Present the adversary with a variety of installed applications and services.
Application Diversity presents an array of software targets to the adversary. On a single target, system defenders can configure multiple services or software applications. On a target network, defenders can present systems with a variety of OSs, OS versions, applications, and services. Application Diversity can be used to encourage engagement by offering a broad attack surface.
Additionally, diversity can increase the adversary's overall comfort level by adding to the believability of the environment. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary's capabilities and targeting preferences. For example, a defender can install one or more applications with a variety of patch levels to see how the adversary's response differs across versions.
Additionally, a diverse set of applications provides a variety of avenues for the defender to present additional information throughout an operation. This information can be used to introduce additional attack surfaces, motivate or demotivate the adversary, or further the deception story. For example, if the adversary is close to uncovering something that might raise suspicion around a target, the defender can add an event to a shared calendar application or a message in a notes application that the system will be offline for scheduled maintenance. Having a variety of applications on the system provides the defender with multiple engagement avenues to handle whatever events happen during the course of the operation.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Impact, Discovery, Collection, Persistence, Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement, Command and Control||When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to reveal their targetting preferences and capabilities|