
MITRE Engage Framework

This galaxy contains all parts of the MITRE Engage framework, including Activities, Approaches, Goals, and Vulnerabilities.

Authors and/or Contributors
MITRE Corp.
DCG420
m3c4n1sm0

EAC0001 - API Monitoring

Monitor local APIs that might be used by adversary tools and activity.

Internal MISP references

UUID 810b5a19-2ebb-4025-a19c-5db671106353, which can be used as a unique global reference for EAC0001 - API Monitoring in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description API Monitoring involves capturing an internal OS function for its usage, accompanying arguments, and result. When a defender captures this information, the data gathered can be analyzed to gain insights into the activity of an adversary at a level deeper than normal system activity monitoring. This type of monitoring can also be used to produce high-fidelity detections. For example, the defender can trace activity through WinSock TCP API functions to view potentially malicious network events or trace usage of the Win32 DeleteFile() function to log all attempts at deleting a given file.
url https://engage.mitre.org/matrix/?activity=api-monitoring

EAC0002 - Network Monitoring

Monitor network traffic in order to detect adversary activity.

Internal MISP references

UUID 5fdae805-82cd-42f9-9e77-189deb553eb5, which can be used as a unique global reference for EAC0002 - Network Monitoring in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Network Monitoring involves capturing network activity data, including capturing server, firewall, and other relevant logs. A defender can send this data to a centralized collection location for further analysis. This analysis can be automated or manual. In either case, a defender can use Network Monitoring to identify anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary. Monitoring is essential to maintain situational awareness of adversary activities to ensure operational safety and make progress towards the defender’s goals. Careful pre-operational planning should be done to properly instrument the engagement environment to ensure that all key network traffic is collected. Some use cases of network monitoring include detecting unexpected outbound traffic, systems establishing connections using encapsulated protocols, and known adversary C2 protocols.
url https://engage.mitre.org/matrix/?activity=network-monitoring

EAC0003 - System Activity Monitoring

Collect system activity logs that can reveal adversary activity.

Internal MISP references

UUID 08378c32-d3b0-4405-8df5-9d077cfbc332, which can be used as a unique global reference for EAC0003 - System Activity Monitoring in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Capturing system logs can show logins, user and system events, etc. A defender can use such inherent system logging to study and collect first-hand observations about the adversary’s actions and tools. This data can be sent to a centralized collection location for further analysis. Careful planning should be used to guide which system logs are collected and at what level. If the logging level is set too high or too many system logs are collected, the defender may be blinded by the excess data. For example, understanding the adversary’s known TTPs will highlight resources the adversary is likely to touch and therefore which system logs are likely to capture adversary activity. Overall, System Activity Monitoring is essential to maintain situational awareness of adversarial activities in order to ensure operational safety and progress towards operational goals. Careful pre-operational planning should be done to properly instrument the engagement environment. This will ensure that all key network traffic is collected.
url https://engage.mitre.org/matrix/?activity=system-activity-monitoring

EAC0004 - Network Analysis

Analyze network traffic to gain intelligence on communications between systems.

Internal MISP references

UUID 011446a0-819f-4365-a88f-95c70b89ca6f, which can be used as a unique global reference for EAC0004 - Network Analysis in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Network analysis can be an automated or manual task to review communications between systems to expose adversary activity, such as C2 or data exfiltration traffic. This analysis is normally done by capturing and analyzing traffic on the wire or from previously collected packet capture. When custom protocols are in use, defenders can leverage protocol decoder frameworks. These are customized code modules that can read network traffic and contextualize activity between the C2 operator and the implant. These frameworks are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret. Decoder creation requires malware analysis of the implant to understand the design of the protocol. While a high level of technical maturity is required to create such a decoder, once created they are invaluable to the defender. For example, a defender can use a protocol decoder to decrypt network capture data and expose an adversary’s C2 or exfiltration activity. Not only does this data provide exquisite intelligence in regard to the adversary’s communications channels and targeting preferences, but it also provides future opportunities for data manipulation to further operational goals.
url https://engage.mitre.org/matrix/?activity=network-analysis

EAC0005 - Lures

Deceptive systems and artifacts intended to serve as decoys, breadcrumbs, or bait to elicit a specific response from the adversary.

Internal MISP references

UUID 257ac464-d27f-4d7e-a9e5-b9f9c0559964, which can be used as a unique global reference for EAC0005 - Lures in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Lures are intended to elicit a particular response from the adversary. For example, the defender may utilize Lures to enable or block the adversary’s intended actions or encourage or discourage a specific action or response. Lures can take a variety of forms including credentials, accounts, files/directories, browser extensions/bookmarks, system processes, etc. Regardless of form, Lures provide opportunities to the defender to drive adversary behavior in ways that align with operational outcomes.
url https://engage.mitre.org/matrix/?activity=lures

EAC0006 - Application Diversity

Present the adversary with a variety of installed applications and services.

Internal MISP references

UUID b844fb8e-3cb5-485f-9f5e-740faf31ea65, which can be used as a unique global reference for EAC0006 - Application Diversity in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Application Diversity presents an array of software targets to the adversary. On a single target system, defenders can configure multiple services or software applications. This diversity may include not only a variety of different types of applications, but also various versions of the same application. Application Diversity can be used to encourage engagement by offering a broad attack surface. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can install one or more applications with a variety of patch levels to see how the adversary’s response differs across versions. Additionally, a diverse set of applications provides a variety of avenues for the defender to present additional information throughout an operation. This information can be used to introduce additional attack surfaces, motivate or demotivate the adversary, or further the engagement narrative. For example, if the adversary is close to uncovering something that might raise suspicion around a target, the defender can add an event to a shared calendar application or a message in a notes application that the system will be offline for scheduled maintenance. Having a variety of applications on the system provides the defender with multiple engagement avenues to handle whatever events happen during the operation. Finally, diversity can increase the adversary’s overall comfort level by adding to the believability of the environment.
url https://engage.mitre.org/matrix/?activity=application-diversity

EAC0007 - Network Diversity

Use a diverse set of devices on the network to help establish the legitimacy of a deceptive network.

Internal MISP references

UUID 778081d2-6fcc-429d-a269-09a29db2da97, which can be used as a unique global reference for EAC0007 - Network Diversity in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Network Diversity involves the use of an assorted collection of network resources such as networking devices, firewalls, printers, phones, etc. Network Diversity can be used to encourage adversaries to engage by offering a broad attack surface. Additionally, diversity can increase the adversary’s overall comfort level by adding to the believability of the environment. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can deploy a variety of network resources to identify which devices are targeted by the adversary.
url https://engage.mitre.org/matrix/?activity=network-diversity

EAC0008 - Burn-In

Exercise a target system in a manner where it will generate desirable system artifacts.

Internal MISP references

UUID a65d049f-5471-40a4-9c5a-edf0855ca942, which can be used as a unique global reference for EAC0008 - Burn-In in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Burn-In involves exercising the system to create desirable system artifacts such as web browsing history, file system usage, or the running of user applications. At times, Burn-In can be accomplished by simply letting a system or application run for an extended period of time. Other times, the defender engages with the environment to produce the Burn-In artifacts, such as when the defender logs into a decoy account or accesses a decoy website to generate session cookies and browser history. These tasks can be accomplished manually or via automated tooling. Burn-In should occur pre-operation and continue as appropriate during the operation. The artifacts generated during the Burn-In process can reassure the adversary of the environment’s legitimacy by creating an environment that more closely resembles a real, lived-in system or network.
url https://engage.mitre.org/matrix/?activity=burn-in

EAC0009 - Email Manipulation

Modify the flow of email in the environment.

Internal MISP references

UUID 0860eae7-cfee-4a62-8387-1cda9e5e269b, which can be used as a unique global reference for EAC0009 - Email Manipulation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Email Manipulation covers the various ways email flows in the environment can be affected. Email Manipulation can affect which mail appliances process mail flows, where mail is forwarded, or what mail is present in an inbox. A common use case for email manipulation is as a vector to introduce malware into the engagement environment. Suspicious emails may be removed from a production mailbox and placed into an inbox in an engagement environment. Then, any suspicious attachments or links could be detonated from within the environment. As another example, emails collected over a long period of time from a legitimate inbox outside the environment may be moved into the environment to reassure the adversary of the environment’s legitimacy by creating a mailbox that more closely resembles a real, lived-in inbox.
url https://engage.mitre.org/matrix/?activity=email-manipulation

EAC0010 - Peripheral Management

Manage peripheral devices used on systems within the network for engagement purposes.

Internal MISP references

UUID 7a277705-50a8-4937-bf5c-d87486414492, which can be used as a unique global reference for EAC0010 - Peripheral Management in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Peripheral Management is the administration of peripheral devices used on systems within the engagement environment. A defender can choose to allow or deny certain types of peripherals from being used on systems to either motivate or demotivate adversary activity or to direct the adversary towards specific targets. Defenders can also introduce peripherals to an adversary-controlled system to see how the adversary reacts. For example, the defender can introduce external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes. Additionally, peripherals provide an avenue for the defender to present new or additional information to the adversary. This information can be used to introduce an additional attack surface, motivate or demotivate adversary activity, or to further the deception story. For example, the defender may include data on a connected USB device or stage an important conversation near an externally connected camera or microphone. Depending on the contents of this data, the adversary may be encouraged to take a specific action and/or reassured about the legitimacy of the environment.
url https://engage.mitre.org/matrix/?activity=peripheral-management

EAC0011 - Pocket Litter

Data used to support the engagement narrative.

Internal MISP references

UUID f365ed73-d872-4669-8e09-62f164956cd9, which can be used as a unique global reference for EAC0011 - Pocket Litter in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Pocket Litter is data placed on a system to help tell the engagement narrative, to increase the credibility of an environment, and/or to establish a cognitive bias to raise the adversary’s tolerance to weaknesses in the environment. Unlike Lures, Pocket Litter does not necessarily aim to encourage the adversary to take a specific action, but rather it supports the overall deception story. Pocket Litter can include documents, pictures, registry entries, installed software, log history, browsing history, connection history, and other user data that an adversary would expect to exist on a user’s computer. For example, a defender might conduct a series of web searches to generate browser artifacts, or scatter a variety of photos and documents across the desktop to make the computer feel lived in.
url https://engage.mitre.org/matrix/?activity=pocket-litter

EAC0012 - Personas

Create fictitious human user(s) through a combination of planted data and revealed behavior patterns.

Internal MISP references

UUID 402eb806-289f-4839-9d02-8ba18be18650, which can be used as a unique global reference for EAC0012 - Personas in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description A Persona is used to establish background information about a victim to increase the believability of the target. To create a Persona, the defender must develop a backstory and seed the environment with varying data in support of this story. Depending on the need for realism, the constructed persona can be supported by evidence of hobbies, social and professional interactions, consumer transactions, employment, browsing habits, etc. In addition to lending legitimacy to the environment, personas can be used to engage directly with adversaries, such as during phishing email exchanges. Additionally, personas can make changes to the environment during the operation, such as adding or removing a USB device or introducing new decoy documents or credentials.
url https://engage.mitre.org/matrix/?activity=personas

EAC0013 - Malware Detonation

Execute malware under controlled conditions to analyze its functionality.

Internal MISP references

UUID d015c0a3-be25-4b28-92fa-8d359d9d6891, which can be used as a unique global reference for EAC0013 - Malware Detonation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Malware can be detonated in a controlled and safe environment. Clear goals and safety procedures should always be established before detonation to ensure that the operation is focused and safe. The malware can be detonated in an execution environment ranging from a somewhat sterile commercial malware execution appliance to a bespoke engagement environment crafted to support an extended engagement. Depending on operational objectives, the outcome of a malware detonation operation can include: collecting new IOCs during dynamic analysis, observing additional TTPs by detonating the malware in a target rich environment, and/or negatively impacting the adversary and their operation.
url https://engage.mitre.org/matrix/?activity=malware-detonation

EAC0014 - Software Manipulation

Make changes to a system’s software properties and functions to achieve a desired effect.

Internal MISP references

UUID 61027f6d-9f5a-413d-8c02-acac240b91c1, which can be used as a unique global reference for EAC0014 - Software Manipulation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Software Manipulation allows a defender to alter or replace elements of the OS, file system, or other software installed and executed on a system. These alterations can affect outputs, degrade effectiveness, and/or prevent the software from functioning altogether. For example, the defender can manipulate software by changing the output of commonly used discovery commands to hide legitimate systems and artifacts and/or reveal deceptive artifacts and systems. Alternatively, the defender can change the output of the password policy description for an adversary attempting to brute-force credentials. This manipulation may cause the adversary to waste resources brute-forcing passwords with inaccurate complexity requirements. If the defender wanted to degrade software effectiveness, they might weaken algorithms to expose data that is being archived, encoded, and/or encrypted. Finally, to prevent software from functioning altogether, the defender may cause failures in software typically used to delete data or hide adversary artifacts. For some Software Manipulation use cases, it may be possible to make changes in such a way that adversary actions and legitimate user actions are handled differently. For example, the defender could show all files when viewed in a graphical application but hide files or introduce decoy files when viewed via a terminal command. This setup would allow legitimate users full access to the file system, while manipulating access for adversaries using a reverse shell.
url https://engage.mitre.org/matrix/?activity=software-manipulation

EAC0015 - Information Manipulation

Conceal and reveal both facts and fictions to support a deception story.

Internal MISP references

UUID cfc81be2-33b2-43f4-8302-cf6eab4b2c42, which can be used as a unique global reference for EAC0015 - Information Manipulation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Information Manipulation is used to support the engagement narrative and directly impact adversary activities. Revealed facts and fictions can be used to adjust the adversary’s trust in the environment. Concealed facts and fiction can be used to adjust the adversary’s sense of uncertainty towards the environment. Revealed facts may include OS type and version, geographic location, hardware type and version, accounts, credentials, etc. Revealed fictions may include the content of decoy files, emails, messages, etc. Revealed facts and fictions may or may not be believed by the adversary. If an adversary believes a revealed fact or fiction, it may lend credibility to the environment or encourage a specific action. If an adversary is suspicious or does not believe a revealed fact or fiction, it may erode adversary trust in the environment or discourage a specific action. Therefore, revealed facts and fictions can be used to adjust the adversary’s trust in the environment in ways that support the operational objectives.

Concealed facts may include virtualized systems disguised as physical systems, monitoring software, or collection efforts. Concealed fictions may include an encrypted, interestingly named decoy file or a partially deleted email thread referencing high-value, but decoy, assets. Concealed facts and fictions may or may not be discovered by the adversary. If the adversary discovers a concealed fact or fiction, it may increase the ambiguity of the environment and affect the adversary’s sense of uncertainty. In this way, concealed facts and fictions can be used to adjust the ambiguity and affect the adversary’s sense of uncertainty in ways that support the operational objectives.
url https://engage.mitre.org/matrix/?activity=information-manipulation

EAC0016 - Network Manipulation

Make changes to network properties and functions to achieve a desired effect.

Internal MISP references

UUID e0bb4fb8-59c2-4886-91e0-66365f736a39, which can be used as a unique global reference for EAC0016 - Network Manipulation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, add a kill switch to cut off network access, etc. These types of manipulations can affect the adversary’s ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether. For example, a defender can limit the allowed ports or network requests to force the adversary to alter their planned C2 or exfiltration channels. As another example, a defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Additionally, the defender can degrade network speeds and reliability to impose a resource cost as adversaries exfiltrate large quantities of data. Finally, a defender can block primary C2 domains and IPs to determine if the adversary has additional infrastructure. While there are a range of network manipulation options, in all cases, the defender has an opportunity to learn about or influence the adversaries operating in the environment.
url https://engage.mitre.org/matrix/?activity=network-manipulation

EAC0017 - Hardware Manipulation

Alter the hardware configuration of a system to limit what an adversary can do with the device.

Internal MISP references

UUID 0c47a705-168f-4f89-8049-f0cbe4cc1d4c, which can be used as a unique global reference for EAC0017 - Hardware Manipulation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Hardware Manipulation can include physical adjustments or configuration changes to the hardware in the environment. This manipulation can include physically removing a system’s microphone, camera, on-board Wi-Fi adapter, etc. or using software controls to disable those devices. These types of manipulations can affect the adversary’s ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether. Hardware Manipulation is often required to maintain operational safety. For example, if the operation includes Malware Detonation using a laptop physically located in a shared space, it is likely that the defender will not have the ability to hide the legitimate conversations and individuals present in the space. Unless the defender can control the background sounds and visuals, it is likely too risky to leave the camera and microphone connected to the machine.
url https://engage.mitre.org/matrix/?activity=hardware-manipulation

EAC0018 - Security Controls

Alter security controls to make the system more or less vulnerable to attack.

Internal MISP references

UUID d39019ec-3d44-407a-ab52-77bd366fb632, which can be used as a unique global reference for EAC0018 - Security Controls in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Manipulating Security Controls involves making configuration changes to a system’s security settings, including modifying Group Policies, disabling/enabling autorun for removable media, tightening or relaxing system firewalls, etc. Such security controls can be tightened to dissuade or prevent adversary activity. Conversely, security controls can be weakened or left overly permissive to encourage or enable adversary activity. Tightening security controls can typically be done by implementing any of the mitigations described in MITRE ATT&CK. See https://attack.mitre.org/mitigations/enterprise/ for a full list of mitigation strategies. While loosening security controls may seem obvious (i.e., simply don’t employ a given mitigation strategy), there is an additional level of nuance that must be considered. Some security controls are considered so routine that their absence may be suspicious. For example, completely turning off Windows Defender would likely raise the adversary’s suspicion. However, it is possible to turn off Windows Defender in certain shared drives to encourage adversary activity in predetermined locations. Therefore, it will likely be far less suspicious to turn off Windows Defender in a single directory or share. When assessing the likelihood that removing a given security control is overly suspicious, it is important to consider how prevalent that security control is, the target adversary’s sophistication, and the engagement narrative.
url https://engage.mitre.org/matrix/?activity=security-controls

EAC0019 - Baseline

Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.

Internal MISP references

UUID 98e72a7d-8f0f-44dd-bad3-5bc7a82981d2, which can be used as a unique global reference for EAC0019 - Baseline in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity. For example, the defender can watch for an adversary to make changes in the environment and then revert the environment with the goal of either forcing the adversary to target elsewhere in the network or forcing them to display a new, possibly more advanced, TTP. The Baseline values will also be crucial post-operation when analyzing changes to the environment over time.
url https://engage.mitre.org/matrix/?activity=baseline

EAC0020 - Isolation

Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.

Internal MISP references

UUID 9a289ecf-34f3-494e-b656-9edf98ea4cb7, which can be used as a unique global reference for EAC0020 - Isolation in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Using Isolation, a defender can limit the effectiveness and scope of malicious activity and/or lower exposure to unintended risks. When a system or resource is isolated, a defender can observe adversary behaviors or tools with limited, or no, lateral movement allowed. For example, a defender may detonate a piece of malware on an isolated system to perform dynamic analysis without risk to other network resources. Determining which systems should be isolated in an operation is a critical decision when calculating acceptable operational risk. However, if the adversary expects to find an entire corporate network but instead finds only an isolated system, they may not be interested in engaging with the target. Balancing acceptable risk, believability, and operational objectives is essential when determining if or when a system should be isolated.
url https://engage.mitre.org/matrix/?activity=isolation

EAC0021 - Attack Vector Migration

Move a malicious link, file, or device from its intended location to an engagement system or network for execution/use.

Internal MISP references

UUID f0c50eae-2d2b-4534-a72d-647bf4eb470e, which can be used as a unique global reference for EAC0021 - Attack Vector Migration in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description When a defender Migrates an Attack Vector, the defender intercepts a malicious element and moves it to a safe environment, such as a decoy system within a decoy network, for continued engagement or analysis. A defender may choose to migrate attack vectors that appear in the form of phishing emails, suspicious email attachments, or malicious USBs. For example, a defender might move a suspicious attachment from a corporate inbox to an inbox on a system that, while in the corporate IP space, is completely segmented from the enterprise network. This segregated environment will allow the adversary to move laterally throughout the environment without risk to enterprise resources. Determining when an engagement should be moved to an engagement environment is a critical decision when calculating acceptable operational risk. However, if the adversary sent a custom malware sample to a phishing victim but ultimately finds themselves on an unrelated victim, they may be suspicious. Balancing this acceptable risk, believability, and operational goals is essential when determining if or when to migrate an attack vector.
url https://engage.mitre.org/matrix/?activity=attack-vector-migration

EAC0022 - Artifact Diversity

Present the adversary with a variety of network and system artifacts.

Internal MISP references

UUID 7bccaf10-de23-4c66-a8d5-4c1a58944a55 which can be used as unique global reference for EAC0022 - Artifact Diversity in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Artifact Diversity means presenting multiple network and system artifacts to the adversary including accounts, files/directories, credentials, logs, web browsing history, browser cookies, etc. These artifacts can be legitimate artifacts created as the result of natural usage over time or manually added to the environment by the defender. Artifact Diversity can be used to encourage the adversary to engage by offering a broad attack surface or can increase the adversary’s overall comfort level by adding to the believability of the environment. Additionally, these artifacts may be Lures intended to elicit a specific response from the adversary. In any case, by monitoring adversary activity in a diverse environment, the defender can gain information on the adversary’s capabilities and targeting preferences. For example, a defender can include a diverse set of accounts and credentials and then monitor to determine which accounts the adversary targets in the future.
url https://engage.mitre.org/matrix/?activity=artifact-diversity

EAC0023 - Introduced Vulnerabilities

Intentionally introduce vulnerabilities into the environment for the adversary to exploit.

Internal MISP references

UUID 04cf4be6-dabc-452a-a1f4-467290d6fe85 which can be used as unique global reference for EAC0023 - Introduced Vulnerabilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description By intentionally Introducing Vulnerabilities into the engagement environment, the defender can attempt to motivate the adversary to target specific resources. This targeting may serve to move the adversary towards a particular resource, or away from another resource. At other times, the defender may Introduce Vulnerabilities as a means of encouraging the adversary to reveal targeting preferences, available capabilities, or even to influence future targeting decisions. The operational objectives will drive how and why the defender Introduces Vulnerabilities in the engagement environment.
url https://engage.mitre.org/matrix/?activity=introduced-vulnerabilities

SAC0001 - Operational Objective

Define the objective of the desired end-state of your adversary engagement operations.

Internal MISP references

UUID 8e23d442-100a-49b2-a949-a039e72dadca which can be used as unique global reference for SAC0001 - Operational Objective in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description The Operational Objective is the goal(s) that drive all of the approaches and activities used in an adversary engagement operation. Articulating the operational objective allows the defender to align their actions to reach the desired end-state. There are three high-level Engagement Goals in adversary engagement operations: to Expose adversaries on the network, to Affect adversaries on the network, or to Elicit new information about adversaries. These larger themes should help the defender create more focused operational objectives. For example, realistic operational objectives include: protecting a specific high-value technology or person by exposing adversaries targeting that technology or person, protecting against insider threats by affecting the adversary’s ability to steal sensitive data, or increasing the defender’s understanding of the threat landscape by eliciting new adversary TTPs, etc. Every action taken in the planning, execution, and analysis of an operation should be aligned with the operational objective. It is important to define this objective early on. Input from any involved stakeholders should be considered when choosing the operational objectives.
url https://engage.mitre.org/matrix/?activity=operational-objective

SAC0002 - Persona Creation

Plan and create a fictitious human user through a combination of planted data and revealed behavior patterns.

Internal MISP references

UUID 7b9c8ef2-57db-44fc-a418-e5c0f7db7355 which can be used as unique global reference for SAC0002 - Persona Creation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Persona Creation is the process of planning for and creating the personas required to support the engagement narrative. This process should be informed by the previously generated threat model for the defender’s target adversary. For example, if the adversary targets a specific industry, the persona might be created to look like someone who works in that industry. The persona outline should include basic information about the persona itself such as their name, their relationship to the environment, and geographic location. Often, and especially for a short-term engagement operation, these persona traits can be broad. For example, it is unlikely that a persona used in a short-term ransomware detonation operation would require a lot of details to be effective. However, for a longer-term insider threat protection operation, the defender may need to create a persona with the online presence of a corporate employee, including name, birthday, address, etc. Many factors should be considered when determining how in-depth a persona should be, including adversary sophistication, defender resources, and engagement narrative. Once the persona traits have been decided, the planning process should determine how these traits will manifest in the environment. Persona creation is important to running an operation, as personas are often the predominant means through which the defender can engage with the adversary or change the environment during the operation. Careful planning is important as personas can be resource intensive to create and maintain and can reveal the ruse if discovered as fake by the adversary.
url https://engage.mitre.org/matrix/?activity=persona-creation

SAC0003 - Storyboarding

Plan and create the deception story.

Internal MISP references

UUID 05a5c185-33eb-4996-9f3b-6ad7e5fd9b2c which can be used as unique global reference for SAC0003 - Storyboarding in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Storyboarding is the process of creating the deception story through a sequence of events, interactions, the persona’s pattern of life, etc. A large part of Storyboarding is creating this pattern of life for the persona(s) using the system(s). The pattern of life can include behaviors such as using email or chat software, browsing the Internet, using system software, or physically moving the device (particularly important for mobile devices and laptops). The defender must determine how the Persona’s behavior and other events in the environment will be generated. Personas may be generated automatically with tooling, manually with human operators, or some combination of both. The availability of defender resources may greatly impact the frequency of manually executing behaviors. Not every action taken in the environment needs to be planned in advance. However, the defender should have a general idea of what actions will be taken. Setting up a storyboard early in the planning process will allow the operation to run smoothly, efficiently, and most importantly, consistently, regardless of operator, so as not to reveal the ruse.
url https://engage.mitre.org/matrix/?activity=storyboarding

SAC0004 - Cyber Threat Intelligence

The process of analyzing actionable knowledge about adversaries and their malicious activities, enabling defenders and their organizations to reduce harm through better security decision-making.

