MITRE is a federally funded research and development center (FFRDC) of the US government that performs research and development in many areas, including cybersecurity. MITRE is known for its ATT&CK framework, which breaks the cyberattack lifecycle into distinct phases and describes the various techniques that can be used to achieve the objective of each phase. This framework enables organizations to think strategically about their cybersecurity defenses and test them in an organized way.

Recently MITRE released another cybersecurity framework: Shield.  Like ATT&CK, Shield is geared toward the offensive aspect of cybersecurity, providing guidance for defenders.

Inside MITRE Shield

MITRE Shield is designed to be a knowledge base regarding cybersecurity active defense and attacker engagement. Active defense refers to activities designed to actively fight an attacker’s ability to hold a certain position.  In the cybersecurity arena, this includes techniques such as the use of deceptive technologies and guiding an attacker down a desired path.

Like the ATT&CK framework, Shield uses an array of general tactics broken down into specific techniques. The eight Shield tactics include:

  1. Channel: Guide an adversary down a specific path or in a specific direction.
  2. Collect: Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity.
  3. Contain: Prevent an adversary from moving outside specific bounds or constraints.
  4. Detect: Establish or maintain awareness into what an adversary is doing.
  5. Disrupt: Prevent an adversary from conducting part or all of their mission.
  6. Facilitate: Enable an adversary to conduct part or all of their mission.
  7. Legitimize: Add authenticity to deceptive components to convince an adversary that something is real.
  8. Test: Determine the interests, capabilities, or behaviors of an adversary.

Each of these eight tactics contains multiple techniques. Within each technique is additional information, such as:

  • Description: A description of the technique.
  • Opportunities: Objectives that can be achieved by implementing the technique.
  • Use Cases: Examples of applying the technique within an organization’s network.
  • Procedures: Actions to take to implement the technique.
  • ATT&CK Techniques: Attacker techniques from the ATT&CK framework that can be addressed using this Shield technique.

Additionally, MITRE provides a complete mapping between their ATT&CK and Shield frameworks. This enables Shield to be easily integrated into existing ATT&CK-based efforts to improve enterprise cybersecurity.

Operationalizing MITRE Shield

In previous articles, we discussed how to operationalize the MITRE ATT&CK framework, including taking advantage of the new sub-techniques introduced in the latest update.  Many of these same principles and practices can be applied to MITRE Shield as well.

Implementing active defense with MITRE Shield enables an organization to take the next step in improving their cyber defense playbooks.  Implementing protections against the techniques described in the ATT&CK framework can help to minimize the probability that an attacker will successfully exploit a target and achieve their objectives.  Following the guidance outlined in MITRE Shield gives the defender tools for an active defense over the attacker’s operations and minimizes the probability that they reach their goals.

How MorganFranklin Can Help

Like the ATT&CK framework, taking full advantage of MITRE Shield requires strategic planning and a deep understanding of cybersecurity and an organization’s unique cybersecurity and business needs.  MorganFranklin advisors can help with development of a strategy for implementing active defense using MITRE Shield and to deploy, configure, and maintain the required solutions within an organization’s network.