We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Network Manipulation

Make changes to network properties and functions to achieve a desired effect.

Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, add a kill switch to cut off network access, etc. These types of manipulations can affect the adversary's ability to achieve their operational objectives by incurring an increased resource cost, forcing them to change tactics, or stopping them altogether.

For example, a defender can limit the allowed ports or network requests to force the adversary to alter their planned C2 or exfiltration channels. As another example, a defender could allow or deny outbound SMB requests from a network to affect the success of forced authentication. Additionally, the defender can degrade network speeds and reliability to impose a resource cost as adversaries exfiltrate large quantities of data. Finally, a defender can block primary C2 domains and IPs to determine if the adversary has additional infrastructure. While there are a range of network manipulation options, in all cases, the defender has an opportunity to learn about or influence the adversaries operating in the environment.
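The following is an added example, not part of the MITRE Engage page, showing how the manipulations described above (an outbound port allow-list, an explicit deny for outbound SMB, throttling of large transfers, and a block on the primary C2 domain and address range) can be expressed as one egress policy and evaluated over constructed flow records. It also implements the "block the primary C2 to see if the adversary has additional infrastructure" idea as detection logic: once a host has had a C2 attempt denied, every later destination it contacts that is not in a known-good baseline is reported as a candidate fallback. All hostnames, addresses, ports and flows are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Dict, List, Optional, Set, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass
class EgressPolicy:
    allowed_ports: Set[int]          # outbound ports permitted at all
    blocked_ports: Set[int]          # ports denied even if otherwise allowed (e.g. 445)
    blocked_domains: Set[str]        # primary C2 domains (exact or parent-domain match)
    blocked_networks: List[Network]  # primary C2 address ranges
    throttle_bytes: int              # flows larger than this are rate-limited, not dropped


@dataclass
class Flow:
    ts: int                          # seconds since epoch (constructed)
    src: str                         # internal host
    dst_ip: str
    dport: int
    bytes_out: int
    dst_name: Optional[str] = None   # name resolved for dst_ip, when DNS logs provide one


def _domain_blocked(name: str, blocked: Set[str]) -> bool:
    """True if name equals a blocked domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)


def evaluate(policy: EgressPolicy, flow: Flow) -> str:
    """Return the policy verdict for one outbound flow.

    Order matters: port rules first (cheapest, catches SMB and non-standard
    ports), then the primary-C2 domain and address blocks, then throttling."""
    if flow.dport in policy.blocked_ports or flow.dport not in policy.allowed_ports:
        return "deny-port"
    if flow.dst_name and _domain_blocked(flow.dst_name, policy.blocked_domains):
        return "deny-domain"
    addr = ip_address(flow.dst_ip)
    if any(addr in net for net in policy.blocked_networks):
        return "deny-ip"
    if flow.bytes_out > policy.throttle_bytes:
        return "throttle"
    return "allow"


def apply_policy(policy: EgressPolicy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, evaluate(policy, f)) for f in flows]


def fallback_candidates(policy: EgressPolicy, flows: List[Flow],
                        baseline: Set[str]) -> Dict[str, List[str]]:
    """After a host's first denied C2 attempt, record every later destination
    that is not in the baseline of known-good destinations. These are the
    places to look for the adversary's secondary infrastructure."""
    blocked_at: Dict[str, int] = {}
    candidates: Dict[str, List[str]] = {}
    for flow in sorted(flows, key=lambda f: f.ts):
        verdict = evaluate(policy, flow)
        if verdict in ("deny-domain", "deny-ip"):
            blocked_at.setdefault(flow.src, flow.ts)   # first block wins
            continue
        if flow.src in blocked_at and flow.ts > blocked_at[flow.src]:
            label = flow.dst_name or flow.dst_ip
            dest = f"{label}:{flow.dport}"
            if label not in baseline and dest not in candidates.get(flow.src, []):
                candidates.setdefault(flow.src, []).append(dest)
    return candidates


# Constructed policy: 53/80/443 out only, SMB denied, one C2 domain and one
# C2 /24 blocked, transfers over 100 MiB throttled.
POLICY = EgressPolicy(
    allowed_ports={53, 80, 443},
    blocked_ports={445},
    blocked_domains={"c2.bad.example"},
    blocked_networks=[ip_network("198.51.100.0/24")],
    throttle_bytes=100 * 1024 * 1024,
)
BASELINE = {"updates.corp.example", "203.0.113.10"}   # constructed known-good destinations

# Constructed flow records from two internal hosts.
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.5", "203.0.113.10", 443, 4096, "updates.corp.example"),
    Flow(110, "10.0.0.5", "198.51.100.7", 443, 512, "c2.bad.example"),        # primary C2
    Flow(120, "10.0.0.5", "192.0.2.44", 8443, 512),                          # non-standard port
    Flow(130, "10.0.0.5", "192.0.2.44", 443, 512, "cdn-fallback.example"),   # new destination
    Flow(140, "10.0.0.5", "192.0.2.44", 443, 300 * 1024 * 1024, "cdn-fallback.example"),
    Flow(150, "10.0.0.9", "192.0.2.80", 445, 2048),                          # outbound SMB
    Flow(160, "10.0.0.9", "203.0.113.10", 443, 1024, "updates.corp.example"),
]

if __name__ == "__main__":
    for flow, verdict in apply_policy(POLICY, SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst_name or flow.dst_ip}:{flow.dport} {verdict}")
    print("fallback candidates:", fallback_candidates(POLICY, SAMPLE_FLOWS, BASELINE))
```

The verdict list is what a firewall or proxy would enforce; the candidate list is the intelligence the manipulation is meant to produce. Note that the denied attempt on 8443 still counts as a candidate, because the adversary trying a new port after losing its primary channel is exactly the behaviour change the defender is hoping to provoke and observe.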

Details
ID: EAC0016
Type: Engagement
Goals: Affect
Approaches: Prevention, Direction, Disruption

Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Network Manipulation.

ATT&CK® Tactics: Reconnaissance, Command and Control, Collection, Exfiltration, Discovery, Impact, Credential Access, Initial Access, Lateral Movement, Defense Evasion
Adversary Vulnerability Presented: When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc.

ATT&CK® Tactics: Exfiltration, Command and Control
Adversary Vulnerability Presented: When adversaries exfiltrate data, their data are vulnerable to observation or manipulation via Man-in-the-Middle activities.

ATT&CK® Tactics: Execution, Command and Control
Adversary Vulnerability Presented: When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable.

ATT&CK® Tactics: Command and Control
Adversary Vulnerability Presented: When adversaries use easily identifiable techniques or generate signaturable patterns in data or traffic, they are vulnerable to detection of their activity.

ATT&CK® Tactics: Command and Control
Adversary Vulnerability Presented: When adversaries attempt to exfiltrate, manipulate, or move massive data objects, they are vulnerable to wasting resources to accomplish the task.

ATT&CK® Tactics: Lateral Movement
Adversary Vulnerability Presented: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.