Shield is a verb meaning to protect from a danger or risk, as well as a noun, meaning one that protects or defends. Like the word, our Shield knowledge base can be used in a variety of ways depending on a defender’s exact need.
This project began as the team documented techniques that could be useful in adversary engagement operations. MITRE has a rich history of work in cyber deception and adversary engagement so for the team, creating this knowledge base was a natural progression.
We wanted to raise awareness and stimulate conversation about defenders taking a less passive, more active mindset. We defenders are in a contest with adversaries who are determined and constantly evolving. To succeed, we need to better understand what cyber adversaries do, what’s working (and not working) in our defense strategies, and how we might shift the game to our advantage. That is what we see as the heart of an active defense. We recognize that to some “active defense” implies doing things that we simply do not touch upon, like offensive techniques. We feel these techniques fall outside the scope of what a typical organization might do and therefore do not fit into our current focus for MITRE Shield.
To be successful at deception and adversary engagement, you must use basic cyber defense techniques like collecting system and network logs, capturing PCAP, performing data backups, etc.
We think looking for opportunities in what attackers do is central to an effective active defense mindset. This has been somewhat organic or instinctive in our approach, but as we began formalizing what we are learning in Shield, we wanted to make it explicit. We’ve already heard comments like “I hadn’t thought of attacks as an opportunity before,” so we’re hopeful people are going to find this mindset useful!
Opportunity Spaces are high-level active defense possibilities that arise when attackers employ their techniques, while Use Cases are high-level descriptions of how a defender could act to take advantage of the opportunity that the attacker’s action presents.
In designing MITRE Shield, we tried to choose techniques that were “multi-use,” meaning the same technique could deliver different results depending on how it was applied. Our goal was to show that an organization armed with a core set of techniques could produce various outcomes depending on how they approached a problem and how they applied those techniques. We tried to choose techniques that were attainable and actionable for a wide array of organizations.
For the initial version of MITRE Shield, we decided to show how individual techniques could be applied, based on an adversary’s actions. We believe Shield’s modular design will allow organizations to combine techniques as their skills and tools allow. In the next version of Shield, we envision creating plays that involve one or more techniques. These plays will give defenders more robust options in their active defense arsenal.
We see the possibility of a future enhancement in this area. If you would find this to be useful or would like to contribute to this effort, please contact us.
All of the data used to generate this website can be found on our GitHub repo. The JSON data specifically can be found in the _data folder.