We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Isolation

Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.

Using Isolation, a defender can limit the effectiveness and scope of malicious activity and/or lower exposure to unintended risks. When a system or resource is isolated, a defender can observe adversary behaviors or tools without allowing lateral movement. For example, a defender may detonate a piece of malware on an isolated system to perform dynamic analysis without risk to other network resources.
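The detonation scenario above only works if the boundary around the isolated system actually holds, so the practical check a defender wants is a way to confirm that the segment's egress policy denies every path back into production before a sample is run. The following example, added here and not part of the MITRE Engage page, models that check in Python: a first-match allow/deny policy for an assumed isolated segment (10.66.0.0/24) that permits traffic only to a DNS sinkhole and a telemetry collector, and a set of constructed flows that a detonated sample might attempt. All addresses, ports, host roles and rule names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed example: network roles for an isolated detonation segment.
# These addresses and roles are assumptions, not values from MITRE Engage.
ISOLATED_SEGMENT = ipaddress.ip_network("10.66.0.0/24")
DNS_SINKHOLE = ipaddress.ip_address("10.66.0.251")       # answers all lookups locally
CAPTURE_COLLECTOR = ipaddress.ip_address("10.66.0.250")  # receives sensor telemetry
CORPORATE = ipaddress.ip_network("10.0.0.0/8")           # the production network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))


def host(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Single-host network for a rule destination."""
    return ipaddress.ip_network(f"{ip}/32")


# Isolation policy: only the sinkhole and the collector are reachable from the
# segment; the corporate network and the internet are dropped explicitly.
ISOLATION_POLICY: List[Rule] = [
    Rule("allow", ISOLATED_SEGMENT, host(DNS_SINKHOLE), "udp", 53, "DNS to sinkhole only"),
    Rule("allow", ISOLATED_SEGMENT, host(CAPTURE_COLLECTOR), "tcp", 6514, "sensor telemetry (syslog/TLS)"),
    Rule("deny", ISOLATED_SEGMENT, CORPORATE, note="no lateral movement into production"),
    Rule("deny", ISOLATED_SEGMENT, ANY, note="default deny: no internet egress"),
]

# A leaky variant: a broad "temporary" allow placed ahead of the denies, which
# is the usual way an isolation boundary stops being one.
LEAKY_POLICY: List[Rule] = [
    Rule("allow", ISOLATED_SEGMENT, ANY, note="temporary debugging rule")
] + ISOLATION_POLICY


def evaluate(policy: Iterable[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow no rule matches is denied (fail closed)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed flows from the sandbox host 10.66.0.10, paired with the verdict
# the isolation boundary must produce for each of them.
EXPECTED = {
    Flow("10.66.0.10", "10.66.0.251", "udp", 53): "allow",     # sinkholed lookup
    Flow("10.66.0.10", "10.66.0.250", "tcp", 6514): "allow",   # telemetry out
    Flow("10.66.0.10", "10.0.5.20", "tcp", 445): "deny",       # SMB toward a file server
    Flow("10.66.0.10", "10.0.1.5", "tcp", 389): "deny",        # LDAP toward a domain controller
    Flow("10.66.0.10", "203.0.113.7", "tcp", 443): "deny",     # outbound HTTPS callback
    Flow("10.66.0.10", "8.8.8.8", "udp", 53): "deny",          # DNS that bypasses the sinkhole
}


def verify_isolation(policy: Iterable[Rule], expected=EXPECTED) -> List[str]:
    """Return a description of every flow whose verdict differs from the required one."""
    violations = []
    for flow, want in expected.items():
        got = evaluate(policy, flow)
        if got != want:
            violations.append(f"{flow.src}->{flow.dst} {flow.proto}/{flow.dport}: got {got}, want {want}")
    return violations


if __name__ == "__main__":
    for name, policy in (("isolation policy", ISOLATION_POLICY), ("leaky policy", LEAKY_POLICY)):
        problems = verify_isolation(policy)
        print(name + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Running the block prints no violations for the isolation policy and four for the leaky one, all of them flows that would have left the segment. The evaluator fails closed on purpose: a flow that matches no rule, such as anything originating outside the segment, is denied, so adding hosts to the sandbox never widens reachability by accident.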

Determining which systems should be isolated in an operation is a critical decision when calculating acceptable operational risk. However, if the adversary expects to find an entire corporate network but instead finds only an isolated system, they may not be interested in engaging with the target. Balancing acceptable risk, believability, and operational goals is essential when determining if or when a system should be isolated.

Details
ID: EAC0020
Type: Engagement
Goals: Affect
Approaches: Prevention, Disruption
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Isolation.

ATT&CK® Tactics | Adversary Vulnerability Presented
Initial Access, Command and Control | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network.
Command and Control | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable.
Initial Access | When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network.
Execution | When adversaries' malware is detonated, they may be encouraged to operate in an unintended environment.