Establish or maintain awareness in regard to adversary activity.
Detection focuses on the defender's ability to monitor adversary activity throughout an environment, often by creating high-fidelity detections. These detections can be produced in several ways. For example, a defender can deploy decoy artifacts as tripwires in the environment. The defender may create custom alerts based on TTPs or IOCs observed during a malware detonation operation. Finally, the defender may write customer decoders to analyze and alert on malicious traffic.
In all these cases, detection activities allow the defender to produce a high-fidelity alert to monitor adversary activities. Often Detection activities are also good cybersecurity practices. However, in Engage, these activities will focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender’s ability to Expose the adversary.
|Decoy Artifacts and Systems||Introduce impersonations to expand the scope of a deceptive story.||EAC0005|
|Detonate Malware||Execute malware under controlled conditions to analyze its functionality.||EAC0013|
|Network Analysis||Analyze network traffic to gain intelligence on communications between systems.||EAC0004|