We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Security Controls

Alter security controls to make the system more or less vulnerable to attack.

Manipulating Security Controls involves making configuration changes to a system's security settings including modifying Group Policies, disabling/enabling autorun for removable media, tightening or relaxing system firewalls, etc. Such security controls can be tightened to dissuade or prevent adversary activity. Conversely, security controls can be weakened or left overly permissive to encourage or enable adversary activity.

Tightening security controls can typically be done by implementing any of the mitigations described in MITRE ATT&CK. See https://attack.mitre.org/mitigations/enterprise/ for a full list of mitigation strategies. While loosening security controls may seem obvious (i.e., simply don't employ a given mitigation strategy), there is an additional level of nuance that must be considered. Some security controls are considered so routine that their absence may be suspicious.

For example, completely turning off Windows Defender would likely raise the adversary's suspicion. However, it is possible to turn off Windows Defender on certain shared drives to encourage adversary activity in predetermined locations. Therefore, it will likely be far less suspicious to turn off Windows Defender in a single directory or share. When assessing the likelihood that removing a given security control is overly suspicious, it is important to consider how prevalent that security control is, the target adversary's sophistication, and the deception story.
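As an added example (not code from the MITRE Engage page), the following PowerShell scopes a Windows Defender exclusion to a single decoy share rather than disabling Defender host-wide, checks that the exclusion is no broader than intended, and pairs the weakened control with file-system auditing so that interaction with the share is logged. The decoy path is a placeholder; the commands assume an elevated session on the host that exposes the share.

```powershell
# Added example, not from the MITRE Engage page. Scope a weakened control to one
# decoy share and compensate with detection. $DecoyPath is a placeholder.
$DecoyPath = 'D:\Shares\FinanceArchive'

# 1. Keep the host-wide control intact: real-time protection must stay enabled,
#    since turning Defender off entirely is the suspicious case the page warns about.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) {
    throw 'Real-time monitoring is disabled host-wide; scope the deception to the decoy share instead.'
}

# 2. Weaken the control only inside the decoy location.
Add-MpPreference -ExclusionPath $DecoyPath

# 3. Verify the exclusion applied and that no drive-root (overly broad) exclusions exist.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -notcontains $DecoyPath) { throw 'Exclusion was not applied.' }
$broad = $exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' }
if ($broad) { Write-Warning "Overly broad exclusions present: $($broad -join ', ')" }

# 4. Compensate for the weakened control with an audit SACL on the decoy folder so
#    that any access produces Security event 4663 (object access) for the SOC.
$acl  = Get-Acl -Path $DecoyPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $DecoyPath -AclObject $acl

# 5. The SACL only produces events once the File System audit subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

Reviewing `Get-MpPreference` output after the change gives a quick check that the exclusion list still matches the deception story and has not grown beyond the decoy path.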

Details
ID: EAC0018
Type: Engagement
Goals: Affect
Approaches: Prevention, Direction
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Security Controls.

ATT&CK® Tactics: Defense Evasion, Persistence, Execution, Command and Control, Privilege Escalation, Lateral Movement, Credential Access, Initial Access
Adversary Vulnerability Presented: When adversaries rely on particular resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable.

ATT&CK® Tactics: Defense Evasion, Privilege Escalation, Impact, Persistence, Credential Access, Execution, Collection, Lateral Movement, Discovery, Initial Access
Adversary Vulnerability Presented: When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource.

ATT&CK® Tactics: Exfiltration, Defense Evasion
Adversary Vulnerability Presented: When adversaries discover inaccessible, but valuable, data, they are vulnerable to wasting resources or revealing additional capabilities in an effort to access the content.

ATT&CK® Tactics: Execution, Privilege Escalation
Adversary Vulnerability Presented: When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.

ATT&CK® Tactics: Privilege Escalation
Adversary Vulnerability Presented: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

ATT&CK® Tactics: Credential Access
Adversary Vulnerability Presented: When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc.