": "EAV0003 - Vulnerability" @@ -642,7 +642,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "b304ea95-fcf0-4ac5-ad3c-369bf2078460", "value": "EAV0004 - Vulnerability" @@ -655,7 +655,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "8b47c3eb-2e15-444a-9d79-32871c9a08c3", "value": "EAV0005 - Vulnerability" @@ -668,7 +668,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "1234bd4c-b6d6-4dca-a93d-889b9b35c2d9", "value": "EAV0006 - Vulnerability" @@ -681,7 +681,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "6e84868a-8a72-42a1-abd2-2e7aaa43783c", "value": "EAV0007 - Vulnerability" @@ -694,7 +694,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "a0951566-a2e4-4433-bf7b-34eed95fd33e", "value": "EAV0008 - Vulnerability" @@ -707,7 +707,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "4426c6be-0741-4876-841c-e0d6e1a760ff", "value": "EAV0009 - Vulnerability" @@ -720,7 +720,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "e60e98e7-6f8d-41ce-9122-da1214f13d3c", "value": "EAV0010 - Vulnerability" @@ -733,7 +733,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "b9ebd77b-7d6b-47a4-a9d1-744afc98a633", "value": "EAV0011 - Vulnerability" @@ -759,7 +759,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "b749478e-9158-4461-9889-b10815f2bf01", "value": "EAV0013 - Vulnerability" @@ -772,7 +772,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "d93be1b9-e6ad-417f-8283-755645fcc7a4", "value": "EAV0014 - Vulnerability" @@ -785,7 +785,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "cc116762-5f21-4673-97b2-ad320e782b5f", "value": "EAV0015 - Vulnerability" @@ -798,7 +798,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "abbda1e4-1054-486c-a40f-e851e3e2e31e", "value": "EAV0016 - Vulnerability" @@ -824,7 +824,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "fcf280a9-429f-46e9-9fe6-f22e323bcb76", "value": "EAV0018 - Vulnerability" @@ -837,7 +837,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "a1d33143-36bc-4e33-aa8d-a567ed48d139", "value": "EAV0019 - Vulnerability" @@ -850,7 +850,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "945485eb-f52c-486d-ae25-9e544f8c3d7c", "value": "EAV0020 - Vulnerability" @@ -863,7 +863,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "815fa744-dc68-40d2-96ac-9981b09634ca", "value": "EAV0021 - Vulnerability" @@ -876,7 +876,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "29628134-cbd0-445d-8df3-f1a313265943", "value": "EAV0022 - Vulnerability" @@ -889,7 +889,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "24b098af-d164-40e9-9d6b-b2429ac74861", "value": "EAV0023 - Vulnerability" @@ -915,7 +915,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "69a6cb81-1804-46ff-bdf5-6d6bdc764176", "value": "EAV0025 - Vulnerability" @@ -928,7 +928,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "6c659ad9-129b-4225-aac4-7cf0bf27f64f", "value": "EAV0026 - Vulnerability" @@ -941,7 +941,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "c121ab3b-ddc8-433d-82b9-eb863b824865", "value": "EAV0027 - Vulnerability" @@ -954,7 +954,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "2e626210-a8ac-4918-bfbf-0f53cbb34586", "value": "EAV0028 - Vulnerability" @@ -967,7 +967,7 @@ "last_modified": "28 February 2022", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "fdc50146-36a9-42d8-8485-a1d23fb44228", "value": "EAV0029 - Vulnerability" @@ -980,7 +980,7 @@ "last_modified": "2024-03-28 00:00:00", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "5fbed2b9-3bad-4686-95de-0df754b429c7", "value": "EAV0030 - Vulnerability" @@ -993,7 +993,7 @@ "last_modified": "2024-03-28 00:00:00", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "2f593e50-cc03-4baa-af21-acee6cc48db8", "value": "EAV0031 - Vulnerability" @@ -1006,7 +1006,7 @@ "last_modified": "2024-03-28 00:00:00", "long_description": "", "url": "", - "version": 1.0 + "version": 1 }, "uuid": "a4c3306a-aa48-4060-a4a6-b52e26a02715", "value": "EAV0032 - Vulnerability"