OVERVIEW
MITRE, a non-profit organisation, has recently developed an active defence knowledge base that complements the ATT&CK tactics and their corresponding techniques. MITRE Shield focuses mainly on limited offensive action and counterattacks against emerging cyber-attacks. Like the MITRE ATT&CK framework, MITRE Shield is organised into specialised tactics and techniques, in this case for defending against adversary groups.
Its main focus is proactive defence against emerging cyber-attacks in order to safeguard the organisation's networks and IT assets. It presents active defence concepts in the same structured way that MITRE ATT&CK® presents adversary behaviour.
MITRE ATT&CK framework
MITRE ATT&CK is an openly available knowledge base that helps you understand and become familiar with adversary tactics and techniques, based on real-world observations. In general, MITRE ATT&CK is a collection of attack techniques used by adversaries during breaches, and it is also used for defensive work such as threat modelling and threat hunting.
Active Defence framework
MITRE Shield is likewise a publicly hosted knowledge base of proactive countermeasures for actively defending against cyber-attacks; the primary focus of the active defence framework is to apply good cyber defence. MITRE Shield currently contains 34 techniques mapped against 8 active defence tactics:
- Channel
- Collect
- Contain
- Detect
- Disrupt
- Facilitate
- Legitimize
- Test
MITRE ATT&CK combined with MITRE Shield: using the two frameworks together offers the potential to create active defence playbooks that address specific adversaries.
FEATURES OF MITRE SHIELD
- Get familiar with active defence tactics and techniques
- Learn about active defence and adversary engagement
- Mappings to adversary groups
- Apply limited offensive action and counterattacks
- Prepare for new attacks in the future
ACTIVE DEFENSE TACTICS
Active defence is organised into well-categorised tactics, which allow defenders to choose a specific active defence technique to apply in active defence and adversary engagements. These tactics serve as useful ways to classify individual defensive techniques.
| Tactics ID | Name | Description |
|---|---|---|
| DTA0001 | Channel | Guide an adversary down a specific path or in a specific direction. |
| DTA0002 | Collect | Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity. |
| DTA0003 | Contain | Prevent an adversary from moving outside specific bounds or constraints. |
| DTA0004 | Detect | Establish or maintain awareness into what an adversary is doing. |
| DTA0005 | Disrupt | Prevent an adversary from conducting part or all of their mission. |
| DTA0006 | Facilitate | Enable an adversary to conduct part or all of their mission. |
| DTA0007 | Legitimize | Add authenticity to deceptive components to convince an adversary that something is real. |
| DTA0008 | Test | Determine the interests, capabilities, or behaviors of an adversary. |
ACTIVE DEFENSE TECHNIQUE
Each active defence technique describes something that defenders can do in active defence. The detailed information for each technique makes clear which tactics it supports.
| Techniques ID | Name | Description |
|---|---|---|
| DTE0001 | Admin Access | Modify a user’s administrative privileges. |
| DTE0003 | API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
| DTE0004 | Application Diversity | Present the adversary with a variety of installed applications and services. |
| DTE0005 | Backup and Recovery | Make copies of key system software, configuration, and data to enable rapid system restoration. |
| DTE0006 | Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0007 | Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
| DTE0008 | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
| DTE0010 | Decoy Account | Create an account that is used for active defense purposes. |
| DTE0011 | Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
| DTE0012 | Decoy Credentials | Create user credentials that are used for active defense purposes. |
| DTE0013 | Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
| DTE0012 | Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0013 | Decoy Persona | Develop personal information (aka a backstory) about a user and plant data to support that backstory. |
| DTE0014 | Decoy Process | Execute software on a target system for the purposes of the defender. |
| DTE0015 | Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
| DTE0016 | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| DTE0017 | Email Manipulation | Modify the flow or contents of email. |
| DTE0018 | Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
| DTE0019 | Hunting | Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc. |
| DTE0020 | Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0021 | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| DTE0022 | Network Diversity | Use a diverse set of devices on the network to help establish the legitimacy of a decoy network. |
| DTE0023 | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0024 | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| DTE0025 | PCAP Collection | Collect full network traffic for future research and analysis. |
| DTE0026 | Peripheral Management | Manage peripheral devices used on systems within the network for active defense purposes. |
| DTE0027 | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| DTE0028 | Protocol Decoder | Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic. |
| DTE0029 | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| DTE0030 | Standard Operating Procedure | Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable. |
| DTE0031 | System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
| DTE0032 | User Training | Train users to detect malicious intent or activity, how to report it, etc. |
| DTE0033 | Software Manipulation | Make changes to a system’s software properties and functions to achieve a desired effect. |