Last week, MITRE released MITRE Shield, an active defense knowledge base that captures and organizes what MITRE is learning about active defense and adversary engagement. In this post, I want to emphasize 'Active Engagement.'
MITRE adopts the U.S. Department of Defense definition of Active Defense: the "employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." In other words, engage the enemy to deny them a contested position. By comparison, controls frameworks are passive. Improving your security posture with such controls is clearly necessary, but it is the equivalent of locking your doors and windows, installing surveillance cameras and putting your valuables in a safe. Depending on where you live, you'd be foolish not to do at least some of these things, but they are passive measures. Shield is different. It's a framework for proactively engaging and disrupting attackers.
MITRE Shield & Deception
Five minutes into MITRE's knowledge base you'll see why, as a Deception advocate, I'm so excited about Shield. MITRE Shield currently contains 34 techniques mapped against 8 active defense tactics: Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize and Test. Deception currently comprises about a third of the techniques in the framework. Decoy Accounts, Content, Credentials, Networks, Personas, Processes and Systems, as well as Decoy Diversity and Burn-In, are all listed and mapped to approximately 70 ATT&CK techniques. (Shown in the figure below.)
So, while NIST Special Publication 800-172 recommends Deception to, “impede the adversary’s ability to conduct meaningful reconnaissance of the targeted organization, delay or degrade an adversary’s ability to move laterally through a system or from one system to another system, divert the adversary away from systems or system components…, and increase observability of the adversary to the defender—revealing the presence of the adversary along with its TTPs,” MITRE Shield provides a complementary and actionable framework for an integrated Deception strategy.
A Virtuous Circle
Used together, ATT&CK and Shield are a powerful combination: ATT&CK gives practitioners a playbook for hardening their environment against likely groups and their TTPs, and Shield gives them a complementary framework for actively disrupting those TTPs. TrapX DeceptionGrid™ completes the circle. It's a comprehensive platform for deploying and managing deceptive accounts, content, credentials, networks, personas, processes and systems. It disrupts an adversary's ability to conduct reconnaissance and move laterally while revealing their presence along with their TTPs. In addition, TrapX alerts are tagged with ATT&CK techniques, creating a closed loop between attacker techniques, active defense countermeasures and mitigation.
Evaluating Commercial Solutions
Shield describes a broad range of deceptive capabilities that map across all eight Shield tactics. The vendor community can meet these needs today with what we can generically call low interaction, medium interaction and high interaction deceptive assets, integrated into a realistic deceptive environment. Each class of asset does a different job, each is valuable, and they work best together. For the sake of brevity, here's a simple description of each.
- Low Interaction: Fake data, credentials, files, traffic, browser histories and similar breadcrumbs. They cost little to seed at scale, make decoys look real and attractive, and channel attackers toward the decoys and away from real assets. Any use of a planted credential is by definition attacker activity, so they also double as a high-fidelity tripwire.
- Medium Interaction: Emulated network assets that allow enough interaction to identify the attacker, expose their TTPs and trigger a response, without the cost of maintaining a full system.
- High Interaction: Real or full-featured systems that allow extended interaction, primarily to collect information in order to learn about an adversary and their TTPs in depth. These yield the richest insight but are the most expensive to build, monitor and contain.
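To make the low-interaction tripwire concrete, here is an added example (written for this post; it is not TrapX or MITRE code) that seeds decoy credentials, records which host each one was planted on, and then scans constructed logon log lines for any attempt to use one. Each hit becomes an alert tagged with the Shield technique that caught it (Decoy Credentials, DTE0012) and the ATT&CK techniques the event implies. The log format, the `svc-backup` naming, the three-attempt brute-force threshold and the choice of ATT&CK tags (T1078 Valid Accounts, T1110 Brute Force) are assumptions made for the example, not Shield's own mapping table.

```python
"""Decoy (honeytoken) credential seeding and use-detection.

Illustrative code written for this post; not TrapX or MITRE software.
The log line format, hostnames and ATT&CK/Shield tags are assumptions.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tags used on alerts. Shield DTE0012 is "Decoy Credentials";
# ATT&CK T1078 is "Valid Accounts" and T1110 is "Brute Force".
SHIELD_DECOY_CREDENTIALS = "DTE0012"
ATTACK_VALID_ACCOUNTS = "T1078"
ATTACK_BRUTE_FORCE = "T1110"

# Assumed log format (constructed for this example, not a real product format):
#   <timestamp> sshd host=<target> src=<ip> user=<name> result=<ok|failed>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|failed)$"
)


@dataclass(frozen=True)
class DecoyCredential:
    username: str
    password: str
    planted_on: str  # host whose config or history file carries the decoy


class DecoyRegistry:
    """Tracks every decoy we seeded so a logon attempt can be traced back to
    the exact host the attacker harvested it from."""

    def __init__(self) -> None:
        self._by_user: Dict[str, DecoyCredential] = {}

    def plant(self, planted_on: str, role: str = "svc-backup") -> DecoyCredential:
        # A random suffix makes each planted copy distinct. The password is
        # random and is never valid on any real system, so any use of it
        # can only come from someone who harvested the decoy.
        cred = DecoyCredential(
            username=f"{role}-{secrets.token_hex(3)}",
            password=secrets.token_urlsafe(16),
            planted_on=planted_on,
        )
        self._by_user[cred.username] = cred
        return cred

    def lookup(self, username: str) -> Optional[DecoyCredential]:
        return self._by_user.get(username)


def detect(log_lines: List[str], registry: DecoyRegistry,
           brute_threshold: int = 3) -> List[dict]:
    """Return one alert per log line that uses a decoy credential."""
    alerts: List[dict] = []
    attempts_by_src: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip it
        cred = registry.lookup(m["user"])
        if cred is None:
            continue  # a real account; not a deception event
        attempts_by_src[m["src"]] = attempts_by_src.get(m["src"], 0) + 1
        attack = [ATTACK_VALID_ACCOUNTS]
        if attempts_by_src[m["src"]] >= brute_threshold:
            attack.append(ATTACK_BRUTE_FORCE)
        alerts.append({
            "time": m["ts"],
            "src": m["src"],
            "target": m["host"],
            "result": m["result"],
            "decoy_user": cred.username,
            "harvested_from": cred.planted_on,
            "shield": SHIELD_DECOY_CREDENTIALS,
            "attack": attack,
        })
    return alerts


def demo() -> List[dict]:
    """Plant two decoys, replay constructed log lines, return the alerts."""
    reg = DecoyRegistry()
    web_decoy = reg.plant("web01")        # e.g. dropped into a .bash_history
    fs_decoy = reg.plant("fileserver02")  # e.g. left in a backup script
    # Constructed sample log: one legitimate logon, an attacker at 10.0.5.23
    # replaying the web01 decoy three times against db01, a second source
    # trying the fileserver02 decoy once, and one malformed line.
    lines = [
        "2020-08-27T10:14:55Z sshd host=db01 src=10.0.1.10 user=alice result=ok",
        f"2020-08-27T10:15:02Z sshd host=db01 src=10.0.5.23 user={web_decoy.username} result=failed",
        f"2020-08-27T10:15:04Z sshd host=db01 src=10.0.5.23 user={web_decoy.username} result=failed",
        f"2020-08-27T10:15:07Z sshd host=db01 src=10.0.5.23 user={web_decoy.username} result=failed",
        f"2020-08-27T10:16:30Z sshd host=db02 src=10.0.9.4 user={fs_decoy.username} result=failed",
        "garbage line the parser must skip",
    ]
    return detect(lines, reg)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The point to notice is `harvested_from`: because every planted copy has its own username, the alert does not just say "someone used a decoy", it says which host the attacker had already read files on, which is the lateral-movement breadcrumb Shield's Decoy Credentials technique is meant to surface.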
One Size Does Not Fit All
Each approach is valid, but any one of them taken alone may force an organization into trade-offs between scale, time-to-value and insight. Look for solutions that offer a blended approach and that integrate with your current security stack.
Call to Action: Reconsider Honeypots
Put aside what you think you know about honeypots. Modern deception solutions are highly effective, and easy to deploy and manage. Insist on a proof of concept, and make agility and time-to-value key evaluation criteria: how quickly decoys can be deployed and refreshed, and how quickly a planted breadcrumb turns into an actionable, ATT&CK-tagged alert. Your solution can be as dynamic as the IT environment you protect and the attackers you defend against. See for yourself.