The not-for-profit organisation, best known for its ATT&CK® matrix, has been working with government and private-sector firms for more than 60 years. Its new knowledge base, dubbed Shield, is designed to help defenders understand their cybersecurity options and take proactive steps to defend their data and assets. Among the most commonly recommended techniques are cyber-deception and concealment, and both feature extensively in the new Shield matrix.
The features of MITRE Shield
In essence, MITRE Shield is a freely available knowledge base of common active defence techniques and tactics. More specifically, it is a guide to building an Active Defence strategy based on adversary engagement, and it covers topics such as how adversaries mount attacks, the tools they use, what they do after they establish a beachhead, and their ultimate goals.
Like the widely used ATT&CK matrix, Shield is presented in a tabular format, featuring eight tactics and a wide range of techniques mapped to specific use cases. Shield helps organisations counter known attack patterns and assists defenders to better prepare for future attacks. In all, Shield covers 33 techniques and 190 use cases.
Rather than having defenders focus merely on detecting and removing attackers from a network, Shield recommends an active defence strategy. The matrix highlights that there is much to learn from attackers, and that actively and safely engaging them creates valuable learning opportunities.
Since deception technology is an active defence technology known for its effectiveness in engaging attackers, Shield spends a considerable amount of time and effort on deception tactics and principles.
Deception and concealment
Deception and concealment technologies distinguish themselves from other active defence measures by going beyond decoys alone to achieve both attack prevention and detection. Deception proactively diverts attackers away from their real targets, using lures and other false information to guide them toward decoys. Concealment performs the allied task of hiding real objects so that an attacker cannot even see them.
These strategies align nicely with the tactics outlined in the MITRE Shield matrix. The matrix breaks the tactics into eight buckets:
- Channel: A deception tactic can channel adversaries away from important systems and toward decoys, wasting their time and resources and derailing the attack
- Collect: Defenders can use deceptive techniques to study an attacker, gathering intelligence on their behaviours and tactics
- Contain: When engaging with a deception environment, attacker activities remain contained within the specific bounds of the environment and away from production assets
- Detect: Unlike perimeter defences, deception technology detects intruders already inside the network, capturing the adversary's tactics, techniques, and procedures
- Disrupt: Feeding deceptive content to attackers will disrupt their ability to accomplish their goals
- Facilitate: Deception helps facilitate an attack along specific lines, leading the attackers to believe that they have accomplished a part of their mission by creating a “vulnerable” decoy
- Legitimise: Deception makes attackers believe that the decoys, lures, and misdirections are real
- Test: Engaging with attackers means testing them to determine their interests, capabilities, and behaviours, in order to stop current attacks and prevent future ones
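To make the Detect and Collect tactics above concrete, here is an added example (written for this page, not code from MITRE Shield or from any deception vendor) of the simplest form of deception: a honeytoken credential. A decoy account name and a random password are generated to be planted as a lure; since no legitimate process ever uses that identity, any authentication attempt against it is a high-fidelity detection, and the source addresses and hosts involved are collected as intelligence. The account name `svc-backup-admin`, the host names and addresses, and the sshd-style log lines are all constructed for the example.

```python
"""Honeytoken lure: plant a decoy credential, then alert on any use of it.

Added example for the Shield Detect and Collect tactics. Every identifier,
address and log line below is constructed; none refers to a real system.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

# Hypothetical decoy account name. Pick something that looks valuable to an
# attacker reading a credential file, but that nothing legitimate uses.
DECOY_USER = "svc-backup-admin"


def make_lure(user: str = DECOY_USER) -> dict:
    """Generate the decoy credential to plant (e.g. in a fake passwords file).
    The password is random so it can never collide with a real one."""
    return {"user": user, "password": secrets.token_urlsafe(16)}


# Constructed sample log lines in an sshd/syslog-like format (not real data).
# The second, third and fifth lines show an adversary at 10.0.9.77 trying the
# planted credential on two hosts, succeeding once.
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.4.12 port 51122 ssh2
Jan 12 03:14:07 web01 sshd[2209]: Failed password for svc-backup-admin from 10.0.9.77 port 40210 ssh2
Jan 12 03:14:09 web01 sshd[2209]: Accepted password for svc-backup-admin from 10.0.9.77 port 40210 ssh2
Jan 12 03:15:30 db02 sshd[8810]: Accepted publickey for dba from 10.0.4.30 port 51180 ssh2
Jan 12 03:16:02 db02 sshd[8814]: Failed password for svc-backup-admin from 10.0.9.77 port 40302 ssh2
"""

# Matches the constructed sshd line format above: timestamp, host, result,
# auth method, user, source address and port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?P<user>\S+)\s"
    r"from\s(?P<src>[\d.]+)\sport\s(?P<port>\d+)"
)


@dataclass
class LureHit:
    ts: str
    host: str
    user: str
    src: str
    result: str  # "Accepted" or "Failed"


def parse_line(line: str) -> dict | None:
    """Parse one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_lure_use(log_text: str, decoy_users: set[str]) -> list[LureHit]:
    """Detect tactic: return every authentication attempt against a decoy
    identity. Failures matter as much as successes: a failure proves the lure
    was picked up and tried; a success means the attacker is now inside the
    decoy's reach and should be contained and observed."""
    hits: list[LureHit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in decoy_users:
            hits.append(LureHit(rec["ts"], rec["host"], rec["user"], rec["src"], rec["result"]))
    return hits


def summarise(hits: list[LureHit]) -> dict:
    """Collect tactic: aggregate, per source address, which hosts the adversary
    tried the lure against and how often it worked."""
    by_src: dict[str, dict] = {}
    for h in hits:
        entry = by_src.setdefault(h.src, {"hosts": set(), "successes": 0, "failures": 0})
        entry["hosts"].add(h.host)
        entry["successes" if h.result == "Accepted" else "failures"] += 1
    return by_src


if __name__ == "__main__":
    lure = make_lure()
    print(f"plant this in the lure file: {lure['user']}:{lure['password']}")
    hits = detect_lure_use(SAMPLE_LOG, {DECOY_USER})
    for h in hits:
        print(f"ALERT lure used: {h.result} {h.user} on {h.host} from {h.src} at {h.ts}")
    for src, info in summarise(hits).items():
        print(f"{src}: hosts={sorted(info['hosts'])} ok={info['successes']} fail={info['failures']}")
```

Run against the constructed log, the detector flags three attempts from a single source against two hosts, one of them successful; in a real deployment the same check would sit in the SIEM on the authentication feed, and the decoy account would be created with no rights on any production asset so that a successful login lands the attacker in a contained environment rather than on real data.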
Of the 33 defence techniques across these eight tactic categories, deception and concealment technology together address 27, while deception alone covers around ten. The difference underscores the importance of concealment: it does not just deceive intruders but denies them access to the data and assets they seek. They cannot steal or encrypt what they cannot see.
Deception and concealment strategies have evolved from 'nice to have' into essential components of a defence. Guided by MITRE Shield, organisations can put them in place more effectively and realise the security benefits they deliver.