We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Network Analysis

Analyze network traffic to gain intelligence on communications between systems.

Network analysis can be an automated or manual task to review communications between systems to expose adversary activity, such as C2 or data exfiltration traffic. This analysis is normally done by capturing and analyzing traffic on the wire or from previously collected packet capture.

When custom protocols are in use, defenders can leverage protocol decoder frameworks. These are customized code modules that can read network traffic and contextualize activity between the C2 operator and the implant. These frameworks are often required to process complex encryption ciphers and custom protocols into a human-readable format for an analyst to interpret. Decoder creation requires malware analysis of the implant to understand the design of the protocol. While a high level of technical maturity is required to create such a decoder, once created they are invaluable to the defender.

For example, a defender can use a protocol decode to decrypt network capture data and expose an adversary's C2 or exfiltration activity. Not only does this data provide exquisite intelligence in regard to the adversary's communications channels and targeting preferences, but it also provides future opportunities for data manipulation to further operational goals.

ID: EAC0004
Type:  Engagement 
Goals:  Expose
Approaches:  Detection
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Network Analysis.

ATT&CK® Tactics Adversary Vulnerability Presented
Command and Control When adversaries use easily identifiable techniques, or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity.
Exfiltration When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Collection When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task.
Command and Control When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities.