Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity.
For example, the defender can watch for an adversary to make changes in the environment and then revert the environment with the goal of either forcing the adversary to target elsewhere in the network or to display a new, possibly more advanced TTP. The baseline values will also be crucial post-operation when analyzing changes to the environment over time.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Privilege Escalation, Persistence, Defense Evasion||When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resources is disabled, removed, or otherwise made invulnerable.|
|Impact||When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation|
|Impact, Defense Evasion||When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior|
|Impact||When the adversary's malware is detonated they may be encouraged to operate in an unintended environment.|