Preventions
- Home
- - Preventions
- -PV005
- ID: PV005
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
Install an Anti-Virus Solution
An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.
Sections
ID | Name | Description |
---|---|---|
IF008.006 | Inappropriate Usage of Social Media | A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image. |
AF018.001 | Endpoint Tripwires | A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.
The tripwire software monitors various aspects of the endpoint to detect potential investigations:
Upon detecting security activity, the tripwire can initiate various evasive responses:
|
AF018.003 | Canary Tokens | A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:
The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.
The subject strategically places these files in various locations within the environment:
Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected:
Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:
By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity. |