In the cybersecurity world, MITRE is perhaps best known for ATT&CK, a free knowledge base of adversary tactics and techniques that have been extracted from real-world observations. The framework has gained global adoption. Security teams around the world measure the efficacy of their threat detection programs by their ability to detect techniques documented in MITRE ATT&CK.
However, ATT&CK has largely been a reactive knowledge base—detailing techniques that adversaries are likely to use at a given stage of the attack, and how to detect them. We don’t use the word ‘reactive’ here in a negative sense. There’s no problem with using reactive strategies. If anything, MITRE ATT&CK has created the foundational framework for understanding attack techniques and creating a game plan to deal with them.
However, adding active defense to your security playbook, in addition to reactive strategies, opens up new opportunities for security teams to take action more quickly, effectively, and with greater confidence in high-pressure scenarios such as a breach.
MITRE had been using deception-based active defense to defend its network for over a decade. In August 2020, the organization consolidated its techniques into a new knowledge base focused on active defense and launched Shield.
Much like ATT&CK, Shield was also a collection of techniques. But instead of taking an attacker’s view of how networks are penetrated and breached, Shield took the defender’s view of what can be done actively to de-risk an environment by planting traps (decoys) and intercepting attacks, instead of reacting to adversaries once they are already moving laterally.
By virtue of how Shield was organized (a collection of techniques), it was heavily catered to practitioners. However, technical feedback from the community revealed that security teams needed something that could help them understand, strategize, and plan active defense operations before they could dive head-first into techniques.
The MITRE team went back to the drawing board and streamlined Shield into a new framework that could help cyber practitioners, leaders, and vendors plan and implement adversary engagement, deception, and denial activities. The new framework is called Engage and was beta launched in Aug 2021.
While MITRE Shield was a technique-heavy and execution-focused framework, Engage adds the much-needed layers of planning and analysis by bookending deception techniques with activities that can help defenders define the scope of their active defense operations and use the threat intelligence gathered to inform threat models and refine deception operations.
The framework is divided into three parts:
You can learn more about how MITRE Engage differs from Shield here, but here’s an overview of how the changes help you:
Most security teams are heavily focused on prevention. More mature teams bend toward threat detection. While MITRE Engage will make it easier for teams to adopt active defense, it can be a little overwhelming at first.
Defenders can pick and choose from the different activities based on their appetite and then grow from there.
A great place to start is building detection capabilities. Threat detection is a difficult problem to solve because of the volume of alerts generated in a typical environment. Even after regular tuning, a quarter of all alerts are false positives.
Taking an active defense approach by using decoys to detect threats solves two problems:
Deception provides a variety of approaches for threat detection. Here are a few:
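As an added illustration of the decoy-based detection point made above (example code written for this article, not Zscaler Deception or any MITRE Engage tooling), the script below runs a simple decoy-interaction check over a handful of constructed log lines. The decoy account names, decoy host, honey-file path and log format are all made up for the example. The property it demonstrates is the one that makes deception attractive for detection: no legitimate workflow has a reason to use a decoy credential, connect to a decoy host or open a honey file, so every hit is a high-confidence alert rather than one more tuning candidate, and grouping the hits by source host points straight at the machine to contain.

```python
"""Decoy-interaction detector over constructed log lines (added example, not from the article)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of decoys "planted" in the environment (hypothetical names).
# A real deployment would load this from the deception platform's inventory.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_finance_old"}
DECOY_HOSTS = {"10.20.30.250"}
DECOY_FILES = {r"\\fileshare-prod\hr\passwords.xlsx"}  # honey file among real files

# Simple constructed log format: "<ts> <EVENT> user=<u> src=<ip> dst=<host> [path=<p>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+)(?: path=(?P<path>.+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    reason: str
    user: str
    src: str
    dst: str


def parse(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a reason string if the event touches a decoy, else None.

    Any interaction with a decoy is suspicious by construction: nothing legitimate
    depends on these accounts, hosts or files, so no per-rule tuning is needed.
    """
    if event["user"] in DECOY_ACCOUNTS:
        return "decoy credential used"
    if event["dst"] in DECOY_HOSTS:
        return "decoy host contacted"
    if event.get("path") in DECOY_FILES:
        return "decoy file accessed"
    return None


def detect(lines):
    """Run the decoy check over raw log lines and return the resulting alerts in order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped, never alerted on
        reason = classify(ev)
        if reason:
            alerts.append(Alert(ev["ts"], reason, ev["user"], ev["src"], ev["dst"]))
    return alerts


def suspicious_sources(alerts):
    """Count decoy hits per source address: the host(s) an incident responder should isolate."""
    return dict(Counter(a.src for a in alerts))


# Constructed sample: normal activity from alice, then one host (10.20.30.77) touching
# a decoy credential, a decoy host and a honey file in quick succession.
SAMPLE_LOGS = [
    "2021-09-01T08:00:01Z LOGON user=alice src=10.20.30.11 dst=10.20.30.5",
    r"2021-09-01T08:02:14Z FILE_READ user=alice src=10.20.30.11 dst=fileshare-prod path=\\fileshare-prod\hr\budget.xlsx",
    "2021-09-01T08:05:33Z LOGON user=svc_backup_legacy src=10.20.30.77 dst=10.20.30.5",
    "2021-09-01T08:05:40Z SMB_CONNECT user=bob src=10.20.30.77 dst=10.20.30.250",
    r"2021-09-01T08:06:02Z FILE_READ user=bob src=10.20.30.77 dst=fileshare-prod path=\\fileshare-prod\hr\passwords.xlsx",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for a in hits:
        print(f"{a.ts} {a.reason}: user={a.user} src={a.src} dst={a.dst}")
    print("sources to contain:", suspicious_sources(hits))
```

Running it prints three alerts, all from 10.20.30.77, and no alert for alice's ordinary logon and file read. The point is not the matching logic, which is deliberately plain, but the signal-to-noise it gives: the decoy inventory is the whole rule set, and the false-positive rate depends only on how well the decoys are kept out of legitimate use.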
Zscaler Deception delivers 99% of the capabilities covered in MITRE Engage. If you want to get started with deception, augment your threat detection program, or fully operationalize MITRE Engage, download this white paper to learn how you can use Zscaler Deception to implement all the active defense activities without doing any manual work.
We’re also hosting a webinar with Dr. Stanley Barr, MITRE’s capability area lead for cyber denial, deception, and adversary engagement, and Bill Hill, CISO of MITRE, where we’ll address the following questions:
If you want to learn more about active defense, deception, and adversary engagement from the folks who invented the framework, this webinar is a great place to do so. Register here.