We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Information Manipulation

Conceal and reveal both facts and fictions to support a deception story

Information Manipulation is used to support the deception story. Revealed facts and fictions can be used to adjust the adversary's trust in the environment. Concealed facts and fictions can be used to adjust the adversary's sense of uncertainty towards the environment. Revealed facts may include OS type and version, geographic location, hardware type and version, accounts, credentials, etc. Revealed fictions may include the content of decoy files, emails, messages, etc. Revealed facts and fictions may or may not be believed by the adversary.

If an adversary believes a revealed fact or fiction, it may lend credibility to the environment or encourage a specific action. If an adversary is suspicious or does not believe a revealed fact or fiction, it may erode adversary trust in the environment. For example, if the adversary discovers that a collection of legitimate passwords all contain the phrase "honeytoken" or "canarytoken", they may lose trust in the legitimacy of the environment, even if the credentials are real and valid in the enterprise network. Conversely, if the adversary checks the timestamps on various files on the target and finds timestamps going back multiple years, they may trust that the environment is legitimate even if, in reality, the files are new and the timestamps were falsified. In this way, revealed facts and fictions can be used to adjust the adversary's trust in the environment in ways that support the defender's goals.
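A pre-deployment check for the two tells described above, as an added example that is not part of the MITRE Engage page: it flags decoy files whose name or content contains a marker such as "honeytoken", and scatters modification times over several years so the set does not look freshly created. The function names, the sample files and the four-year window are assumptions made for illustration.

```python
import os
import random
import tempfile
import time
from pathlib import Path

# Marker strings named in the passage above; extend with local naming tells.
TELLTALE_MARKERS = ("honeytoken", "canarytoken")
YEAR = 365 * 24 * 3600

def decoy_files(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file())

def find_telltales(root):
    """Return (file name, marker) pairs where a decoy's name or content gives it away."""
    hits = []
    for path in decoy_files(root):
        text = (path.name + "\n" + path.read_text(errors="ignore")).lower()
        hits += [(path.name, m) for m in TELLTALE_MARKERS if m in text]
    return hits

def mtime_spread_years(root):
    """Span between the oldest and newest modification time, in years."""
    times = [p.stat().st_mtime for p in decoy_files(root)]
    return (max(times) - min(times)) / YEAR if times else 0.0

def backdate(root, max_age_years=4, seed=0):
    """Scatter access/modification times across the past max_age_years."""
    rng, now = random.Random(seed), time.time()
    for path in decoy_files(root):
        ts = now - rng.uniform(0, max_age_years * YEAR)
        os.utime(path, (ts, ts))

def build_sample():
    """Constructed decoy set for the demo; names and contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="decoy_"))
    (root / "vpn_accounts.txt").write_text("svc_backup:Honeytoken-2024!\n")
    (root / "budget_draft.txt").write_text("Q3 forecast, internal only\n")
    (root / "network_notes.txt").write_text("core switch moved to rack 12\n")
    return root

if __name__ == "__main__":
    root = build_sample()
    print("tell-tales:", find_telltales(root))
    print("spread before: %.3f years" % mtime_spread_years(root))
    backdate(root)
    print("spread after:  %.3f years" % mtime_spread_years(root))
```

`os.utime` sets only the access and modification times; the inode change time on Linux and the creation time on NTFS keep their real values, so those need a separate review before the decoys are deployed.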

Concealed facts may include virtualized systems disguised as physical systems, monitoring software, or collection efforts. Concealed fictions may include an encrypted, interestingly named decoy file or a partially deleted email thread referencing high-value, but decoy, assets. Concealed facts and fictions may or may not be discovered by the adversary. If the adversary discovers a concealed fact or fiction, it may increase the ambiguity of the environment and affect the adversary's sense of uncertainty.

For example, if an adversary discovers a hidden monitoring solution is deployed, they may feel less comfortable engaging with that specific target. Conversely, if the defender deploys a hidden monitoring solution with an intentional blind spot that the adversary discovers, the adversary may feel a decrease in ambiguity and take additional actions believing that they will be undetected. In this way, concealed facts and fictions can be used to adjust the ambiguity and affect the adversary's sense of uncertainty in ways that support the defender's goals.

Details
ID: EAC0015
Type: Engagement
Goals: Elicit
Approaches: Reassurance, Motivation

Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Information Manipulation.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Command and Control, Collection, Exfiltration, Lateral Movement, Discovery, Impact | When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities. |
| Collection, Discovery, Defense Evasion, Execution, Impact, Reconnaissance | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |
| Collection, Discovery, Execution, Defense Evasion | When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence. |
| Collection | When adversaries collect manipulated artifacts, they are vulnerable to revealing their presence when using or moving the artifacts elsewhere in the engagement environment. |
| Execution | When adversaries interact directly with victims, they are vulnerable to being socially engineered or otherwise manipulated by an aware user. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data. |
| Reconnaissance | When adversaries collect targeting information from open or closed data sources, they may reveal their targeting preferences. |
| Defense Evasion | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |