Engage Goals: EGO0002 Affect
Engage Approach: EAP0005 Disrupt
Engage Actions: EAC0007 Network Diversity, EAC0016 Network Manipulation
Name of Element: Dynamically Changing Network Configuration
Description of Element:
Implement a system that dynamically alters network configurations, such as IP addresses, DNS server settings, or routing tables, in response to detected attacker activity. This can be used to confuse attackers, disrupt their reconnaissance efforts, or redirect them to decoy systems.
Technical Context:
Placement: Integrated within the operating system’s networking stack or implemented as a user-mode service.
Utilize the GetAdaptersAddresses and SetAdaptersAddresses functions to dynamically change IP addresses and DNS server settings. Employ the CreateIpForwardEntry and DeleteIpForwardEntry functions to manipulate routing tables. Implement a mechanism to detect attacker activity, such as monitoring firewall logs or analyzing network traffic patterns. Trigger configuration changes based on predefined rules or heuristics.
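An added example (not part of the original entry) of the detect-then-trigger step described above: it parses firewall log lines, flags a source whose dropped connections touch many distinct ports on one host within a short window (T1046-style scanning), and emits a change request for the service that applies the reconfiguration. The log sample, the thresholds, the `route_to_decoy` action name and the decoy address are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the Windows Firewall pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:00 DROP TCP 10.0.5.23 10.0.1.10 40001 21 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:00:01 ALLOW TCP 10.0.2.7 10.0.1.10 50110 443 60 S 0 0 64240 - - - RECEIVE
2024-05-01 10:00:01 DROP TCP 10.0.5.23 10.0.1.10 40002 22 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 10.0.5.23 10.0.1.10 40003 23 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 10.0.2.7 10.0.1.10 50111 3389 60 S 0 0 64240 - - - RECEIVE
2024-05-01 10:00:03 DROP TCP 10.0.5.23 10.0.1.10 40004 80 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:00:04 DROP TCP 10.0.5.23 10.0.1.10 40005 445 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:00:05 DROP ICMP 10.0.9.9 10.0.1.10 - - 60 - - - - 8 0 - RECEIVE
2024-05-01 10:05:00 DROP TCP 10.0.9.9 10.0.1.10 41000 22 60 S 0 0 1024 - - - RECEIVE
2024-05-01 10:10:00 DROP TCP 10.0.9.9 10.0.1.10 41001 23 60 S 0 0 1024 - - - RECEIVE
"""

def detect_scanners(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Return {src_ip: time the threshold was crossed} for sources whose dropped
    connections hit >= min_ports distinct ports on one host within the window.
    Assumes the log is in chronological order, as the firewall writes it."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dst_port)
    flagged = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and header comments
        f = line.split()
        # Only dropped packets with a numeric destination port (ICMP has "-").
        if len(f) < 8 or f[2] != "DROP" or not f[7].isdigit():
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        src, dst, port = f[4], f[5], int(f[7])
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= min_ports:
            flagged[src] = ts
    return flagged

def plan_response(flagged, decoy_ip="10.0.99.5"):  # decoy address is hypothetical
    """Turn detections into change requests; applying them to routing or adapter
    settings is left to the privileged service and is not shown here."""
    return [{"source": src, "detected": ts.isoformat(),
             "action": "route_to_decoy", "decoy": decoy_ip}
            for src, ts in sorted(flagged.items())]
```

Keeping detection separate from the code that changes network settings lets the rules be tested against recorded logs before any live configuration is touched.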
Other:
ATT&CK/Engage Mapping: T1046 Network Service Scanning, E1505 Decoy Network