We have a blog! Check out MITRE Shield on Medium.

Papers

  • Introduction Paper: This whitepaper provides an introduction to MITRE Shield and how it relates to MITRE ATT&CK.
  • Getting Started with MITRE Shield: This paper gives defenders examples of how MITRE Shield can be leveraged. The examples start simple and build to show more complex solutions.

About Shield’s structure and terminology

A goal for Shield was to employ enough structure and rigor to be useful scientifically and to the practitioner, without becoming needlessly rigid or complex. We began with terminology found in the DOD Dictionary of Military and Associated Terms, as well as the United States Government Compendium of Interagency and Associated Terms:

  • Active Defense — The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.
  • Strategy — A prudent idea or set of ideas for employing the instruments of national power in a synchronized and integrated fashion to achieve theater, national, and/or multinational objectives.
  • Tactics — The employment and ordered arrangement of forces in relation to each other.
  • Techniques — Non-prescriptive ways or methods used to perform missions, functions, or tasks.
  • Procedures — Standard, detailed steps that prescribe how to perform specific tasks.

We modified those terms to fit the domain of cyber active defense. Our definitions:

  • Tactics are abstract defender goals. We have found it useful to have a categorization system that can describe the utility or purpose of the other elements in the knowledge base. For example, the tactic “channel” could label a specific technique, a planned set of techniques, or even an overall long-term engagement strategy.
  • Techniques are general actions that can be performed by a defender. A single technique may have several different tactical effects depending on how it is implemented.
  • Procedures are implementations of a technique. In this release, we include only simple procedures, intended to inspire additional thinking. Our goal is not to advocate for specific products, solutions, or outcomes, but to prompt organizations to think broadly about the options that exist. The dataset included in Shield is by necessity incomplete, because too many possible variations exist to document them reliably.

We also added some new terms:

  • Opportunity Spaces, which describe high-level active defense possibilities introduced when attackers employ their techniques.
  • Use Cases, which are high-level descriptions of how a defender could take advantage of the opportunity that an attacker’s action presents. Use cases help move the discussion toward a specific implementation. Note: We expect use cases to evolve naturally into plays in the next release of the knowledge base.

Using the Website

This site presents several different views into the Shield knowledge base, reachable from the navigation bar across the top. Dropdown menus give quick access to the site’s information. The matrix view provides a visual overview of active defense tactics and techniques. Separate tactic and technique menus are available for those who want to go straight to a specific item. The ATT&CK Mapping section of Shield lists the adversary tactics found in the ATT&CK framework. Each ATT&CK tactic has a dedicated page that lists the associated adversary techniques and how active defense can be applied to each one.