Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders.
We are developing this knowledge base as both unstructured (think writings like blogs and papers) and structured (think tables of things, related to each other with links) data. Our first release (see more below) focuses on the structured elements. Working with the data can be awkward, so our presentation here is in the form of a couple of organizing views or “mappings”, including a mapping between MITRE ATT&CK® and Shield. We foresee additional views into the knowledge base we are developing.
Shield is very much a work in progress; it is being released now not because it is complete, but because we think it is ready enough to stimulate conversations about active defense, adversary engagement, and the ways defenders can use them to change the game.
The U.S. Department of Defense defines active defense as “The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.”1 Within MITRE Shield, active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.
Adversary Group mappings have been added to MITRE Shield! Group mappings are based on information found in MITRE ATT&CK. This new information can be accessed via the ATT&CK Mapping menu or directly using this link.
In addition, we now include coverage for recently added ATT&CK Tactics Reconnaissance and Resource Development and many of their corresponding techniques.
Last, but not least, you can track all these changes using our new Updates page.
First and foremost, we are hoping for conversation. Our work is in service of a safer world, and we are interested in talking to others that think active defense and adversary engagement might be useful paths to that goal.
For the knowledge base, we have already seen opportunities in tweaking our data model, that is next, and we hope to share it in late 2020 or early 2021. As we continue to work with opportunity spaces, use cases, and procedures we see a natural progression to develop a playbook.
Of course, there will be additional knowledge base content. For the record, this will likely never be close to finished; the subject area is nearly infinite and limited more by imagination than anything. We do hope to analyze the coverage we are giving the landscape and ensure that we are including at least a bit of every type of thing that needs exposure.
We are very interested in feedback and suggestions. If you have information you think may be useful, please reach us at Shield@mitre.org.