Configure devices, systems, networks, etc. to contain activity and data, thus preventing the expansion of an engagement beyond desired limits.
Using Isolation, a defender can limit the effectiveness and scope of malicious activity and/or lower exposure to unintended risks. When a system or resource is isolated, a defender can observe adversary behaviors or tools without allowing lateral movement. For example, a defender may detonate a piece of malware on an isolated system to perform dynamic analysis without risk to other network resources.
Determining which systems should be isolated in an operation is a critical decision when calculating acceptable operational risk. However, if the adversary expects to find an entire corporate network but instead finds only an isolated system, they may not be interested in engaging with the target. Balancing acceptable risk, believability, and operational goals is essential when determining if or when a system should be isolated.
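One practical way to verify that an isolated detonation host actually stayed contained is to audit its observed flows against the containment policy. The following is an added illustration, not part of the Engage page: the addresses, the sinkhole services on the analysis segment, the corporate range, and the flow-record format are all assumptions, and the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Containment policy for the isolated detonation host (assumed values). The host may
# reach only the instrumented sinkholes; any other destination means isolation failed.
ISOLATED_HOST = ipaddress.ip_address("192.168.250.10")
ANALYSIS_NET = ipaddress.ip_network("192.168.250.0/24")
CORP_NET = ipaddress.ip_network("10.0.0.0/8")          # production network
ALLOWED = [                                             # (dest net, proto, port)
    (ipaddress.ip_network("192.168.250.2/32"), "udp", 53),   # fake DNS sinkhole
    (ipaddress.ip_network("192.168.250.3/32"), "tcp", 80),   # fake HTTP sinkhole
    (ipaddress.ip_network("192.168.250.3/32"), "tcp", 443),  # fake HTTPS sinkhole
]

@dataclass
class Verdict:
    line: str
    contained: bool
    reason: str

def parse_flow(line):
    """Parse a 'src dst proto dport' record as a flow exporter might emit it."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def check_flow(line):
    """Decide whether one flow stayed inside the containment policy."""
    src, dst, proto, dport = parse_flow(line)
    if src != ISOLATED_HOST:
        return Verdict(line, True, "not originated by the isolated host")
    if any(dst in net and proto == p and dport == port for net, p, port in ALLOWED):
        return Verdict(line, True, "permitted sinkhole service")
    if dst in CORP_NET:
        return Verdict(line, False, "breach: reached production network (lateral movement)")
    if dst in ANALYSIS_NET:
        return Verdict(line, False, "breach: unexpected host on analysis segment")
    return Verdict(line, False, "breach: egress outside the enclave")

def audit(lines):
    """Return only the flows that violate the policy, in log order."""
    return [v for v in map(check_flow, lines) if not v.contained]

# Constructed flow records from a detonation run (not real traffic).
SAMPLE_FLOWS = [
    "192.168.250.10 192.168.250.2 udp 53",
    "192.168.250.10 192.168.250.3 tcp 443",
    "192.168.250.10 10.20.5.7 tcp 445",
    "192.168.250.10 203.0.113.9 tcp 8443",
]
```

Running `audit(SAMPLE_FLOWS)` over the constructed records flags the two flows that left the enclave, which is the signal that the isolation boundary, not just the analysis, needs attention.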
| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Initial Access, Command and Control | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. |
| Command and Control | When adversaries rely on specific resources to be enabled, accessible, and/or vulnerable, they are vulnerable to their operations being disrupted if the resources are disabled, removed, or otherwise made invulnerable. |
| Initial Access | When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. |
| Execution | When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment. |