From 805b19e65d169934035dc0a951294fbd65fc57d3 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Fri, 16 Aug 2024 14:48:57 +0200
Subject: [PATCH 1/6] Created taxo for MITRE Engage
Created taxo for MITRE Engage
---
 Engage/machinetag.json | 89 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 Engage/machinetag.json
diff --git a/Engage/machinetag.json b/Engage/machinetag.json
new file mode 100644
index 0000000..3d1a5e3
--- /dev/null
+++ b/Engage/machinetag.json
@@ -0,0 +1,89 @@
+{
+ "name": "Engage",
+ "description": "MITRE Engage Framework Taxonomy: A structured approach to influence and understand adversary behavior through proactive defense strategies.",
+ "version": 1,
+ "author": "DCG420",
+ "values": [
+ {
+ "value": "approach",
+ "expanded": "Engage Approach",
+ "description": "The overarching strategies used in the Engage framework to influence adversary behavior and enhance defense postures.",
+ "children": [
+ {
+ "value": "engage_defend",
+ "expanded": "Engage Defend",
+ "description": "Strategies and tactics focused on reinforcing the security posture to make it harder for adversaries to achieve their objectives. This includes hardening defenses, improving access controls, and deploying advanced threat detection systems. Example: Implementing multi-factor authentication across critical systems to prevent unauthorized access."
+ },
+ {
+ "value": "engage_disrupt",
+ "expanded": "Engage Disrupt",
+ "description": "Actions aimed at interrupting or hindering adversary activities. This might involve disrupting communication channels, corrupting adversary data, or creating uncertainty in their operational environment. Example: Injecting false data into adversary's command and control (C2) channels to cause operational confusion."
+ },
+ {
+ "value": "engage_detect",
+ "expanded": "Engage Detect",
+ "description": "Methods to improve the visibility and detection of adversary actions within the network. This includes deploying sensors, enhancing monitoring, and using behavioral analytics to detect unusual activities. Example: Utilizing machine learning models to detect deviations from normal user behavior indicating potential insider threats."
+ },
+ {
+ "value": "engage_deceive",
+ "expanded": "Engage Deceive",
+ "description": "Techniques designed to mislead, confuse, or provide false information to adversaries, causing them to make poor decisions. This may include honeypots, decoy systems, or false narratives. 
Example: Deploying decoy systems that mimic critical infrastructure to lure attackers away from real assets."
+ }
+ ]
+ },
+ {
+ "value": "goals",
+ "expanded": "Engage Goals",
+ "description": "The desired outcomes of employing Engage approaches, focused on reducing risks, understanding adversaries, and protecting assets.",
+ "children": [
+ {
+ "value": "reduce_risk",
+ "expanded": "Reduce Risk",
+ "description": "Minimize the likelihood and impact of successful adversary actions by proactively managing vulnerabilities and threats. Example: Regularly updating and patching software to close known vulnerabilities that adversaries could exploit."
+ },
+ {
+ "value": "increase_cost",
+ "expanded": "Increase Adversary's Cost",
+ "description": "Raise the resources (time, money, effort) adversaries must expend to achieve their objectives, thereby deterring attacks. Example: Implementing layered defenses that require adversaries to breach multiple barriers, increasing their operational complexity and cost."
+ },
+ {
+ "value": "reduce_impact",
+ "expanded": "Reduce Impact",
+ "description": "Limit the damage or disruption caused by successful adversary actions through resilient design and rapid response. Example: Designing critical systems with redundancy to ensure continuous operation even if one component is compromised."
+ },
+ {
+ "value": "understand_adversary",
+ "expanded": "Understand Adversary",
+ "description": "Gain insights into the tactics, techniques, procedures (TTPs), and motivations of adversaries to inform better defense strategies. Example: Analyzing threat intelligence reports to identify patterns in adversary behavior and anticipate future attacks." 
+ }
+ ]
+ },
+ {
+ "value": "actions",
+ "expanded": "Engage Actions",
+ "description": "Specific activities undertaken to implement the Engage approaches, aimed at countering or exploiting adversary actions.",
+ "children": [
+ {
+ "value": "introduce_noise",
+ "expanded": "Introduce Noise",
+ "description": "Add misleading or irrelevant information into adversary operations to degrade their decision-making and operational efficiency. Example: Inserting fake credentials into the environment that adversaries might use, leading them to incorrect conclusions."
+ },
+ {
+ "value": "control_information",
+ "expanded": "Control Information",
+ "description": "Manage and manipulate the information that adversaries can access, shaping their perception and actions. Example: Using data masking techniques to protect sensitive information while allowing adversaries to access less critical data."
+ },
+ {
+ "value": "isolate_adversary",
+ "expanded": "Isolate Adversary",
+ "description": "Limit the adversary's ability to move laterally within the network or communicate with external command centers. Example: Segmenting networks to prevent adversaries from easily navigating between different systems and isolating compromised assets."
+ },
+ {
+ "value": "monitor_adversary",
+ "expanded": "Monitor Adversary",
+ "description": "Continuously observe adversary activities to gather intelligence and adapt defense strategies. Example: Using honeynets to attract adversaries and study their techniques in a controlled environment."
+ }
+ ]
+ }
+ ]
+}
From 8c59781e4a5e490c7ff53c00ab80064dac0a1f74 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Fri, 16 Aug 2024 15:24:15 +0200
Subject: [PATCH 2/6] Update GrayZone to version 3.1
Update GrayZone to version 3.1
---
 GrayZone/machinetag.json | 74 ++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 34 deletions(-)
diff --git a/GrayZone/machinetag.json b/GrayZone/machinetag.json
index 7fc0c56..ca03995 100644
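Review bot: The new Engage/machinetag.json does not follow the layout of the sibling GrayZone/machinetag.json shown later on this page, which keys the taxonomy by `"namespace"` and lists `"predicates"` with a per-predicate `"entry"` array; this file uses `"name"`, `"values"` and nested `"children"`, which a loader expecting the GrayZone shape would not pick up. If the repository validates every taxonomy against that one shape, the top level should be `"namespace": "Engage"` with the three groups (approach, goals, actions) as predicates and their children as entries. The rewrite in PATCH 3/6 keeps the same `name`/`values`/`children` shape, so this note applies to that hunk as well. The file is then deleted in PATCH 5/6, so the series' net effect on Engage is nothing and the Engage commits could be squashed away before merging.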
--- a/GrayZone/machinetag.json
+++ b/GrayZone/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "GrayZone",
 "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
- "version": 3,
+ "version": 3.1,
 "predicates": [
 {
 "value": "Adversary Emulation",
@@ -24,12 +24,8 @@
 "expanded": "Tarpits, Sandboxes and Honeypots"
 },
 {
- "value": "Threat Intelligence",
- "expanded": "Threat Intelligence"
- },
- {
- "value": "Threat Hunting",
- "expanded": "Threat Hunting"
+ "value": "Intelligence and Counterintelligence",
+ "expanded": "Intelligence and Counterintelligence"
 },
 {
 "value": "Adversary Takedowns",
@@ -126,11 +122,6 @@
 "value": "CounterDeception",
 "expanded": "Answer to deception",
 "description": "Answer to deception from adversary is counter-deception, for example: answer to phish with shadow user account to uncover next adversary actions"
- },
- {
- "value": "Counter-Deception",
- "expanded": "Active counterdeception",
- "description": "Answer to adversary deception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
 }
 ]
 },
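Review bot: `"version": 3.1` turns a field that was an integer into a float, and PATCH 6/6 on this page reverts it to 3, so the predicates and entries reworked in this commit end up shipping under the same version number as the previous content; a consumer that refreshes a taxonomy only when the version increases would keep the old one. The later revert suggests the taxonomy schema constrains version to an integer, so the right change here is `+ "version": 4,` rather than a fractional bump.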
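Review bot: Merging `"Threat Intelligence"` and `"Threat Hunting"` into one predicate removes threat hunting from the taxonomy entirely; the `@@ -155,37 +146,52 @@` hunk below drops the only `Threat Hunting` entry and the nine entries added under `Intelligence and Counterintelligence` cover intel collection and counterintelligence but not searching one's own environment for signs of an adversary. Anything already tagged with the old predicate would no longer resolve to a definition. Consider keeping a hunting entry under the new predicate, or stating the removal in the commit message so downstream users of the old tags can migrate.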
@@ -155,37 +146,52 @@
 ]
 },
 {
- "predicate": "Threat Intelligence",
+ "predicate": "Intelligence and Counterintelligence",
 "entry": [
 {
- "value": "Passive - OSINT",
- "expanded": "OpenSourceINTelligence",
- "description": "Use of OSINT for creating of Threat Intelligence"
+ "value": "Intel Passive",
+ "expanded": "Passive gathering, managing etc. of threat intelligence. Ie. getting data from public, available resources",
+ "description": "Getting threat intel from open and publicly available resources"
 },
 {
- "value": "Passive - platforms",
- "expanded": "Platforms for TI",
- "description": "Save, share and collaborate on threat intelligence platforms"
+ "value": "Intel Active",
+ "expanded": "Active or proactive intel gathering, collecting etc. Ie. closed resources as private forums, gossip ...",
+ "description": "Getting threat intel from closed resources or trusted parties as private chats or exploitation of groups etc."
 },
 {
- "value": "Counter-Intelligence public",
- "expanded": "Counter Intelligence",
- "description": "Active retrieval of Threat Intelligence for purpose of defense collected with available public resources - example: active monitoring of web services to uncover action before happen (forum hacktivist group)"
+ "value": "Counterintel Defensive",
+ "expanded": "Includes subcategories as Deterrence and Detection ",
+ "description": "Focuses on detecting and neutralizing adversary efforts to compromise or exploit digital systems." 
 },
 {
- "value": "Counter-Intelligence government",
- "expanded": "Counter Intelligence",
- "description": "Active retrieval of Threat Intelligence for purpose of defense collected with non-public resources - example: cooperation between secret services in EU"
- }
- ]
- },
- {
- "predicate": "Threat Hunting",
- "entry": [
+ "value": "Counterintel Defensive - Deterrence",
+ "expanded": "Deterrende in cyber space as part of strategy",
+ "description": "Aims to discourage adversary actions by demonstrating strong protective measures and potential consequences."
+ },
+ {
+ "value": "Counterintel Defensive - Detection",
+ "expanded": "Detection Engineering",
+ "description": "Ideally focuses on identifying and exposing adversary activities before they can cause harm."
+ },
+ {
+ "value": "Counterintel Offensive",
+ "expanded": "Includes subcategories as Detection, Deception and Neutralization",
+ "description": "Involves actively disrupting or deceiving adversary intelligence operations to gain strategic advantage"
+ },
+ {
+ "value": "Counterintel Offensive - Detection",
+ "expanded": "Detect operations of adversary before they reach friendly environment",
+ "description": "Detection involves actively identifying and exposing adversary cyber operations to disrupt their efforts."
+ },
+ {
+ "value": "Counterintel Offensive - Deception",
+ "expanded": "Creating deception campaigns, fake accounts, penetrating adversary communication with use of deception...",
+ "description": "Uses false information and tactics to mislead and confuse adversaries in their cyber operations." 
+ },
 {
- "value": "Threat Hunting",
- "expanded": "Threat Hunting",
- "description": "Threat Hunting is the activity of active search for possible signs of adversary in environment"
+ "value": "Counterintel Offensive - Neutralization",
+ "expanded": "Adversary disruption as influence operation, environment disturbance to prevent adversary operations...",
+ "description": "Neutralization aims to disrupt and eliminate adversary cyber threats before they can inflict damage."
 }
 ]
 },
From 0b7e75981986ec113b506a317209fae0aaa63b87 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Fri, 16 Aug 2024 16:07:11 +0200
Subject: [PATCH 3/6] Fixed errors in taxonomy
Errors in taxonomy.
---
 Engage/machinetag.json | 249 ++++++++++++++++++++++++++++++++---------
 1 file changed, 197 insertions(+), 52 deletions(-)
diff --git a/Engage/machinetag.json b/Engage/machinetag.json
index 3d1a5e3..f317ed0 100644
--- a/Engage/machinetag.json
+++ b/Engage/machinetag.json
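Review bot: `"expanded": "Deterrende in cyber space as part of strategy"` has a typo, and `"expanded": "Includes subcategories as Deterrence and Detection "` carries a trailing space that will end up in the displayed label; `+ "expanded": "Deterrence in cyber space as part of strategy",` and `+ "expanded": "Includes subcategories as Deterrence and Detection",`. As a point of style, several new entries put a full sentence ending in `...` or `etc.` into `expanded` while the short summary sits in `description`, the reverse of the older entries in this file such as `"expanded": "Answer to deception"`; `expanded` reads better as a short label with the explanation kept in `description`.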
@@ -1,87 +1,232 @@
 {
- "name": "Engage",
- "description": "MITRE Engage Framework Taxonomy: A structured approach to influence and understand adversary behavior through proactive defense strategies.",
+ "name": "engage",
+ "description": "MITRE Engage Framework Taxonomy: Structured around Engage Goals, Approaches, and Actions.",
 "version": 1,
- "author": "DCG420",
+ "author": "Your Name or Organization",
+ "category": "Mitigation",
 "values": [
 {
- "value": "approach",
- "expanded": "Engage Approach",
- "description": "The overarching strategies used in the Engage framework to influence adversary behavior and enhance defense postures.",
+ "value": "goals",
+ "expanded": "Engage Goals",
+ "description": "The high-level objectives aimed at influencing or understanding adversary behavior.",
 "children": [
 {
- "value": "engage_defend",
- "expanded": "Engage Defend",
- "description": "Strategies and tactics focused on reinforcing the security posture to make it harder for adversaries to achieve their objectives. This includes hardening defenses, improving access controls, and deploying advanced threat detection systems. Example: Implementing multi-factor authentication across critical systems to prevent unauthorized access."
+ "value": "expose",
+ "expanded": "Expose (EGO0001)",
+ "description": "Reveal adversary actions, intentions, or vulnerabilities."
 },
 {
- "value": "engage_disrupt",
- "expanded": "Engage Disrupt",
- "description": "Actions aimed at interrupting or hindering adversary activities. This might involve disrupting communication channels, corrupting adversary data, or creating uncertainty in their operational environment. Example: Injecting false data into adversary's command and control (C2) channels to cause operational confusion."
+ "value": "affect",
+ "expanded": "Affect (EGO0002)",
+ "description": "Influence or alter adversary behaviors, decisions, or operations." 
 },
 {
- "value": "engage_detect",
- "expanded": "Engage Detect",
- "description": "Methods to improve the visibility and detection of adversary actions within the network. This includes deploying sensors, enhancing monitoring, and using behavioral analytics to detect unusual activities. Example: Utilizing machine learning models to detect deviations from normal user behavior indicating potential insider threats."
+ "value": "elicit",
+ "expanded": "Elicit (EGO0003)",
+ "description": "Draw out responses or actions from the adversary."
+ }
+ ]
+ },
+ {
+ "value": "strategic_goals",
+ "expanded": "Strategic Goals",
+ "description": "Long-term objectives to ensure preparedness and understanding of adversary behavior.",
+ "children": [
+ {
+ "value": "prepare",
+ "expanded": "Prepare (SGO0001)",
+ "description": "Establish readiness and resilience to address adversary activities."
 },
 {
- "value": "engage_deceive",
- "expanded": "Engage Deceive",
- "description": "Techniques designed to mislead, confuse, or provide false information to adversaries, causing them to make poor decisions. This may include honeypots, decoy systems, or false narratives. Example: Deploying decoy systems that mimic critical infrastructure to lure attackers away from real assets."
+ "value": "understand",
+ "expanded": "Understand (SGO0002)",
+ "description": "Gain insights into adversary tactics and motivations."
 }
 ]
 },
 {
- "value": "goals",
- "expanded": "Engage Goals",
- "description": "The desired outcomes of employing Engage approaches, focused on reducing risks, understanding adversaries, and protecting assets.",
+ "value": "approaches",
+ "expanded": "Engage Approaches",
+ "description": "The methods used to achieve the Engage Goals.",
 "children": [
 {
- "value": "reduce_risk",
- "expanded": "Reduce Risk",
- "description": "Minimize the likelihood and impact of successful adversary actions by proactively managing vulnerabilities and threats. 
Example: Regularly updating and patching software to close known vulnerabilities that adversaries could exploit."
+ "value": "collect",
+ "expanded": "Collect (EAP0001)",
+ "description": "Gather relevant information or intelligence.",
+ "children": [
+ {
+ "value": "gather_intelligence",
+ "expanded": "Gather Intelligence from Open Sources",
+ "description": "Collecting information from publicly available sources to understand adversary activities."
+ },
+ {
+ "value": "network_traffic_analysis",
+ "expanded": "Conduct Network Traffic Analysis",
+ "description": "Analyzing network traffic to identify suspicious activities or patterns."
+ }
+ ]
+ },
+ {
+ "value": "detect",
+ "expanded": "Detect (EAP0002)",
+ "description": "Identify adversary activities or indicators of compromise.",
+ "children": [
+ {
+ "value": "deploy_ids",
+ "expanded": "Deploy Intrusion Detection Systems",
+ "description": "Implementing IDS to monitor and detect unauthorized access or activities."
+ },
+ {
+ "value": "monitor_user_behavior",
+ "expanded": "Monitor User Behavior for Anomalies",
+ "description": "Tracking user activities to identify unusual or suspicious behavior patterns."
+ },
+ {
+ "value": "introduce_perception_of_detection",
+ "expanded": "Introduce Perception of Detection",
+ "description": "Making the adversary believe they have been or might be detected, influencing their behavior."
+ }
+ ]
 },
 {
- "value": "increase_cost",
- "expanded": "Increase Adversary's Cost",
- "description": "Raise the resources (time, money, effort) adversaries must expend to achieve their objectives, thereby deterring attacks. Example: Implementing layered defenses that require adversaries to breach multiple barriers, increasing their operational complexity and cost." 
+ "value": "prevent",
+ "expanded": "Prevent (EAP0003)",
+ "description": "Implement measures to stop adversary actions before they occur.",
+ "children": [
+ {
+ "value": "implement_access_controls",
+ "expanded": "Implement Access Controls",
+ "description": "Enforcing strict access policies to prevent unauthorized access."
+ },
+ {
+ "value": "apply_patches",
+ "expanded": "Apply Patches and Updates Regularly",
+ "description": "Ensuring that all software and systems are up-to-date to close vulnerabilities."
+ }
+ ]
 },
 {
- "value": "reduce_impact",
- "expanded": "Reduce Impact",
- "description": "Limit the damage or disruption caused by successful adversary actions through resilient design and rapid response. Example: Designing critical systems with redundancy to ensure continuous operation even if one component is compromised."
+ "value": "direct",
+ "expanded": "Direct (EAP0004)",
+ "description": "Influence or guide adversary actions in a desired direction.",
+ "children": [
+ {
+ "value": "create_decoy_systems",
+ "expanded": "Create Decoy Systems",
+ "description": "Deploying systems designed to attract adversaries and gather intelligence on their methods."
+ },
+ {
+ "value": "deploy_misinformation",
+ "expanded": "Deploy Misinformation Campaigns",
+ "description": "Spreading false information to mislead adversaries."
+ }
+ ]
 },
 {
- "value": "understand_adversary",
- "expanded": "Understand Adversary",
- "description": "Gain insights into the tactics, techniques, procedures (TTPs), and motivations of adversaries to inform better defense strategies. Example: Analyzing threat intelligence reports to identify patterns in adversary behavior and anticipate future attacks." 
+ "value": "disrupt",
+ "expanded": "Disrupt (EAP0005)",
+ "description": "Interrupt or hinder adversary operations.",
+ "children": [
+ {
+ "value": "disrupt_c2",
+ "expanded": "Disrupt Command and Control Channels",
+ "description": "Targeting adversary communication channels to break their operational effectiveness."
+ },
+ {
+ "value": "disable_infrastructure",
+ "expanded": "Disable Adversary Infrastructure",
+ "description": "Taking down or disabling servers, networks, or tools used by adversaries."
+ },
+ {
+ "value": "introduce_friction",
+ "expanded": "Introduce Friction",
+ "description": "Adding delays or complications to disrupt adversary activities."
+ }
+ ]
+ },
+ {
+ "value": "reassure",
+ "expanded": "Reassure (EAP0006)",
+ "description": "Provide confidence to stakeholders or allies.",
+ "children": [
+ {
+ "value": "issue_public_statements",
+ "expanded": "Issue Public Statements",
+ "description": "Communicating openly to reassure the public or stakeholders of ongoing efforts."
+ },
+ {
+ "value": "engage_diplomatic_measures",
+ "expanded": "Engage in Diplomatic Measures",
+ "description": "Working with international partners to address cybersecurity concerns."
+ }
+ ]
+ },
+ {
+ "value": "motivate",
+ "expanded": "Motivate (EAP0007)",
+ "description": "Encourage or drive certain behaviors.",
+ "children": [
+ {
+ "value": "incentivize_compliance",
+ "expanded": "Incentivize Compliance",
+ "description": "Offering rewards or benefits to encourage adherence to security policies."
+ },
+ {
+ "value": "support_allied_efforts",
+ "expanded": "Support Allied Cybersecurity Efforts",
+ "description": "Providing assistance or resources to partners or allies in their cybersecurity efforts."
+ },
+ {
+ "value": "increase_opportunity_cost",
+ "expanded": "Increase Opportunity Cost",
+ "description": "Raising the resources required by the adversary to achieve their objectives, making the attack less appealing." 
+ }
+ ]
+ },
+ {
+ "value": "confuse",
+ "expanded": "Confuse (EAP0008)",
+ "description": "Provide misleading or contradictory information to disrupt the adversary’s understanding and decision-making.",
+ "children": [
+ {
+ "value": "mislead",
+ "expanded": "Mislead",
+ "description": "Directing the adversary toward incorrect conclusions through false information or deceptive practices."
+ },
+ {
+ "value": "introduce_ambiguity",
+ "expanded": "Introduce Ambiguity",
+ "description": "Creating uncertainty for the adversary by altering the information or environment they rely on."
+ }
+ ]
+ },
+ {
+ "value": "exhaust",
+ "expanded": "Exhaust (EAP0009)",
+ "description": "Deplete the adversary’s resources, such as time, effort, or tools, to reduce their effectiveness.",
+ "children": [
+ {
+ "value": "exhaust_resources",
+ "expanded": "Exhaust Resources",
+ "description": "Using tactics to drain adversary resources and reduce their operational effectiveness."
+ }
+ ]
 }
 ]
 },
 {
- "value": "actions",
- "expanded": "Engage Actions",
- "description": "Specific activities undertaken to implement the Engage approaches, aimed at countering or exploiting adversary actions.",
+ "value": "strategic_approaches",
+ "expanded": "Strategic Approaches",
 "children": [
 {
- "value": "introduce_noise",
- "expanded": "Introduce Noise",
- "description": "Add misleading or irrelevant information into adversary operations to degrade their decision-making and operational efficiency. Example: Inserting fake credentials into the environment that adversaries might use, leading them to incorrect conclusions."
- },
- {
- "value": "control_information",
- "expanded": "Control Information",
- "description": "Manage and manipulate the information that adversaries can access, shaping their perception and actions. Example: Using data masking techniques to protect sensitive information while allowing adversaries to access less critical data." 
- },
- {
- "value": "isolate_adversary",
- "expanded": "Isolate Adversary",
- "description": "Limit the adversary's ability to move laterally within the network or communicate with external command centers. Example: Segmenting networks to prevent adversaries from easily navigating between different systems and isolating compromised assets."
+ "value": "plan",
+ "expanded": "Plan (SAP0001)",
+ "description": "Develop strategies and actions to address adversary behavior."
 },
 {
- "value": "monitor_adversary",
- "expanded": "Monitor Adversary",
- "description": "Continuously observe adversary activities to gather intelligence and adapt defense strategies. Example: Using honeynets to attract adversaries and study their techniques in a controlled environment."
+ "value": "analyze",
+ "expanded": "Analyze (SAP0002)",
+ "description": "Examine information and intelligence to understand adversary TTPs."
 }
 ]
 }
From 5f1cb059df2ad9c9a03ff7b425f9a5c393422092 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Sat, 17 Aug 2024 19:56:47 +0200
Subject: [PATCH 4/6] Update machinetag.json
Fixed typo and Org Name
---
 Engage/machinetag.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Engage/machinetag.json b/Engage/machinetag.json
index f317ed0..bf776c4 100644
--- a/Engage/machinetag.json
+++ b/Engage/machinetag.json
@@ -1,8 +1,8 @@
 {
- "name": "engage",
+ "name": "Engage",
 "description": "MITRE Engage Framework Taxonomy: Structured around Engage Goals, Approaches, and Actions.",
 "version": 1,
- "author": "Your Name or Organization",
+ "author": "DCG420",
 "category": "Mitigation",
 "values": [
 {
From 4039bcc705627ad78f398dac65165b2eab80797c Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Thu, 22 Aug 2024 11:42:17 +0200
Subject: [PATCH 5/6] Delete Engage directory
---
 Engage/machinetag.json | 234 -----------------------------------------
 1 file changed, 234 deletions(-)
 delete mode 100644 Engage/machinetag.json
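Review bot: The `strategic_approaches` object near the end of this hunk has no `"description"` while every other group and child in the file carries one, so whatever renders descriptions will show a gap there; add a line after its `expanded`, e.g. `+ "description": "Long-term approaches used to prepare for and understand adversary behavior.",`. The codes embedded in `expanded` should be checked against the upstream MITRE Engage matrix before they ship as identifiers: to my knowledge the published engagement approaches end at Motivate (EAP0007), so `Confuse (EAP0008)` and `Exhaust (EAP0009)` and their children may not correspond to anything in the framework, and the other children (`deploy_ids`, `apply_patches`, `engage_diplomatic_measures`, …) read as generic controls rather than Engage activities. If the repository validates the file against the taxonomy shape used by GrayZone/machinetag.json on this page (`namespace`/`predicates`/`entry`), the nested `children` under each approach has no place in that shape either.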
diff --git a/Engage/machinetag.json b/Engage/machinetag.json
deleted file mode 100644
index bf776c4..0000000
--- a/Engage/machinetag.json
+++ /dev/null
@@ -1,234 +0,0 @@
-{
- "name": "Engage",
- "description": "MITRE Engage Framework Taxonomy: Structured around Engage Goals, Approaches, and Actions.",
- "version": 1,
- "author": "DCG420",
- "category": "Mitigation",
- "values": [
- {
- "value": "goals",
- "expanded": "Engage Goals",
- "description": "The high-level objectives aimed at influencing or understanding adversary behavior.",
- "children": [
- {
- "value": "expose",
- "expanded": "Expose (EGO0001)",
- "description": "Reveal adversary actions, intentions, or vulnerabilities."
- },
- {
- "value": "affect",
- "expanded": "Affect (EGO0002)",
- "description": "Influence or alter adversary behaviors, decisions, or operations."
- },
- {
- "value": "elicit",
- "expanded": "Elicit (EGO0003)",
- "description": "Draw out responses or actions from the adversary."
- }
- ]
- },
- {
- "value": "strategic_goals",
- "expanded": "Strategic Goals",
- "description": "Long-term objectives to ensure preparedness and understanding of adversary behavior.",
- "children": [
- {
- "value": "prepare",
- "expanded": "Prepare (SGO0001)",
- "description": "Establish readiness and resilience to address adversary activities."
- },
- {
- "value": "understand",
- "expanded": "Understand (SGO0002)",
- "description": "Gain insights into adversary tactics and motivations."
- }
- ]
- },
- {
- "value": "approaches",
- "expanded": "Engage Approaches",
- "description": "The methods used to achieve the Engage Goals.",
- "children": [
- {
- "value": "collect",
- "expanded": "Collect (EAP0001)",
- "description": "Gather relevant information or intelligence.",
- "children": [
- {
- "value": "gather_intelligence",
- "expanded": "Gather Intelligence from Open Sources",
- "description": "Collecting information from publicly available sources to understand adversary activities." 
- },
- {
- "value": "network_traffic_analysis",
- "expanded": "Conduct Network Traffic Analysis",
- "description": "Analyzing network traffic to identify suspicious activities or patterns."
- }
- ]
- },
- {
- "value": "detect",
- "expanded": "Detect (EAP0002)",
- "description": "Identify adversary activities or indicators of compromise.",
- "children": [
- {
- "value": "deploy_ids",
- "expanded": "Deploy Intrusion Detection Systems",
- "description": "Implementing IDS to monitor and detect unauthorized access or activities."
- },
- {
- "value": "monitor_user_behavior",
- "expanded": "Monitor User Behavior for Anomalies",
- "description": "Tracking user activities to identify unusual or suspicious behavior patterns."
- },
- {
- "value": "introduce_perception_of_detection",
- "expanded": "Introduce Perception of Detection",
- "description": "Making the adversary believe they have been or might be detected, influencing their behavior."
- }
- ]
- },
- {
- "value": "prevent",
- "expanded": "Prevent (EAP0003)",
- "description": "Implement measures to stop adversary actions before they occur.",
- "children": [
- {
- "value": "implement_access_controls",
- "expanded": "Implement Access Controls",
- "description": "Enforcing strict access policies to prevent unauthorized access."
- },
- {
- "value": "apply_patches",
- "expanded": "Apply Patches and Updates Regularly",
- "description": "Ensuring that all software and systems are up-to-date to close vulnerabilities."
- }
- ]
- },
- {
- "value": "direct",
- "expanded": "Direct (EAP0004)",
- "description": "Influence or guide adversary actions in a desired direction.",
- "children": [
- {
- "value": "create_decoy_systems",
- "expanded": "Create Decoy Systems",
- "description": "Deploying systems designed to attract adversaries and gather intelligence on their methods." 
- },
- {
- "value": "deploy_misinformation",
- "expanded": "Deploy Misinformation Campaigns",
- "description": "Spreading false information to mislead adversaries."
- }
- ]
- },
- {
- "value": "disrupt",
- "expanded": "Disrupt (EAP0005)",
- "description": "Interrupt or hinder adversary operations.",
- "children": [
- {
- "value": "disrupt_c2",
- "expanded": "Disrupt Command and Control Channels",
- "description": "Targeting adversary communication channels to break their operational effectiveness."
- },
- {
- "value": "disable_infrastructure",
- "expanded": "Disable Adversary Infrastructure",
- "description": "Taking down or disabling servers, networks, or tools used by adversaries."
- },
- {
- "value": "introduce_friction",
- "expanded": "Introduce Friction",
- "description": "Adding delays or complications to disrupt adversary activities."
- }
- ]
- },
- {
- "value": "reassure",
- "expanded": "Reassure (EAP0006)",
- "description": "Provide confidence to stakeholders or allies.",
- "children": [
- {
- "value": "issue_public_statements",
- "expanded": "Issue Public Statements",
- "description": "Communicating openly to reassure the public or stakeholders of ongoing efforts."
- },
- {
- "value": "engage_diplomatic_measures",
- "expanded": "Engage in Diplomatic Measures",
- "description": "Working with international partners to address cybersecurity concerns."
- }
- ]
- },
- {
- "value": "motivate",
- "expanded": "Motivate (EAP0007)",
- "description": "Encourage or drive certain behaviors.",
- "children": [
- {
- "value": "incentivize_compliance",
- "expanded": "Incentivize Compliance",
- "description": "Offering rewards or benefits to encourage adherence to security policies."
- },
- {
- "value": "support_allied_efforts",
- "expanded": "Support Allied Cybersecurity Efforts",
- "description": "Providing assistance or resources to partners or allies in their cybersecurity efforts." 
- },
- {
- "value": "increase_opportunity_cost",
- "expanded": "Increase Opportunity Cost",
- "description": "Raising the resources required by the adversary to achieve their objectives, making the attack less appealing."
- }
- ]
- },
- {
- "value": "confuse",
- "expanded": "Confuse (EAP0008)",
- "description": "Provide misleading or contradictory information to disrupt the adversary’s understanding and decision-making.",
- "children": [
- {
- "value": "mislead",
- "expanded": "Mislead",
- "description": "Directing the adversary toward incorrect conclusions through false information or deceptive practices."
- },
- {
- "value": "introduce_ambiguity",
- "expanded": "Introduce Ambiguity",
- "description": "Creating uncertainty for the adversary by altering the information or environment they rely on."
- }
- ]
- },
- {
- "value": "exhaust",
- "expanded": "Exhaust (EAP0009)",
- "description": "Deplete the adversary’s resources, such as time, effort, or tools, to reduce their effectiveness.",
- "children": [
- {
- "value": "exhaust_resources",
- "expanded": "Exhaust Resources",
- "description": "Using tactics to drain adversary resources and reduce their operational effectiveness."
- }
- ]
- }
- ]
- },
- {
- "value": "strategic_approaches",
- "expanded": "Strategic Approaches",
- "children": [
- {
- "value": "plan",
- "expanded": "Plan (SAP0001)",
- "description": "Develop strategies and actions to address adversary behavior."
- },
- {
- "value": "analyze",
- "expanded": "Analyze (SAP0002)",
- "description": "Examine information and intelligence to understand adversary TTPs."
- }
- ]
- }
- ]
-}
From 88c36e44a7204202e82c903e8e8e203f69380e1a Mon Sep 17 00:00:00 2001
From: Jan Pohl
Date: Thu, 19 Sep 2024 16:34:54 +0200
Subject: [PATCH 6/6] Updated GrayZone to right version
---
 GrayZone/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/GrayZone/machinetag.json b/GrayZone/machinetag.json
index ca03995..cd5fe7e 100644
--- a/GrayZone/machinetag.json
+++ b/GrayZone/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "GrayZone",
 "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
- "version": 3.1,
+ "version": 3,
 "predicates": [
 {
 "value": "Adversary Emulation",