We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Peripheral Management

Manage peripheral devices used on systems within the network for engagement purposes.

Peripheral Management is the administration of peripheral devices used on systems within the engagement environment. A defender can choose to allow or deny certain types of peripherals from being used on systems to either motivate or demotivate adversary activity or to direct the adversary towards specific targets. Defenders can also introduce peripherals to an adversary-controlled system to see how the adversary reacts. For example, the defender can introduce external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes.

Additionally, peripherals provide an avenue for the defender to present new or additional information to the adversary. This information can be used to introduce an additional attack surface, motivate or demotivate adversary activity, or to further the deception story. For example, the defender may include data on a connected USB device or stage an important conversation near an externally connected camera or microphone. Depending on the contents of this data, the adversary may be encouraged to take a specific action and/or reassured about the legitimacy of the environment.

Details
ID: EAC0010
Type: Engagement
Goals: Affect, Elicit
Approaches: Direction, Reassurance

Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Peripheral Management.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Collection | When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. |
| Command and Control, Exfiltration, Discovery, Initial Access | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. |
| Command and Control, Discovery | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Collection, Exfiltration | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |
| Discovery | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. |
| Discovery | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. |
| Initial Access | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior. |