Inside MITRE Shield
MITRE Shield is designed to be a knowledge base regarding cybersecurity active defense and attacker engagement. Active defense refers to activities designed to actively fight an attacker’s ability to hold a certain position. In the cybersecurity arena, this includes techniques such as the use of deceptive technologies and guiding an attacker down a desired path.
Like the ATT&CK framework, Shield uses an array of general tactics broken down into specific techniques. The eight Shield tactics include:
- Channel: Guide an adversary down a specific path or in a specific direction.
- Collect: Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity.
- Contain: Prevent an adversary from moving outside specific bounds or constraints.
- Detect: Establish or maintain awareness into what an adversary is doing.
- Disrupt: Prevent an adversary from conducting part or all of their mission.
- Facilitate: Enable an adversary to conduct part or all of their mission.
- Legitimize: Add authenticity to deceptive components to convince an adversary that something is real.
- Test: Determine the interests, capabilities, or behaviors of an adversary.
Each of these eight tactics contains multiple techniques. Within each technique is additional information, such as:
- Description: A description of the technique.
- Opportunities: Objectives that can be achieved by implementing the technique.
- Use Cases: Examples of applying the technique within an organization’s network.
- Procedures: Actions to take to implement the technique.
- ATT&CK Techniques: Attacker techniques from the ATT&CK framework that can be addressed using this Shield technique.
Additionally, MITRE provides a complete mapping between their ATT&CK and Shield frameworks. This enables Shield to be easily integrated into existing ATT&CK-based efforts to improve enterprise cybersecurity.
Operationalizing MITRE Shield
In previous articles, we discussed how to operationalize the MITRE ATT&CK framework, including taking advantage of the new sub-techniques introduced in the latest update. Many of these same principles and practices can be applied to MITRE Shield as well.
Implementing active defense with MITRE Shield enables an organization to take the next step in improving their cyber defense playbooks. Implementing protections against the techniques described in the ATT&CK framework can help to minimize the probability that an attacker will successfully exploit a target and achieve their objectives. Following the guidance outlined in MITRE Shield gives the defender tools for an active defense over the attacker’s operations and minimizes the probability that they reach their goals.