Make changes to network properties and functions to achieve a desired effect.
Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, add a kill switch to cut off network access, etc. These types of manipulations can affect the adversary's ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether.
For example, a defender can limit the allowed ports or network requests to force the adversary to alter their planned C2 or exfiltration channels. As another example, a defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Additionally, the defender can degrade network speeds and reliability to impose a resource cost as adversaries exfiltrate large quantities of data. Finally, a defender can block primary C2 domains and IPs to determine if the adversary has additional infrastructure. While there are a range of network manipulation options, in all cases, the defender has an opportunity to learn about or influence the adversaries operating in the environment.
| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Reconnaissance, Command and Control, Collection, Exfiltration, Discovery, Impact, Credential Access, Initial Access, Lateral Movement, Defense Evasion | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. |
| Exfiltration, Command and Control | When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities. |
| Execution, Command and Control | When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. |
| Command and Control | When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity. |
| Command and Control | When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task. |
| Lateral Movement | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |