How the MITRE Shield can help organizations better address their adversaries [Q&A]
The MITRE ATT&CK framework is now used by many organizations to help them understand and counter threats. Less well known is the latest addition, MITRE Shield.
We spoke to Carolyn Crandall, chief deception officer and CMO at Attivo Networks to find out more about how this can be used along with MITRE ATT&CK to better address adversaries.
BN: It's reported that 57 percent of enterprises are now using the MITRE ATT&CK Framework; can you explain why it's gaining in popularity?
CC: The MITRE ATT&CK Framework provides a comprehensive view of the types of behaviors attackers use when compromising a network. Based on real-world observations, the framework categorizes these actions by the constituent parts of the cyber kill chain, enabling security professionals to understand how attackers might compromise their networks and build robust defenses to counter them. It effectively gives security professionals a glimpse at the threat actors' playbook, which is invaluable intelligence in the fight against cybercrime.
The framework's popularity stems from the fact that it provides an exhaustive catalog of threats and mitigation strategies presented in a clear and easily accessible way. Security pros can navigate several matrices for attack activity such as reconnaissance and lateral movement or go directly to specific techniques, tools, and mitigations.
BN: The MITRE ATT&CK Framework focuses on the offender; how does this help organizations in terms of identifying gaps in strategies and how to defend against their adversaries?
CC: The MITRE Framework format makes it easy for security decision-makers to view common vulnerabilities and threats and apply these insights to their unique infrastructure and needs. They can discover the recommended processes and solutions for defense and mitigation and assess how their security stack measures up. These can quickly highlight gaps where the company may lack the ability to defend against specific kinds of threats.
Organizations can also go more in-depth, looking into specific threat actors and the tactics, techniques, and procedures (TTPs) they are most likely to use. For example, a firm in the financial sector could assess the top threat actors known for targeting the industry to ensure they have the solutions and response playbooks to mitigate these kinds of attacks.
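The gap assessment described in the two paragraphs above (map a threat actor's known techniques against the controls you have, and see what is left uncovered) is easy to sketch in code. The following is an added example, not part of the interview or of MITRE's tooling: the ATT&CK technique IDs are real IDs that exist in the matrix, but the actor profiles and the control-to-technique coverage map are constructed for illustration and stand in for whatever an organization would pull from threat intelligence and its own control inventory.

```python
from collections import Counter

# Real ATT&CK technique IDs and names (a small subset of the Enterprise matrix).
ATTACK_TECHNIQUES = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed actor profiles: hypothetical actors, not real threat groups.
ACTOR_TTPS = {
    "HYPOTHETICAL-ACTOR-A": ["T1566", "T1078", "T1003", "T1021", "T1486"],
    "HYPOTHETICAL-ACTOR-B": ["T1078", "T1059", "T1021"],
}

# Constructed coverage map: which techniques each deployed control detects or mitigates.
CONTROL_COVERAGE = {
    "email-gateway": {"T1566"},
    "edr": {"T1059", "T1003"},
    "mfa": {"T1078"},
}


def coverage_report(actor, actor_ttps=ACTOR_TTPS, controls=CONTROL_COVERAGE):
    """For one actor, list the controls covering each technique and the uncovered gaps."""
    techniques = actor_ttps[actor]
    covered = {
        t: sorted(name for name, techs in controls.items() if t in techs)
        for t in techniques
    }
    gaps = [t for t in techniques if not covered[t]]
    return {"actor": actor, "covered": covered, "gaps": gaps}


def prioritised_gaps(actor_ttps=ACTOR_TTPS, controls=CONTROL_COVERAGE):
    """Across all actors of interest, rank uncovered techniques by how many actors use them.

    A technique several relevant actors share and no control addresses is the first
    gap to close; ties are broken by technique ID for a stable ordering.
    """
    counts = Counter()
    for actor in actor_ttps:
        counts.update(coverage_report(actor, actor_ttps, controls)["gaps"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def describe(gaps, names=ATTACK_TECHNIQUES):
    """Render ranked gaps as readable strings for a report."""
    return [f"{t} ({names.get(t, 'unknown')}) used by {n} actor(s)" for t, n in gaps]


if __name__ == "__main__":
    for line in describe(prioritised_gaps()):
        print(line)
```

Running it prints the two uncovered techniques, with Remote Services ranked first because both constructed actors rely on it. The same shape scales to a real intelligence feed and control inventory; the point is that the matrix becomes a checklist you can compute over rather than only read.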
BN: The latest addition is MITRE Shield. What does this add to the knowledge base, and how can they be used in tandem?
CC: MITRE Shield uses the same successful matrix format as ATT&CK, but focuses on active defense and adversary engagement. Like ATT&CK, Shield is built on many years of real experience with threat actors and aims to provide a comprehensive and accessible knowledge base that can be used by any level security professional.
ATT&CK is focused on the potential paths attackers might follow, while Shield concentrates on what the defender wants to achieve, making it a much more proactive, assertive course of action. Using the two frameworks together can create a more effective, multi-layered defensive strategy.
The new framework is still a work in progress but will continue to grow and develop as more practitioners provide it with threat data. The hope is that Shield will foster conversation around active defense and bring more prominence to this new but growing field.
BN: The MITRE Shield frames situations around the defender and what they want to accomplish, for example how to contain and disrupt an operation. How does this differ as an approach?
CC: The MITRE ATT&CK Framework matrices start with different elements of the cyber kill chain. For example, a CISO could navigate to privilege escalation, investigate the various attack methods that attackers could use, and then decide how to counter and mitigate them.
Juxtaposing this, MITRE Shield starts with the security capabilities the organization wants to achieve. A CISO can begin with the detection matrix and look into various tools and techniques such as API monitoring, behavioral analytics, and the use of decoy networks.
Notably, Shield puts a great deal of emphasis on the use of decoys and other active defense strategies, resulting in a stronger focus on proactively engaging and combating adversaries. This focus ultimately changes the dialogue from what an attacker did to what an attacker might do and to whether the organization’s defenses are inadequate.
BN: What's meant by 'active defense' and what are the benefits of engaging with attackers in order to better understand and disrupt their activities?
CC: Cybersecurity has long focused on passive strategies. CISOs and their teams will assess their infrastructure and the critical assets they need to defend and build the defenses to protect it as best they can, updating and adjusting as they receive new threat data. It has then traditionally been a case of waiting for an attack to occur and hoping that the defenses will hold up. MITRE ATT&CK accordingly focused on helping decision-makers make the most informed strategic choices and investments possible.
Active defense is a more pre-emptive style of security. When an attacker attempts to breach the network, active defenses such as deception and concealment technology will protect critical assets by derailing the attacker, raising the alarm, and enabling the security team to gain vital threat intelligence by observing the attacker’s activity.
BN: How does deception fit into this framework?
CC: Deception technology has a prominent role in all eight of Shield's matrices, from collection and containment to detection and disruption.
The technology enables organizations to create decoy versions of their networks and the assets they contain. The aim is to lead the attacker in the wrong direction, tricking them into wasting their time and resources probing a fake environment. These decoys can be extremely authentic, fooling automated sniffer tools and standing up to the attacker's direct interaction.
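The "raising the alarm" half of what decoys do, described in the answers on active defense and on deception above, is a detection rule with an unusually good signal-to-noise ratio: a decoy account is planted in the directory and never used legitimately, so any authentication event naming it is an alert. The following is an added example, not code from the interview or from Attivo's products; the decoy account names, hosts, addresses and log format are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed decoy (canary) account names: planted in the directory, never used by
# any real person or service. Placeholders, not names from any real environment.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_fin_old"}

# Constructed sample authentication events in a simple key=value line format.
SAMPLE_LOG = """\
2024-05-01T10:01:02Z host=ws-017 user=jsmith result=success src=10.0.5.7 msg=logon
2024-05-01T10:03:44Z host=dc-01 user=svc_backup_legacy result=failure src=10.0.5.7 msg=logon
2024-05-01T10:03:45Z host=dc-01 user=svc_backup_legacy result=failure src=10.0.5.7 msg=logon
2024-05-01T10:05:10Z host=fs-02 user=adm_fin_old result=success src=10.0.9.21 msg=logon
2024-05-01T10:06:00Z host=ws-018 user=mlee result=success src=10.0.5.8 msg=logon
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
    r"\s+result=(?P<result>\S+)\s+src=(?P<src>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per event that touches a decoy account.

    Success and failure are both alerts: a failed logon already shows that someone
    found the account name, which only an intruder enumerating the directory would.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"] in decoys:
            alerts.append({
                "ts": ev["ts"],
                "src": ev["src"],
                "host": ev["host"],
                "decoy": ev["user"],
                "result": ev["result"],
            })
    return alerts


def by_source(alerts):
    """Group decoy touches by source address, so responders see what to contain first."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["src"]].append(a["decoy"])
    return dict(grouped)


if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_LOG)
    for src, decoys in by_source(found).items():
        print(f"{src}: touched decoy account(s) {sorted(set(decoys))}")
```

The per-source grouping is what turns the alert into the threat intelligence the interview mentions: the source address that probed a decoy account is the one whose other activity (the ordinary logons from the same address in the sample) is now worth pulling for review. The real discipline is operational rather than in the code: the decoy accounts must never be used by anyone, or the rule loses its zero-false-positive property.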