Alter security controls to make the system more or less vulnerable to attack.
Manipulating Security Controls involves making configuration changes to a system's security settings including modifying Group Policies, disabling/enabling autorun for removable media, tightening or relaxing system firewalls, etc. Such security controls can be tightened to dissuade or prevent adversary activity. Conversely, security controls can be weakened or left overly permissive to encourage or enable adversary activity.
Tightening security controls can typically be done by implementing any of the mitigations described in MITRE ATT&CK. See https://attack.mitre.org/mitigations/enterprise/ for a full list of mitigation strategies. While loosening security controls may seem obvious (i.e., simply don't employ a given mitigation strategy), there is an additional level of nuance that must be considered. Some security controls are considered so routine that their absence may be suspicious.
For example, completely turning off Windows Defender would likely raise the adversary's suspicion. However, it is possible to turn off Windows Defender in certain shared drives to encourage adversary activity in predetermined locations. Therefore, it will likely be far less suspicious to turn off Windows Defender in a single directory or share. When assessing the likelihood that removing a given security control is overly suspicious, it is important to consider how prevalent that security control is, the target adversary's sophistication, and the deception story.
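The scoped approach described above, as an added example that is not part of the original MITRE Engage page: instead of disabling Microsoft Defender host-wide, the relaxed control is confined to one decoy share, verified to be no broader than intended, and paired with file-system auditing so any interaction with the decoy is recorded. The decoy path and share name are placeholders, and the script assumes it is run elevated on a Windows host with Defender Antivirus.

```powershell
# Added example (not from the original page): weaken a control only on a
# decoy share and add auditing so use of the decoy surfaces as Security
# event 4663. Placeholder path/share name; run elevated on Windows.

$DecoyPath = 'C:\Shares\FinanceArchive'   # placeholder decoy directory
$ShareName = 'FinanceArchive'             # placeholder share name

# 0. Make sure file-system object access auditing is on, or step 4 logs nothing.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 1. Create the decoy directory and expose it as an SMB share.
New-Item -ItemType Directory -Path $DecoyPath -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $DecoyPath -FullAccess 'Everyone' | Out-Null
}

# 2. Relax Defender for this path only: a per-path exclusion, not a global
#    disable, so baseline protection elsewhere on the host looks unchanged.
Add-MpPreference -ExclusionPath $DecoyPath

# 3. Verify the exclusion is scoped to exactly the decoy and nothing broader.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -notcontains $DecoyPath) {
    throw "Exclusion for $DecoyPath was not applied"
}
if ($exclusions -contains 'C:\') {
    throw 'A drive-wide exclusion is present; narrow it before proceeding'
}

# 4. Compensate for the weakened control: audit reads, writes and deletes
#    on the decoy tree so every touch is logged rather than silently allowed.
$acl  = Get-Acl -Path $DecoyPath
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData,WriteData,Delete',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $DecoyPath -AclObject $acl

# 5. Record the resulting state for the deception runbook.
[pscustomobject]@{
    DecoyPath        = $DecoyPath
    DefenderExcluded = ($exclusions -contains $DecoyPath)
    AuditRuleCount   = (Get-Acl -Path $DecoyPath -Audit).Audit.Count
}
```

The audit rule only produces events once the "File System" audit subcategory is enabled, which is why step 0 runs before the SACL is applied.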
| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Collection, Defense Evasion, Execution, Privilege Escalation, Lateral Movement, Persistence, Credential Access, Discovery, Initial Access, Impact | When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment, they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource. |
| Command and Control, Defense Evasion, Execution, Privilege Escalation, Lateral Movement, Initial Access, Persistence, Credential Access | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. |
| Exfiltration, Defense Evasion | When adversaries discover inaccessible but valuable data, they are vulnerable to wasting resources or revealing additional capabilities in an effort to access the content. |
| Execution, Privilege Escalation | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation. |
| Credential Access | When adversaries move data across the network or interact with remote resources, they are vulnerable to network manipulations such as impacts to network availability, traffic filtering, degraded speeds, etc. |
| Privilege Escalation | When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time. |