We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Network Monitoring

Monitor network traffic in order to detect adversary activity.

Network Monitoring involves capturing network activity data, including capturing server, firewall, and other relevant logs. A defender can send this data to a centralized collection location for further analysis. This analysis can be automated or manual. In either case, a defender can use Network Monitoring to identify anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.

Monitoring is essential for maintaining situational awareness of adversary activity, both to keep the operation safe and to make progress toward the defender's goals. Careful pre-operational planning should be done to instrument the engagement environment so that all key network traffic is collected. Use cases for network monitoring include detecting unexpected outbound traffic, systems establishing connections using encapsulated protocols, and known adversary C2 protocols.
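The three use cases above, worked as rule checks over flow summaries (Zeek conn.log-style records). This is an added example, not code from MITRE Engage; the record fields, the internal address range, the expected-service table and the size threshold are all assumptions, and the sample flows are constructed.

```python
"""Flag unexpected outbound ports, encapsulated protocols and large
transfers in constructed flow records (assumed field layout)."""
import ipaddress

# Assumed policy: which identified service a given destination port should carry
EXPECTED_SERVICE = {53: "dns", 80: "http", 443: "ssl"}
LARGE_TRANSFER_BYTES = 50_000_000        # assumed threshold for a "large" upload
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed engagement network

# Constructed sample records: one benign web flow followed by three suspect flows
FLOWS = [
    {"ts": "2024-01-01T10:00:00", "src": "10.0.1.5", "dst": "93.184.216.34",
     "dport": 443, "service": "ssl", "orig_bytes": 4_200},
    {"ts": "2024-01-01T10:01:00", "src": "10.0.1.5", "dst": "198.51.100.7",
     "dport": 443, "service": "ssh", "orig_bytes": 9_000},
    {"ts": "2024-01-01T10:02:00", "src": "10.0.1.9", "dst": "203.0.113.20",
     "dport": 53, "service": "dns", "orig_bytes": 120_000_000},
    {"ts": "2024-01-01T10:03:00", "src": "10.0.1.9", "dst": "203.0.113.21",
     "dport": 4444, "service": "-", "orig_bytes": 800},
]

def is_outbound(flow):
    """True when the flow leaves the internal range for an external host."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return src in INTERNAL and dst not in INTERNAL

def classify(flow):
    """Return the rule names an outbound flow trips (empty list if none)."""
    if not is_outbound(flow):
        return []
    hits = []
    expected = EXPECTED_SERVICE.get(flow["dport"])
    if expected is None:
        hits.append("unexpected_outbound_port")   # egress to a port policy does not allow
    elif flow["service"] != expected:
        hits.append("encapsulated_protocol")      # e.g. SSH carried inside tcp/443
    if flow["orig_bytes"] >= LARGE_TRANSFER_BYTES:
        hits.append("large_transfer")             # bulk upload worth reviewing
    return hits

def analyze(flows):
    """Map (src, dst, dport) of every flagged flow to the rules it tripped."""
    return {(f["src"], f["dst"], f["dport"]): classify(f)
            for f in flows if classify(f)}

if __name__ == "__main__":
    for key, rules in analyze(FLOWS).items():
        print(key, rules)
```

In a real deployment the same checks would run over records forwarded to the central collection point, with the port and service policy derived from the engagement plan.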

Details
ID: EAC0002
Type: Engagement
Goals: Expose
Approaches: Collection
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Network Monitoring.

ATT&CK® Tactics | Adversary Vulnerability Presented
Command and Control, Lateral Movement, Impact, Collection, Defense Evasion | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Command and Control, Exfiltration, Defense Evasion | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity.
Exfiltration, Command and Control | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities.