MITRE Shield is an active defense knowledge base that captures what MITRE staff learned from adversary engagement and from applying the MITRE ATT&CK framework to operational planning. Many of the techniques it describes are foundational security controls, which makes Shield accessible and actionable for organizations of any size or maturity.

MITRE observed that the adversary actions catalogued in ATT&CK also present opportunities for the defending organization to counteract them. Shield grew out of the need to organize those counteractions, and its techniques were mapped to ATT&CK so that a defender can build active defense plans around the opportunities an adversary's own behavior creates.

Shield's goal is to give active defense actions a structure that keeps complexity down and makes the knowledge base useful to every organization. To that end, Shield borrows its terminology from the DoD Dictionary of Military and Associated Terms and the United States Government Compendium of Interagency and Associated Terms:

The DoD defines active defense as "the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." Within Shield the term spans a range of actions, from basic cyber defensive capability to cyber deception and adversary engagement operations. Combined, these let an organization counter an attack in progress and gather intelligence on the adversary's tradecraft so that it is better prepared next time.

Like MITRE ATT&CK, Shield organizes active defense actions into tactics, techniques and procedures (TTPs).

  • Tactics are abstract defender goals that describe the desired effect of an active defense activity. They explain why a defender would choose a particular active defense technique, and they serve as a way to classify individual techniques.
  • Techniques are general actions a defender can perform. A technique may have several different tactical effects depending on how it is implemented.
  • Procedures are concrete implementations of a technique.

The Shield matrix illustrates the relationship between tactics and techniques: each column is a defender tactic, and the cells beneath it list the techniques that can produce that tactical effect.

Figure 1: MITRE Shield matrix. Source: Medium.

In addition to this terminology, Shield introduces Opportunity Spaces and Use Cases. An opportunity space is a high-level description of the active defense possibility that opens up when an attacker uses a particular technique; a use case is a high-level description of how a defender could act to take advantage of the opportunity that the attacker's action presents.

The following table provides a quick overview of the Shield tactics.

Tactic      Description
Channel     Guide an adversary down a specific path or in a specific direction
Collect     Gather adversary tools, observe their tactics and collect other raw intelligence about their activity
Contain     Prevent an adversary from moving outside specific bounds or constraints
Detect      Establish or maintain awareness of what an adversary is doing
Disrupt     Prevent an adversary from conducting part or all of their mission
Facilitate  Enable an adversary to conduct part or all of their mission
Legitimize  Add authenticity to deceptive components so that the adversary believes they are real
Test        Determine the interests, capabilities or behaviors of an adversary

Table 1: MITRE Shield Tactics. Adapted from https://shield.mitre.org/tactics/

As noted above, Shield's defensive techniques are tied to ATT&CK's adversary techniques, so MITRE maintains a page organized by ATT&CK tactic. For each ATT&CK tactic it lists the adversary techniques that fall under it and, for each of those, the applicable active defense information: the opportunity, the use case and the Shield techniques that apply.

Leveraging ATT&CK along with MITRE Shield offers the potential to create active defense playbooks to address specific adversaries. “We hope mapping Shield to ATT&CK will be a good addition to the collection of ways ATT&CK can be used. Using them in tandem can help defenders better understand adversary behavior and engagements and suggest ways the defender can mount a more active defense,” says Christina Fowler, MITRE’s chief cyber intelligence strategist.

It is worth noting that roughly one-third of the techniques in Shield are deception techniques. What sets deception apart is that it does more than detect, identify and block lateral movement. With digital transformation dissolving traditional network boundaries, detection has become one of the hardest parts of network defense.

As intruders move laterally through a corporate network they gather information while undetected, and use it to mount more targeted and damaging attacks. This is where deception and active defense converge: real high-value assets are surrounded by decoys that look and behave like the genuine article. Attackers want to move fast and to be sure where to spend their effort; a deceptive environment slows them down, and every interaction with a decoy risks revealing their presence, tools and techniques to the defender.

Because decoys are separate from production assets, they fit even the most diverse and distributed environments, including IT, OT and IoT devices. Legitimate users and systems have no reason to touch a decoy, so any interaction with one is a high-fidelity alert with very few false positives. The main exceptions are authorized vulnerability scanners and asset discovery tools, which must be allow-listed or steered away from the decoys so that their sweeps do not drown the signal.

Depending on the level of intelligence and forensics required, organizations should consider employing one of the three levels of deception:

  1. Low interaction: simple fake assets (for example a listening port that answers with a plausible banner) designed to divert intruders away from the real thing while consuming their time and resources.
  2. Medium interaction: emulated services that respond realistically enough to expose the attacker's techniques, giving the security team what it needs to identify the intruder and respond.
  3. High interaction: full systems the attacker can actually use, which yield the richest intelligence on tools and tradecraft but also demand the most isolation and monitoring.

An organization does not need to adopt every active defense tactic in MITRE Shield to benefit. Low-interaction decoys are a good place to start and can be deployed in minutes. The speed and effectiveness of deception and active defense should prompt CISOs to revisit their security strategy.
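To make the low-interaction case concrete, here is a small added example (written for this article, not code from MITRE or from the Shield knowledge base) of a decoy that does nothing but listen on a TCP port, hand out a banner and record the first bytes a visitor sends. Anyone who connects produces an alert, because no legitimate user or system should ever talk to it. The mapping of such a decoy to the Shield tactics Detect and Collect, the SSH-style banner and the helper names (make_listener, serve_decoy, probe_decoy) are assumptions made for the example; the probe_decoy function plays the attacker's side so the whole thing can be exercised on localhost.

```python
"""Minimal low-interaction TCP decoy: any connection is a high-fidelity alert."""
import socket
import threading
from datetime import datetime, timezone

# Assumption: a decoy that only serves a banner and records the first bytes it
# receives maps to the Shield tactics Detect and Collect from Table 1.
SHIELD_TACTICS = ["Detect", "Collect"]


def make_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 asks the OS for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def build_alert(peer_ip, peer_port, decoy_port, first_bytes):
    """Turn one touch of the decoy into an alert record for the SOC pipeline."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source_ip": peer_ip,
        "source_port": peer_port,
        "decoy_port": decoy_port,
        # A connect-and-leave looks like a port scan; sent data means interaction.
        "interaction": "sent_data" if first_bytes else "connect_only",
        "first_bytes": first_bytes.hex(),
        "shield_tactics": SHIELD_TACTICS,
        "severity": "high",  # nothing legitimate should ever talk to a decoy
    }


def serve_decoy(listener, banner, max_connections=1, read_timeout=2.0):
    """Accept up to max_connections, send the banner, capture the first 256 bytes."""
    alerts = []
    decoy_port = listener.getsockname()[1]
    for _ in range(max_connections):
        conn, (peer_ip, peer_port) = listener.accept()
        with conn:
            conn.settimeout(read_timeout)
            data = b""
            try:
                conn.sendall(banner)
                data = conn.recv(256)
            except (socket.timeout, OSError):
                pass  # visitor connected and left: still an alert, just connect_only
            alerts.append(build_alert(peer_ip, peer_port, decoy_port, data))
    return alerts


def serve_decoy_in_background(listener, banner, max_connections=1):
    """Run serve_decoy in a thread; returns (thread, alerts), alerts fills in later."""
    alerts = []

    def run():
        alerts.extend(serve_decoy(listener, banner, max_connections))

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread, alerts


def probe_decoy(port, payload, host="127.0.0.1"):
    """Stand-in for the attacker's side: connect, read the banner, send payload."""
    with socket.create_connection((host, port), timeout=5) as client:
        banner = client.recv(128)
        if payload:
            client.sendall(payload)
    return banner


if __name__ == "__main__":
    # Constructed example run: an SSH-looking decoy on an arbitrary high port.
    decoy = make_listener(port=2222)
    print("decoy listening on", decoy.getsockname())
    for alert in serve_decoy(decoy, b"SSH-2.0-OpenSSH_8.2\r\n", max_connections=3):
        print(alert)
```

In production the listener would bind on a real interface, the alert dictionaries would be shipped to the SIEM, and the source addresses of authorized scanners would be filtered before alerting; the structure, however, stays this simple, which is why a low-interaction decoy can be up in minutes.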

ITEGRITI is a firm believer that cybersecurity programs must be based on informed decisions and assessments. If you want to learn how we leverage the MITRE Shield framework, visit us at itegriti.com.

You can also read our other guides in this MITRE Series:

What is the MITRE ATT&CK Framework and Why is it Important?

15 Ways MITRE’s PRE-ATT&CK Tactics Protect You

The Fabulous 11: How MITRE ATT&CK ICS Framework Makes a Difference