Monitor network traffic in order to detect adversary activity.
Network Monitoring involves capturing network activity data, including capturing server, firewall, and other relevant logs. A defender can send this data to a centralized collection location for further analysis. This analysis can be automated or manual. In either case, a defender can use Network Monitoring to identify anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.
Monitoring is essential to maintain situational awareness of adversary activities to ensure operational safety and make progress towards the defender's goals. Careful pre-operational planning should be done to properly instrument the engagement environment to ensure that all key network traffic is collected. Some use cases of network monitoring include detecting unexpected outbound traffic, systems establishing connections using encapsulated protocols, and known adversary C2 protocols.
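The use cases listed above (unexpected outbound traffic, encapsulated or tunnelled protocols, regular C2-style check-ins, and large unexpected transfers) can be expressed as simple rules over centrally collected flow and DNS records. The following is an added example, not part of the original page and not a MITRE Engage tool: it runs four such rules over a constructed, Zeek-style set of connection and DNS records. The field layout, the internal address ranges, the egress port allowlist, and all thresholds are assumptions chosen for illustration and would be tuned to the engagement environment.

```python
"""Added example: four network-monitoring detection rules over constructed logs."""
import math
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flows (not from the page). Each tuple mirrors a few
# Zeek conn.log fields: ts, src, dst, dst_port, proto, orig_bytes.
FLOWS = [
    (1000.0, "10.0.0.5", "10.0.0.2", 445, "tcp", 2_000),            # internal to internal
    (1001.0, "10.0.0.5", "93.184.216.34", 443, "tcp", 1_200),       # ordinary HTTPS egress
    (1002.0, "10.0.0.7", "198.51.100.9", 4444, "tcp", 300),         # unusual egress port,
    (1060.0, "10.0.0.7", "198.51.100.9", 4444, "tcp", 310),         # repeating at a steady
    (1120.0, "10.0.0.7", "198.51.100.9", 4444, "tcp", 305),         # interval
    (1180.0, "10.0.0.7", "198.51.100.9", 4444, "tcp", 298),
    (1240.0, "10.0.0.7", "198.51.100.9", 4444, "tcp", 301),
    (1300.0, "10.0.0.9", "203.0.113.20", 443, "tcp", 850_000_000),  # very large transfer
]
# Constructed DNS queries: (source host, queried name).
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.8", "a9f3k2m1x8q7z4b6c0d5e2f1g7h3j9k4.tunnel.example.net"),
]

# Assumed environment facts and thresholds; tune per engagement.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {53, 80, 443}
LARGE_TRANSFER_BYTES = 500_000_000
BEACON_MIN_CONNECTIONS = 4
BEACON_MAX_JITTER = 0.1  # coefficient of variation of inter-connection gaps


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def unexpected_egress(flows):
    """Internal host talking to an external host on a port outside the allowlist."""
    return [f for f in flows
            if is_internal(f[1]) and not is_internal(f[2]) and f[3] not in ALLOWED_EGRESS_PORTS]


def large_transfers(flows):
    """Outbound flows whose originator byte count exceeds the transfer threshold."""
    return [f for f in flows if not is_internal(f[2]) and f[5] >= LARGE_TRANSFER_BYTES]


def beacon_candidates(flows):
    """(src, dst, port) pairs with many connections at nearly constant intervals."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f[1]) and not is_internal(f[2]):
            by_pair[(f[1], f[2], f[3])].append(f[0])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < BEACON_MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= BEACON_MAX_JITTER:
            hits.append((pair, round(avg, 1)))
    return hits


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns(queries, min_label_len=24, min_entropy=3.5):
    """Long, high-entropy leftmost labels, a common sign of data encapsulated in DNS."""
    hits = []
    for src, name in queries:
        first = name.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= min_entropy:
            hits.append((src, name))
    return hits


def run_all(flows=FLOWS, queries=DNS_QUERIES):
    """Apply every rule and return the hits keyed by rule name."""
    return {
        "unexpected_egress": unexpected_egress(flows),
        "large_transfers": large_transfers(flows),
        "beacons": beacon_candidates(flows),
        "suspicious_dns": suspicious_dns(queries),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

On the constructed data the egress rule and the beacon rule fire on the same host, which is the point of centralising the records: a single odd port is easy to dismiss, but the same pair repeating every minute with almost no jitter is a much stronger signal. The DNS rule is deliberately crude (label length plus entropy); in practice it would be combined with query volume per source and per domain to keep CDN and anti-spam lookups from dominating the alerts.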
| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Command and Control, Lateral Movement, Impact, Collection, Defense Evasion | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. |
| Command and Control, Exfiltration, Defense Evasion | When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. |
| Exfiltration, Command and Control | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. |