We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

Migrate Attack Vector

Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.

When a defender Migrates an Attack Vector, the defender intercepts a malicious element and moves it to a safe environment, such as a decoy system within a decoy network, for continued engagement or analysis. A defender may choose to migrate attack vectors, which may appear in the form of phishing emails, suspicious email attachments, or malicious USBs. For example, a defender might move a suspicious attachment from a corporate inbox to an inbox on a system that, while in the corporate IP space, is completely segmented from the enterprise network. This segregated environment will allow the adversary to move laterally throughout the environment without risk to enterprise resources.

Determining when an engagement should be moved to an engagement environment is a critical decision when calculating acceptable operational risk. However, if the adversary sent a custom malware sample to a phishing victim but ultimately finds themselves on an unrelated victim, they may become suspicious. Balancing acceptable risk, believability, and operational goals is essential when determining if or when to migrate an attack vector.
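The inbox-to-inbox move described above, as an added sketch that is not part of MITRE Engage: it relocates flagged messages from a corporate mbox file to a decoy mbox file and records attachment hashes for tracking. The mbox storage, the `flag_macro_docs` triage rule, the addresses and the sample payload are all assumptions constructed for illustration.

```python
import hashlib
import mailbox
from email.message import EmailMessage

# Constructed sample payload; stands in for a suspicious attachment.
SAMPLE_PAYLOAD = b"constructed-sample-not-real-malware"

def flag_macro_docs(filename, data):
    """Hypothetical triage rule: treat macro-enabled Office files as suspicious."""
    return filename.lower().endswith((".docm", ".xlsm"))

def migrate_suspicious(corp_path, decoy_path, is_suspicious):
    """Move flagged messages from the corporate mbox to the decoy mbox.
    Returns one custody record per migrated message."""
    corp, decoy = mailbox.mbox(corp_path), mailbox.mbox(decoy_path)
    custody = []
    try:
        corp.lock()
        decoy.lock()
        for key in list(corp.keys()):
            msg = corp[key]
            hits = []
            for part in msg.walk():
                name = part.get_filename()
                if name is None:
                    continue  # not an attachment
                data = part.get_payload(decode=True) or b""
                if is_suspicious(name, data):
                    hits.append((name, hashlib.sha256(data).hexdigest()))
            if hits:
                # Headers are carried over unchanged, so the decoy inbox still
                # shows the recipient the sender addressed.
                decoy.add(msg)
                corp.remove(key)
                custody.append({"message_id": msg["Message-ID"],
                                "to": msg["To"], "attachments": hits})
    finally:
        decoy.close()  # flush the decoy copy first, then commit the removal
        corp.close()
    return custody

def build_sample_inbox(path):
    """Write a constructed two-message corporate inbox for the demo."""
    box = mailbox.mbox(path)
    for mid, subject, attach in (("<a1@external.example>", "Lunch?", None),
                                 ("<a2@external.example>", "Overdue invoice", "invoice.docm")):
        m = EmailMessage()
        m["From"], m["To"] = "sender@external.example", "victim@corp.example"
        m["Subject"], m["Message-ID"] = subject, mid
        m.set_content("See attached." if attach else "Noon works.")
        if attach:
            m.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                             subtype="octet-stream", filename=attach)
        box.add(m)
    box.close()
```

The decoy mailbox is closed before the corporate one, so an interruption leaves a duplicate in the corporate inbox and never a lost message.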

ID: EAC0021
Type: Engagement
Goals: Affect
Approaches: Direction
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Migrate Attack Vector.

| ATT&CK® Tactics | Adversary Vulnerability Presented |
| --- | --- |
| Command and Control, Initial Access | When adversaries use hardware peripherals, they must rely on physical access or have limited control over when and where hardware additions are connected in the target network. |
| Persistence, Command and Control | When adversaries rely on particular resources to be enabled, accessible and/or vulnerable, they are vulnerable to their operations being disrupted if the resource is disabled, removed, or otherwise made invulnerable. |
| Initial Access | When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated or from where a link is clicked. |
| Initial Access | When adversaries manipulate supply chain mechanisms prior to receipt by a final consumer, they forfeit control over when and where the product is connected in the target network. |
| Execution | When the adversary's malware is detonated, they may be encouraged to operate in an unintended environment. |