Active Defense with MITRE Engage

Background

In the cybersecurity world, MITRE is perhaps best known for ATT&CK, a free knowledge base of adversary tactics and techniques that have been extracted from real-world observations. The framework has gained global adoption. Security teams around the world measure the efficacy of their threat detection programs by their ability to detect techniques documented in MITRE ATT&CK.

However, ATT&CK has largely been a reactive knowledge base—detailing techniques that adversaries are likely to use at a given stage of the attack, and how to detect them. We don’t use the word ‘reactive’ here in a negative sense. There’s no problem with using reactive strategies. If anything, MITRE ATT&CK has created the foundational framework for understanding attack techniques and creating a game plan to deal with them.

However, adding active defense to your security playbook, in addition to reactive strategies, opens up new opportunities for security teams to take action more quickly, effectively, and with greater confidence in high-pressure scenarios such as a breach.

 

Enter MITRE Shield

MITRE had been using deception-based active defense to defend its network for over a decade. In August 2020, the organization consolidated its techniques into a new knowledge base focused on active defense and launched Shield.

Much like ATT&CK, Shield was also a collection of techniques. But instead of taking an attacker’s view of how networks are penetrated and breached, Shield took the defender’s view of what can be done actively to derisk an environment by planting traps (decoys) and intercepting attacks instead of reacting to adversaries when they’re moving laterally.

By virtue of how Shield was organized (a collection of techniques), it was heavily catered to practitioners. However, technical feedback from the community revealed that security teams needed something that could help them understand, strategize, and plan active defense operations before they could dive head-first into techniques.

 

Evolving into MITRE Engage

The MITRE team went back to the drawing board and streamlined Shield into a new framework that could help cyber practitioners, leaders, and vendors plan and implement adversary engagement, deception, and denial activities. The new framework is called Engage and was beta launched in Aug 2021.

 

What has changed?

While MITRE Shield was a technique-heavy and execution-focused framework, Engage adds the much-needed layers of planning and analysis by bookending deception techniques with activities that can help defenders define the scope of their active defense operations and use the threat intelligence gathered to inform threat models and refine deception operations.

The framework is divided into three parts:

• Row 1 - Goals: What do you want to achieve? Do you want to expose adversaries, do you want to misdirect them once they are in your network, or do you want to elicit certain actions so that you can understand their motivations and goals? 
• Row 2 - Approaches: What will you do to achieve the goals of your active defense/adversary engagement program? Do you want to detect adversaries or prevent them from moving any further?
• Row 3 onwards - Activities: These are the different options you have under each approach. You can use one or more or combine several to meet the strategic goals defined under the ‘Prepare’ column.

 

 

What does this mean for defenders?

You can learn more about how MITRE Engage differs from Shield here, but here’s an overview of how the changes help you:

1. Provides the security community with a shared vocabulary that can help standardize the foundational thinking around active defense, deception, and adversary engagement.
2. Provides a framework for running end-to-end active defense programs that encompass planning, operations, and analysis.
3. Organizes activities under approaches to enable security teams to prioritize active defense techniques based on their maturity level and bandwidth.

 

Operationalizing MITRE Engage

Most security teams are heavily focused on prevention. More mature teams bend toward threat detection. While MITRE Engage will make it easier for teams to adopt active defense, it can be a little overwhelming at first.

Defenders can pick and choose from the different activities based on their appetite and then grow from there.

A great place to start is building detection capabilities. Threat detection is a difficult problem to solve because of the volume of alerts generated in a typical environment. Even after regular tuning, a quarter of all alerts are false positives.

Taking an active defense approach by using decoys to detect threats solves two problems:

1. Easy to get started: While traditional threat detection approaches take months to be fully operational and effective, deception-based threat detection can be operationalized in a matter of days.
2. Low false positives: Decoy assets are deployed in a manner that makes them invisible to the legitimate user. Any interaction with a decoy, therefore, is a high confidence indicator of a breach. Security teams can prioritize deception alerts to begin investigation and trigger orchestration.

Deception provides a variety of approaches for threat detection. Here are a few:

• Perimeter deception: Internet-facing decoys that heuristically detect pre-breach threats that are specifically targeting your organization.
• Application deception: Server system decoys that host services like SSH servers, databases, file shares, and more.
• Endpoint deception: A minefield for your endpoints. Includes decoy files, decoy credentials, decoy processes, etc.
• Active Directory deception: Fake users in active directory that detect enumeration activity and malicious access.
• Cloud deception: Decoys web servers, databases, file servers, etc. that detect lateral movement in your cloud environments.
• Email deception: Email decoys that intercept attackers attempting to mount social engineering or spear-phishing attacks.

Zscaler Deception delivers 99% of the capabilities covered in MITRE Engage. If you want to get started with deception, augment your threat detection program, or fully operationalize MITRE Engage, download this white paper to learn how you can use Zscaler Deception to implement all the active defense activities without doing any manual work.

We’re also hosting a webinar with, Dr. Stanley Barr, MITRE’s capability area lead for cyber denial, deception, and adversary engagement, and Bill Hill, CISO, MITRE where we’ll address the following questions:

• What are cyber deception and adversary engagement?
• What is MITRE Engage?
• How does deception fit into a zero-trust architecture?
• How do you integrate deception into your security toolkit?
• What does deception look like in action?

If you want to learn more about active defense, deception, and adversary engagement from the folks who invented the framework, this webinar is a great place to do so. Register here.