We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Baseline

Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.

To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity.

For example, the defender can watch for an adversary to make changes in the environment and then revert the environment, with the goal of forcing the adversary either to target elsewhere in the network or to reveal a new, possibly more advanced TTP. The baseline values will also be crucial post-operation when analyzing changes to the environment over time.
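As an added illustration (not MITRE Engage's own tooling or part of this page), the routine below captures a baseline of critical files as hashes plus golden copies, reports drift against the running state, and resets drifted or deleted elements from the golden copies; the sample paths, file contents and the simulated change are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def take_baseline(critical: list, store: Path) -> dict:
    """Hash each critical element and keep a golden copy of it under `store`."""
    store.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for p in critical:
        data = Path(p).read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        (store / digest).write_bytes(data)  # content-addressed golden copy
        baseline[str(p)] = digest
    return baseline

def check_drift(baseline: dict) -> dict:
    """Compare the running state to the baseline: {path: (expected, observed)}."""
    drift = {}
    for path, expected in baseline.items():
        p = Path(path)
        observed = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
        if observed != expected:  # modified, or deleted (observed is None)
            drift[path] = (expected, observed)
    return drift

def reset_to_baseline(baseline: dict, store: Path) -> list:
    """Revert every drifted element from its golden copy; returns reverted paths."""
    reverted = []
    for path, (expected, _) in sorted(check_drift(baseline).items()):
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(store / expected, path)
        reverted.append(path)
    return reverted

def demo() -> dict:
    """Constructed scenario in a temp dir: one file edited, one deleted, then reset."""
    root = Path(tempfile.mkdtemp())
    cfg, script = root / "etc" / "service.conf", root / "bin" / "startup.sh"
    for d in (cfg.parent, script.parent):
        d.mkdir()
    cfg.write_text("ExecStart=/usr/bin/service\n")  # assumed baseline content
    script.write_text("#!/bin/sh\nexec /usr/bin/service\n")
    baseline = take_baseline([cfg, script], root / "golden")
    cfg.write_text(cfg.read_text() + "ExecStartPost=/opt/unexpected\n")  # simulated change
    script.unlink()  # simulated removal
    drift = check_drift(baseline)
    reverted = reset_to_baseline(baseline, root / "golden")
    return {"drifted": sorted(drift), "reverted": reverted,
            "deleted_seen_as": drift[str(script)][1], "clean": check_drift(baseline) == {}}
```

The post-operation comparison the text mentions is the same `check_drift` call run against a baseline saved before the engagement.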

Details
ID: EAC0019
Type: Engagement
Goals: Affect
Approaches: Prevention
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Baseline.

ATT&CK® Tactics                                    | Adversary Vulnerability Presented
Privilege Escalation, Persistence, Defense Evasion | When adversaries rely on particular resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable.
Impact                                             | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.
Impact, Defense Evasion                            | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Impact                                             | When the adversary's malware is detonated, they may be encouraged to operate in an unintended environment.