We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Application Diversity

Present the adversary with a variety of installed applications and services.

Application Diversity presents an array of software targets to the adversary. On a single target system, defenders can configure multiple services or software applications. On a target network, defenders can present systems with a variety of OSs, OS versions, applications, and services. Application Diversity can be used to encourage engagement by offering a broad attack surface.

Additionally, diversity can increase the adversary's overall comfort level by adding to the believability of the environment. By monitoring adversary activity in a diverse environment, the defender can gain information on the adversary's capabilities and targeting preferences. For example, a defender can install one or more applications with a variety of patch levels to see how the adversary's response differs across versions.

A diverse set of applications also gives the defender a variety of avenues for presenting additional information throughout an operation. This information can be used to introduce additional attack surfaces, motivate or demotivate the adversary, or further the deception story. For example, if the adversary is close to uncovering something that might raise suspicion around a target, the defender can add an event to a shared calendar application or a message in a notes application stating that the system will be offline for scheduled maintenance. Having a variety of applications on the system provides the defender with multiple engagement avenues to handle whatever events happen during the course of the operation.

Details
ID: EAC0006
Type: Engagement
Goals: Elicit
Approaches: Reassurance, Motivation
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Application Diversity.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Discovery, Lateral Movement, Credential Access, Privilege Escalation, Persistence, Initial Access, Execution, Defense Evasion, Command and Control, Impact, Collection | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |