Collect system activity logs that can reveal adversary activity.
Capturing system logs can show logins, user and system events, etc. A defender can use such inherent system logging to study and collect first-hand observations about the adversary's actions and tools.
This data can be sent to a centralized collection location for further analysis. Careful planning should be used to guide which system logs are collected and at what level. If the logging level is set too high or too many system logs are collected, the defender may be blinded by the excess data. For example, understanding the adversary's known TTPs will highlight resources the adversary is likely to touch and therefore which system logs are likely to capture adversary activity.
Overall, System Activity Monitoring is essential to maintain situational awareness of adversarial activities in order to ensure operational safety and progress towards operational goals. Careful pre-operational planning should be done to properly instrument the engagement environment. This will ensure that all key network traffic is collected.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Impact, Credential Access, Initial Access, Defense Evasion, Persistence, Privilege Escalation||When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior|
|Persistence||When adversaries collect manipulated artifacts, they are vulnerable to reveal their presence when they use or move the artifacts elsewhere in the engagement environment.|
|Credential Access||When adversaries use previously stolen information to access or move laterally within an environment they may reveal previous collection activities.|
|Command and Control, Defense Evasion||When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation|
|Persistence||When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic they are vulnerable to detection of their activity.|
|Lateral Movement||When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.|