Internal MISP references

UUID 05cdbc8c-6ba4-4fb1-a081-42a7138342fa which can be used as unique global reference for SAC0004 - Cyber Threat Intelligence in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Cyber Threat Intelligence (CTI) allows an organization to understand the threat landscape. CTI data can be informed by a combination of open and closed source research. Additionally, it can be supplemented with internal and external threat intelligence feeds, including information gleaned from previous engagement operations. The understanding gained through CTI data allows the defender to identify and understand the target adversary for a given operation. For example, if the defender’s intended operational outcome is to expose adversaries on the network, the defender should prioritize adversaries that historically target their organization or similar organizations and/or have displayed TTPs that are likely to evade current defenses. Additionally, storyboarding should look at CTI data for the target adversary to make informed estimations on what the adversary may do in the environment and how they might react to what they find. Once one or more adversaries have been selected as the target adversary, the relevant CTI data should guide the creation of the engagement environment and storyboard, including hardware and software requirements, the required level of realism for lures and pocket litter, and acceptable operational risk. This definition is based on the work presented by MITRE ATT&CK.
url https://engage.mitre.org/matrix/?activity=cyber-threat-intelligence

SAC0005 - Gating Criteria

Define the set of events that would lead to the unnegotiable pause or conclusion to the operation.

Internal MISP references

UUID 291f2c48-bdaa-4de1-b1bc-30232e017d6a which can be used as unique global reference for SAC0005 - Gating Criteria in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Gating Criteria are the event or sequence of events that are agreed to be the unnegotiable immediate pause or end to the operation. Sometimes, these events include the successful completion of the agreed upon operational objectives. Other times, these events may signify the operation has reached a hard stop. This stop is often necessary because future operational safety cannot be guaranteed. Alternatively, the operation may need to end because events have occurred that outweigh the agreed upon acceptable risk. Finally, it may just be that if the adversary operates any longer, they may learn something the defender doesn’t want them to know. Multiple parties from the technical operations, threat intel, legal, and management perspectives should be included when defining Gating Criteria. For example, if an adversary begins to use the engagement environment as a platform to operate against other targets, stakeholders may decide that the operation must be suspended until the unacceptable traffic can be blocked. Defining the operational Gating Criteria is an essential step to ensure operational safety.
url https://engage.mitre.org/matrix/?activity=gating-criteria

SAC0006 - After-Action Review

Review of operational activities.

Internal MISP references

UUID efa2df47-fa0d-4011-91ce-52b0d75c0b8c which can be used as unique global reference for SAC0006 - After-Action Review in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description The After Action Review (AAR) is the opportunity for the team to review the events of the operation to ensure progress towards strategic outcomes. This retrospective can include a review of the entire operational process from planning, implementation, execution, and impact. In addition to the operation itself, the AAR is an important time to assess the communication and teamwork of the operations team and all contributing stakeholders. While an AAR should always occur at the end of an operation, periodic reviews during long-running operations are vital to ensure alignment and progress towards the operational objectives.
url https://engage.mitre.org/matrix/?activity=after-action-review

SAC0012 - Engagement Environment

Design the systems and network for the operation.

Internal MISP references

UUID 859d00ce-0a47-48dd-90ed-13891a2476e5 which can be used as unique global reference for SAC0012 - Engagement Environment in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description The Engagement Environment is the set of carefully tailored, highly instrumented systems designed on an engagement-by-engagement basis as the backdrop to the engagement narrative. It is the actual environment that the adversary will operate in. It is important to ensure that the Engagement Environment complements, rather than competes with, the engagement narrative. Additionally, these systems should provide conduits to allow the target adversary necessary movement throughout the environment, as needed to meet operational outcomes.

While not strictly part of the Engagement Environment, the collection system is the set of systems used to gather artifacts and other data from an operation to monitor the engagement to ensure operational safety. It is important to consider the collection system while designing the engagement environment. By designing these environments in lockstep, the defender guarantees that all aspects of the engagement environment can be monitored. This is essential to ensure operations remain within the guardrails set by the Rules of Engagement. For example, available resources, capabilities, or skills may limit the type of assets in, or size of, the engagement environment.
url https://engage.mitre.org/matrix/?activity=engagement-environment

SAC0009 - Threat Model

A risk assessment that models organizational strengths and weaknesses.

Internal MISP references

UUID df87d02c-a9bb-4863-9253-b9d91a973bfc which can be used as unique global reference for SAC0009 - Threat Model in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Activity
created 28 February 2022
last_modified 28 February 2022
long_description Among other things, threat models require that the defender assesses the strengths, weaknesses, and importance of their own organization, including trusted partners, infrastructure, and critical cyber assets. This understanding will inform operational objectives by outlining the defender’s attack surface and highlighting areas that may be of particular interest to a given adversary. The organization’s threat model should be understood at the onset of an operation to drive operational objective development and revisited at the conclusion of an operation to ensure operational outcomes are captured. This process of defining and informing the organization’s threat model should enable better security decision-making both in future operations and elsewhere in the organization.
url https://engage.mitre.org/matrix/?activity=threat-model

EAP0001 - Collect

Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity.

Internal MISP references

UUID cc4828c4-6334-4a6e-a670-43967f88a87f which can be used as unique global reference for EAP0001 - Collect in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Collection activities are used to gather information about an adversary or their activities. This collection can include gathering system logs, network traffic, adversary artifacts, or other data that can be used to expose adversary activity. In many cases, collection activities are also good cybersecurity practices. However, in Engage, these activities will focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Expose the adversary.
url https://engage.mitre.org/matrix/?approach=collect

EAP0002 - Detect

Establish or maintain awareness regarding adversary activity.

Internal MISP references

UUID cb2b485d-5d61-48e5-a418-b03adccb3dcc which can be used as unique global reference for EAP0002 - Detect in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Detection activities focus on the defender’s ability to monitor adversary activity throughout an environment, often by creating high-fidelity detections. These detections can be produced in several ways. For example, a defender can deploy lures as tripwires in the environment. The defender may create custom alerts based on TTPs or IOCs observed during a malware detonation operation. Finally, the defender may write custom decoders to analyze and alert on malicious traffic.

In all these cases, detection activities allow the defender to produce a high-fidelity alert to monitor adversary activities. Often, detection activities are also good cybersecurity practices. However, in Engage, these activities will focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Expose the adversary.
url https://engage.mitre.org/matrix/?approach=detect

EAP0003 - Prevent

Stop all or part of the adversary’s ability to conduct their operation as intended.

Internal MISP references

UUID aa5e0dec-3114-4456-a062-7b96b92f03d7 which can be used as unique global reference for EAP0003 - Prevent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Prevention activities focus on stopping the adversary’s ability to conduct their operations as intended. The defender can physically or virtually remove or disable resources, tighten security controls, or otherwise impair the adversary’s ability to operate. A defender might prevent an adversary from operating to force them to reveal different, possibly more advanced, capabilities. Additionally, a defender can use prevention activities to discourage the adversary from operating against a specific target. In this case, the defender may be attempting to encourage the adversary to focus elsewhere in the engagement environment. Many more prevention activities are also good cybersecurity practices. However, in Engage, we focus on the subset of activities that lie exclusively at the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Affect the adversary.
url https://engage.mitre.org/matrix/?approach=prevent

EAP0004 - Direct

Encourage or discourage the adversary from conducting their operation as intended.

Internal MISP references

UUID a7389870-4ad2-40e7-8a5b-068d73ed954a which can be used as unique global reference for EAP0004 - Direct in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Direction activities focus on moving the adversary towards or away from an intended path. This forced direction can be accomplished by removing or disabling some resources, while adding or enabling others. The defender can add lures or otherwise manipulate the environment to attempt to elicit specific responses from the adversary. Additionally, the defender can tighten some security controls while leaving others overly permissive or weakened. Finally, the defender can physically move the adversary by moving threats from their intended environment and into a safe engagement environment. For example, a suspicious email attachment can be moved from the intended target to an engagement environment for analysis. No matter how the direction is achieved, the defender hopes to force the adversary to take unintended actions or stop intended actions.
url https://engage.mitre.org/matrix/?approach=direct

EAP0005 - Disrupt

Impair an adversary’s ability to conduct their operation as intended.

Internal MISP references

UUID 498cad8d-3af0-4f41-9946-fc03b2936b60 which can be used as unique global reference for EAP0005 - Disrupt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Disruption activities are used to stop or discourage an adversary from conducting part or all of their mission. This disruption may increase the time, skills, or resources needed for the adversary to accomplish a specific task. For example, a defender may degrade network speeds as the adversary attempts to exfiltrate large blocks of data. As a second example, the defender may manipulate the output of commonly used discovery commands to show targets that do not exist or to hide real targets. In either case, the adversary may waste resources acting on partial or falsified data. Disruptions may also include planting misinformation designed to influence the adversary’s decision-makers to make the wrong decisions or to waste resources.
url https://engage.mitre.org/matrix/?approach=disrupt

EAP0006 - Reassure

Add authenticity to deceptive components to convince an adversary that an environment is real.

Internal MISP references

UUID c993388b-227b-444d-ba0f-88b2f0fd17ad which can be used as unique global reference for EAP0006 - Reassure in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Reassurance activities are used to add authenticity to deceptive components to reduce adversary suspicion about the legitimacy of the environment. Activities include adding realistic user accounts, files, system activity, and any other content that an adversary might expect to find on the system. These activities may add new artifacts, such as peripherals and pocket litter, while concealing others, such as how recently an environment was stood up. If done correctly, reassuring an adversary may help to make them feel more comfortable upon landing in a new environment. This initial level of comfort can help anchor the adversary in the environment, increasing their tolerance to faults or weaknesses discovered later.
url https://engage.mitre.org/matrix/?approach=reassure

EAP0007 - Motivate

Encourage an adversary to conduct part or all of their mission.

Internal MISP references

UUID 87e3b3fe-9232-41ec-b00f-8a516ba2b4c4 which can be used as unique global reference for EAP0007 - Motivate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Motivation activities are used to encourage an adversary to conduct part or all of their mission by providing a target-rich environment. To do this, the defender can use unpatched versions of operating systems and software, remove end-point detection software, and use weak passwords. Additionally, the defender can open firewall ports, add proxy capabilities, or introduce elements that an adversary can easily leverage to bypass an obstacle in their operations. Finally, the defender can add enticing data to the environment to encourage the adversary to steal the data.
url https://engage.mitre.org/matrix/?approach=motivate

SAP0001 - Plan

Identify and align an operation with a desired end-state.

Internal MISP references

UUID 5a0fca54-9af1-48ec-98ab-165f40ada64f which can be used as unique global reference for SAP0001 - Plan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Planning is used to identify and align an operation within the context of strategic goals. By helping the defender to first identify their goals, Planning ensures that all engagement activities are focused and driving forward progress. Additionally, planning ensures that the defender can integrate the inputs of the various stakeholders at the beginning of an operation to ensure that the operation is efficient, effective, and safe. Finally, Planning activities ensure that each operation is informed by the successes and learns from the failures of past operations.
url https://engage.mitre.org/matrix/?approach=plan

SAP0002 - Analyze

Retrospective review of information gained from an operation.

Internal MISP references

UUID 1e046a9a-4832-423b-9838-8416c77e432d which can be used as unique global reference for SAP0002 - Analyze in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Approach
created 28 February 2022
last_modified 28 February 2022
long_description Analysis is used to aggregate, examine, and evaluate the results of an operation. Analysis is useful for improving the defender’s security posture through the synthesis of operational data. Additionally, analysis can be used to turn data into actionable intelligence about an adversary’s motivators, behaviors, tactics, and techniques. Defenders can use analysis to gain insight into adversary activity and thus inform detection and analytics refinements. Reviewing the execution of an operation also provides feedback for the team to improve the quality of future operations. Finally, Analysis activities ensure that each operation is informed by the successes and learns from the failures of past operations.
url https://engage.mitre.org/matrix/?approach=analyze

EGO0001 - Expose

Reveal the presence of ongoing adversary operations.

Internal MISP references

UUID 1afbdb39-8eca-43da-9726-2f15a9343f6b which can be used as unique global reference for EGO0001 - Expose in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Goal
created 28 February 2022
last_modified 28 February 2022
long_description Expose is about discovering previously undetected adversaries engaging in one of two behaviors. First, the adversary may be attempting to gain access to the networks. Second, the adversary may be currently operating on the networks. Both categories of adversary behavior contain vulnerabilities that can be advantageous for a defender seeking to expose the adversary.

As an example of such a vulnerability, when an adversary interacts with network or system resources, they are vulnerable to trigger tripwires. The defender can make and leak fake credentials both inside and outside of the network. The defender can then monitor for the use of these credentials. Then, when an adversary uses a fake credential, the defender will receive a high-fidelity alert. In addition, if the credentials are unique, a defender may be able to detect how and when an adversary collected the credentials. Whenever a defender seeks to engage with an adversary, operational safety is paramount. To maintain this safety, it is a best practice to monitor adversaries as they operate in an engagement environment. Additionally, the defender must be able to observe the adversary. Therefore, collection and detection activities can often be utilized even when a defender may have other strategic goals in mind.

Engage defines two approaches to make progress towards the Expose goal.

Collection allows the defender to capture and review data that the adversary produces during their operations.

Detection takes this collected data and turns it into an alert that the defender can use to their advantage.

In many cases, the activities that support such Collection and Detection approaches are also good cybersecurity practices. However, in Engage, these activities will focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Expose the adversary.
url https://engage.mitre.org/matrix/?activity=expose

EGO0002 - Affect

Negatively impact the adversary’s operations.

Internal MISP references

UUID 039b8e09-3cd3-4fa4-9653-97540c236923 which can be used as unique global reference for EGO0002 - Affect in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Goal
created 28 February 2022
last_modified 28 February 2022
long_description Affect is ultimately about changing the cost-value proposition in cyber operations for the adversary. The defender may want to increase the adversary’s cost to operate or drive down the value they derive from their operations. For example, the defender can negatively impact the adversary’s on-network operations to drive up the resource cost of doing operations by slowing down or selectively resetting connections to impact exfiltration. This type of activity increases the adversary’s time on target and wastes their resources. To drive down the value of stolen data, a defender could provide an adversary deliberately conflicting information. Providing such information requires an adversary to either choose to believe one piece of data over another, disregard both, collect more data, or continue with uncertainty.

All these options increase operational costs and decrease the value of collected data. Engage defines three approaches to make progress towards the Affect goal.

Prevent focuses on setting up mitigations that stop some portion of an adversary’s operations from even starting.

Direct attempts to maneuver an adversary into a better position for the defender.

Disrupt seeks to cause problems in an adversary’s operations.
url https://engage.mitre.org/matrix/?activity=affect

EGO0003 - Elicit

Learn about adversaries’ tactics, techniques, and procedures (TTPs).

Internal MISP references

UUID 3e3ea319-b8e1-4845-addf-c70bda5dcf75 which can be used as unique global reference for EGO0003 - Elicit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Goal
created 28 February 2022
last_modified 28 February 2022
long_description Elicit encourages adversaries to reveal additional or more advanced TTPs and goals while operating in defender-controlled engagement environments. These high-fidelity, synthetic engagement environments are uniquely tailored to engage with specific adversaries. They may contain a combination of documents, browser artifacts, etc. to reassure an adversary and reduce suspicion. Further, they may offer enticing data and exploitable vulnerabilities to motivate an adversary to operate in the defender’s environment.

These environments can be left as a dangle, i.e., a honeypot. At other times, the defender may self-infect with malware. In either case, observing an adversary as they operate can provide organizations with actionable cyber threat intelligence and potential understanding of the adversary’s goals.

Engage defines two approaches to make progress towards the Elicit goal.

Reassurance focuses on providing an environment that reduces adversary suspicion by meeting expectations and creating an artifact-rich environment.

Motivation seeks to create a target rich environment that encourages the adversary to engage in new TTPs.
url https://engage.mitre.org/matrix/?activity=elicit

SGO0001 - Prepare

Help the defender think about what they want to accomplish with operations.

Internal MISP references

UUID a2b1b336-b6f8-4d9c-82a1-51ef70fc3161 which can be used as unique global reference for SGO0001 - Prepare in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Goal
created 28 February 2022
last_modified 28 February 2022
long_description Prepare is used to ensure the defender drives progress during adversary engagement operations towards a desired end-state or Strategic Goal. To support this aim, the defender must first generate a clear picture of their organization and the threat landscape. This understanding should include their current security posture, including known strengths and weaknesses, and an inventory of priority cyber assets, including key intellectual property. The defender should then examine and update the threat models for any identified adversaries.

These various assessments and models should enable the defender to identify their strategic goal. At this point, all activities should be aligned with this goal. Once a goal has been selected, the defender must work to plan for the operation by identifying a target adversary, creating the necessary Personas, generating an operational storyboard, etc. Finally, the key stakeholders should be called on to establish rules for operational safety and acceptable risk. At each step in the planning process, the defender should incorporate intelligence gained from previous operations to ensure that future operations can run more effectively and efficiently.

Engage defines a single approach to make progress towards the Prepare goal.

Planning focuses on collecting the various existing sources of intelligence together to inform the selection of a strategic goal and then to drive progress towards that goal.

Unlike the Engagement Goals, Prepare has only a single approach. This laser focus is intentional for the first release of Engage.

Engage seeks to highlight that denial, deception, and adversary engagement activities cannot be viewed as “fire and forget”. Unlike many defensive technologies, these activities must be viewed only in context of how they inform and drive progress towards larger strategic goals. To this end, Prepare is essential to ensure that every action taken in an engagement operation drives progress towards a unified goal.
url https://engage.mitre.org/matrix/?activity=prepare

SGO0002 - Understand

Make sure that the defender is capturing, utilizing, and refining knowledge learned to improve the defender’s posture.

Internal MISP references

UUID 05af045d-b149-40b6-86ec-2e1670ac4ae5 which can be used as unique global reference for SGO0002 - Understand in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Goal
created 28 February 2022
last_modified 28 February 2022
long_description Understand frames how raw operational outputs can be collected, synthesized, and used to inform future operations and defensive strategies. The Understand goal helps the defender to assess their progress towards Strategic Goals. At its core, the Understand goal ensures that operational outputs can connect to and inform a larger strategy. To do this, the defender must turn the raw outputs from an operation into useful and actionable intelligence. These outputs may be in the form of collected PCAP, logs, qualitative defender observations, etc.

Applying analytics to raw data can help the defender to map this data to adversary behavior. Now the behavior can be analyzed to contextualize the intelligence and inform the existing threat model. For example, the defender may look at raw PCAP data and identify a new IP address that the adversary uses for exfiltration. This IOC can be added to the existing threat model. After applying behavioral analytics to the data, the defender might see that the adversary used a new Defense Evasion technique. In that case, the defender should update the threat model to include this new intelligence. At this point, the defender should assess if this new intelligence will affect any ongoing operations. For example, the defender should ensure that current collection efforts will detect this new TTP.

Other opportunities to increase the defender’s understanding post-operation include efforts to refine and update individual engagement activities based on qualitative and quantitative outputs. The defender can reflect on how the overall engagement went and refine future activities to maximize their usefulness. Finally, the defenders should assess their own coordination and communication. Teamwork is essential during an operation. The defender should seek to improve coordination and skills with each operation.

Engage defines a single approach to make progress towards the Understand goal.

Analysis focuses on turning raw outputs into useful intelligence that drives future progress.

Unlike the Engagement Goals, Understand has only a single approach. This laser focus is intentional for the first release of Engage. Engage seeks to highlight that denial, deception, and adversary engagement activities cannot be viewed as “fire and forget”. Unlike many defensive technologies, these activities must be viewed only in context of how they inform and drive progress towards larger strategic goals. To this end, Analysis is essential to turn the raw operational outputs into intelligence that drives progress towards these strategic goals.
url https://engage.mitre.org/matrix/?activity=understand

EAV0001 -

When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

Internal MISP references

UUID ace52fa2-9338-4836-b558-2b9d87144c7b which can be used as unique global reference for EAV0001 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0002 -

When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases, the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.

Internal MISP references

UUID b0c62e4d-9c34-49d9-b11b-c549a5152758 which can be used as unique global reference for EAV0002 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0003 -

When adversaries exploit a trusted relationship, such as using an account to access or move in the environment, they are vulnerable to triggering tripwires or engaging in anomalous behavior.

Internal MISP references

UUID e737e0bd-1123-4bd8-92ac-4a4376d40635 which can be used as unique global reference for EAV0003 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0004 -

When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.

Internal MISP references

UUID f420a0fe-04e7-49e6-b4dd-181391914392 which can be used as unique global reference for EAV0004 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0005 -

When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.

Internal MISP references

UUID bdb79151-3739-46b9-b185-7c9d84d3189c which can be used as unique global reference for EAV0005 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0006 -

When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data.

Internal MISP references

UUID 9b6b151c-5b85-4cdd-ba17-bc6c73dfbb93 which can be used as unique global reference for EAV0006 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0007 -

When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Internal MISP references

UUID 5aa4c915-c7d9-4ec9-8e56-74719b67812d which can be used as unique global reference for EAV0007 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0008 -

When adversaries maintain drive-by sites, they provide a pathway for beginning engagements and may be unable to differentiate real from deceptive victims.

Internal MISP references

UUID c1abb452-8864-4d5a-b4c7-8db5669a6631 which can be used as unique global reference for EAV0008 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0009 -

When adversaries maintain drive-by sites and collect information about potential victims, they may reveal information about their targeting preferences by selecting or rejecting an arbitrary victim.

Internal MISP references

UUID 053e6dda-d963-4c15-94f0-0beb8e419d3e which can be used as unique global reference for EAV0009 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0010 -

When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.

Internal MISP references

UUID 600296ee-0800-45f2-8dbc-bd46aabd240a which can be used as unique global reference for EAV0010 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0011 -

When adversaries use previously stolen information to access or move laterally within an environment, they may reveal previous collection activities.

Internal MISP references

UUID 87b9a0fe-bc4c-41ee-a735-8d2a7f7b8fa5 which can be used as unique global reference for EAV0011 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0012 -

When adversaries use hardware peripherals, removable media, or connected transient cyber assets, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network.

Internal MISP references

UUID 9cb391e0-07f5-4dda-abd1-d8b1992b7c03 which can be used as unique global reference for EAV0012 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 March 2024

EAV0013 -

When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.

Internal MISP references

UUID 2f9a7838-0322-41ee-9450-ac70f80eed33 which can be used as unique global reference for EAV0013 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0014 -

When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network.

Internal MISP references

UUID 1b810b36-b823-4a4b-be5b-cf1f42bfb898 which can be used as unique global reference for EAV0014 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0015 -

When adversaries exploit a trusted relationship, they are vulnerable to collecting and acting on manipulated data provided by the trusted party.

Internal MISP references

UUID 93f0c0ef-4b69-4c25-aa8f-7e995ec7832b which can be used as unique global reference for EAV0015 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0016 -

When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.

Internal MISP references

UUID c168e468-f206-41a4-a258-0d29ff2c26ee which can be used as unique global reference for EAV0016 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0017 -

When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment (production or isolated), they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource.

Internal MISP references

UUID 2f97460f-49e4-461b-8893-117761c19c98 which can be used as unique global reference for EAV0017 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 March 2024

EAV0018 -

When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user.

Internal MISP references

UUID 72dea191-30aa-4950-9ceb-530e0d5c8675 which can be used as unique global reference for EAV0018 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0019 -

When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities.

Internal MISP references

UUID db03271c-f6e5-4a1c-9de9-406d1d22c942 which can be used as unique global reference for EAV0019 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0020 -

When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc.

Internal MISP references

UUID febd1a0c-70e1-43e2-949d-46b230f4cdb1 which can be used as unique global reference for EAV0020 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0021 -

When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities.

Internal MISP references

UUID 978e6782-caa9-4909-b7b5-5b462d52fd92 which can be used as unique global reference for EAV0021 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0022 -

When adversaries use brute-force techniques to access accounts or encrypted data, they are vulnerable to wasting resources if the artifact has no valid credentials or is locked in some other way.

Internal MISP references

UUID 15ebde4a-439e-4ffa-8e84-6603f7a57850 which can be used as unique global reference for EAV0022 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0023 -

When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity.

Internal MISP references

UUID 0c3f2b3e-1c5b-4843-badb-3ab88c6ac759 which can be used as unique global reference for EAV0023 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0024 -

When adversaries discover inaccessible data or data streams that they perceive as interesting, they are vulnerable to wasting resources or revealing additional capabilities in an effort to access the content.

Internal MISP references

UUID 4a21b023-c57e-40fe-b369-dea4ef5c117f which can be used as unique global reference for EAV0024 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 March 2024

EAV0025 -

When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences.

Internal MISP references

UUID e812ef24-2b22-4430-b38e-c5b84149ab52 which can be used as unique global reference for EAV0025 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0026 -

When adversaries maintain drive-by sites, they reveal information about their targeting capabilities.

Internal MISP references

UUID b51c4941-3c01-47e9-bb62-c449ea420753 which can be used as unique global reference for EAV0026 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0027 -

When adversaries’ malware is detonated, they are vulnerable to dynamic analysis, which can reveal how the malware interacts with system resources.

Internal MISP references

UUID 289078ce-e01f-4a1e-a3a5-92f0dc00de6d which can be used as unique global reference for EAV0027 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0028 -

When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment.

Internal MISP references

UUID 0b1434c7-704c-4fd1-86cc-2d6782388398 which can be used as unique global reference for EAV0028 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0029 -

When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task.

Internal MISP references

UUID 81ef6541-8da7-48ce-b760-37352de9989c which can be used as unique global reference for EAV0029 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 February 2022
last_modified 28 February 2022

EAV0030 -

When adversaries discover inaccessible (but possibly valuable) data or data streams, they are vulnerable to wasting resources or revealing additional capabilities in an effort to access the content.

Internal MISP references

UUID 53af4148-b3e4-4747-b2bc-70326648d6e8 which can be used as unique global reference for EAV0030 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 March 2024
last_modified 28 March 2024

EAV0031 -

When adversaries gain physical access to a device or environment, they are vulnerable to observation or other physical domain consequences.

Internal MISP references

UUID 1ee99284-392a-4fba-96c6-42c7cafa3ab3 which can be used as unique global reference for EAV0031 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 March 2024
last_modified 28 March 2024

EAV0032 -

When adversaries attempt to remotely manipulate, damage or effect some change in the physical environment, they are vulnerable to Man-in-the-Middle manipulations.

Internal MISP references

UUID 1510e3fa-67d3-448b-a9ae-26045c47b734 which can be used as unique global reference for EAV0032 - in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
category Vulnerability
created 28 March 2024
last_modified 28 March 2024