We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Baseline

Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.

To determine the system Baseline, the defender must identify software and configuration elements that are critical to a set of objectives. The defender must define the proper values and be prepared to reset a running system to its intended state. Reverting to a Baseline configuration can be essential when restoring an operational environment to a safe state or when looking to impose a cost on adversaries by preventing their activity.

For example, the defender can watch for an adversary to make changes in the environment and then revert the environment with the goal of either forcing the adversary to target elsewhere in the network or to display a new, possibly more advanced TTP. The baseline values will also be crucial post-operation when analyzing changes to the environment over time.
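The capture-detect-reset cycle described above, as an added example that is not part of the MITRE Engage page: a small Python tool that records the intended value and hash of a set of key system elements, compares the running state against that record, resets any drifted element to its baseline value, and keeps a history of what was observed for post-operation analysis. The monitored paths and file contents are constructed for the demo; a real baseline would cover whichever elements are critical to the engagement objectives.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample of "key system elements": a service config and a cron job.
# Paths and contents are illustrative, not taken from any real system.
BASELINE_ELEMENTS = {
    "etc/sshd.conf": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def capture_baseline(root: Path) -> Dict[str, dict]:
    """Record the intended content and hash of each key element under root."""
    baseline = {}
    for rel in BASELINE_ELEMENTS:
        content = (root / rel).read_text()
        baseline[rel] = {"content": content, "sha256": sha256_text(content)}
    return baseline


def detect_drift(root: Path, baseline: Dict[str, dict]) -> Dict[str, str]:
    """Compare the running system against the baseline; return {element: reason}."""
    drift = {}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            drift[rel] = "missing"
        elif sha256_text(path.read_text()) != expected["sha256"]:
            drift[rel] = "modified"
    return drift


def reset_to_baseline(root: Path, baseline: Dict[str, dict],
                      drift: Dict[str, str], history: List[dict]) -> List[str]:
    """Restore each drifted element and log the observed state for later analysis."""
    restored = []
    for rel, reason in drift.items():
        path = root / rel
        observed = path.read_text() if path.exists() else None
        history.append({"element": rel, "reason": reason, "observed": observed})
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(baseline[rel]["content"])
        restored.append(rel)
    return restored


def run_demo() -> dict:
    """Build a throwaway tree, simulate tampering, detect it, and reset."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in BASELINE_ELEMENTS.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        baseline = capture_baseline(root)

        # Constructed tampering: a weakened login setting and a deleted cron job.
        (root / "etc/sshd.conf").write_text(
            "PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "etc/cron.d/backup").unlink()

        history: List[dict] = []
        drift_before = detect_drift(root, baseline)
        restored = reset_to_baseline(root, baseline, drift_before, history)
        drift_after = detect_drift(root, baseline)
        return {"drift_before": drift_before, "restored": restored,
                "drift_after": drift_after, "history": history}


if __name__ == "__main__":
    result = run_demo()
    for event in result["history"]:
        print(f"{event['element']}: {event['reason']}")
    print("drift after reset:", result["drift_after"])
```

The history list is what makes the post-operation analysis possible: each reset records which element changed, how, and what the adversary left behind, so changes can be compared across the life of the engagement rather than silently overwritten.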

Details
ID: EAC0019
Type: Engagement
Goals: Affect
Approaches: Prevention
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Baseline.

ATT&CK® Tactics                                    | Adversary Vulnerability Presented
Defense Evasion, Privilege Escalation, Persistence | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.
Defense Evasion, Impact                            | When adversaries interact with network or system resources, they are vulnerable to triggering tripwires or engaging in easily detectable, anomalous behavior.
Impact                                             | When adversaries' malware is detonated, they may be encouraged to operate in an unintended environment.
Impact                                             | When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.