Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity.
For example, the defender can watch for an adversary to make changes in the environment and then revert the environment with the goal of either forcing the adversary to target elsewhere in the network or to display a new, possibly more advanced TTP. The baseline values will also be crucial post-operation when analyzing changes to the environment over time.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Defense Evasion, Privilege Escalation, Persistence||When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.|
|Defense Evasion, Impact||When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.|
|Impact||When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.|
|Impact||When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.|