Liars and Saints: Demystifying Cyber Deception, MITRE Shield, and Active Defense (Part 1)
How MITRE Shield has turned cyber deception technology into a business imperative to deny a contested network to adversaries.
Just when you began to fully wrap your head around the MITRE ATT&CK framework, MITRE went and published a brand new framework for you to understand, called MITRE Shield.
Have you seen MITRE Shield mentioned in a recent publication or heard about it in a vendor pitch but were too embarrassed to ask what the heck it was? Don't understand deception technology or what its relevance to MITRE Shield is? You aren't alone. With Shield in its infancy, there's still much to be written and understood about this new framework and the concept it's founded upon: active defense.
This is part 1 in a series of articles I'm publishing on MITRE Shield, active defense, and how cyber deception technology fits into this narrative.
Who is MITRE
MITRE is a non-profit founded in 1958 to support U.S. government agencies through research and development. The late Robert Everett was among its founders, and today MITRE manages federally funded research and development centers (FFRDCs) from its headquarters in Bedford, MA and McLean, VA.
In short, FFRDCs are public-private partnerships that conduct research for the U.S. government on specific problems of national security and technology. As a class, FFRDCs have driven advances in radar, aircraft, computing and, most famously, the development of nuclear weapons.
MITRE became a "household name" in cybersecurity with MITRE ATT&CK, a knowledge base of adversary tactics, techniques, and procedures (TTPs) that it began building in 2013 and released publicly in 2015. Today, ATT&CK is the center of gravity for both sides of the market: vendors position and map their products against it, and defenders use it to perform gap analysis of their controls against known adversary TTPs.
What is MITRE Shield
MITRE Shield is a new matrix of tactics and techniques that tells defenders how to instrument their network for an active defense security posture. Shield distills more than ten years of MITRE's experience engaging adversaries on its own networks, spanning basic cyber defensive capabilities, cyber deception, and adversary engagement.
The premise behind Shield is to arm defenders with active defense: the employment of limited offensive action and counterattacks to deny a contested network and its assets to an adversary. While active defense is a novel concept in cybersecurity, it is an old one in military operations. The U.S. Department of Defense defines the term in its own doctrine, and M. Taylor Fravel's book Active Defense documents how the Chinese military has used the concept as its strategic posture since 1949.
In summary, Shield is a matrix of tactics and techniques for defenders, and MITRE has since coupled it with ATT&CK so that each adversary technique maps to the defensive techniques that apply in that opportunity space.
Shield currently defines eight tactics, each an organized container of related techniques in service of the tactic's end goal. Note that techniques repeat across the matrix: Shield is a many-to-many mapping, so one technique can serve several tactics and one tactic contains many techniques.
Channel: This tactic contains techniques that guide an adversary down a specific path in the network, away from production systems or network segments, using decoys or other "bread crumbs" created by deception technology. A bread crumb is bait: a synthetic file, credential, or even system that draws the adversary's attention away from real, production assets in the environment.
Collect: Techniques used to gather information about an adversary, specifically to learn their tactics, techniques, and procedures and the tooling they use to achieve their goals. An example is capturing and analyzing the custom malware or human-centric spyware they drop on a decoy.
Contain: Techniques that limit an adversary to a confined space under the defender's control, restricting pivoting to a synthetic environment built by the defender or to a specific enclave that's isolated from production systems.
Detect: Techniques that use network and endpoint detection and response systems, or any other security control, to lower the mean time to detection (MTTD) of an adversary who has established a "beach head" in the network.
Disrupt: Techniques that make it harder, or practically impossible, for the adversary to complete their objectives. This is typically done by layering different security controls with deception technology so that the real environment is indistinguishable from the synthetic one.
Facilitate: The opposite of Disrupt: techniques that let an adversary successfully complete part or all of their objectives, for example by leaving operating systems or applications unpatched, or removing security controls entirely, in a controlled environment such as a decoy system where their activity can be observed and contained.
Legitimize: Techniques that add authenticity to synthetic environments created by deception technology, such as synthetic activity logs of interactive user logons, running processes, cached Kerberos tickets, credentials in the SAM hive, etc. The goal is to increase the time and attention an adversary spends on a target before realizing it's a decoy.
Test: Techniques used to determine an adversary's interests, capabilities, or behaviors, for example by exposing a particular decoy and observing whether, and how, the adversary pursues it.
What is Deception Technology
Deception technology is a relatively new product category of security controls that creates a high-fidelity detection system: bread crumbs bait adversaries away from real, production systems, and any interaction with the bait exposes their lateral movement in the environment, lowering MTTD.
Until recently it was difficult for chief information security officers (CISOs) to understand where deception technology fits in their budget and in their security control framework, and so whether it's a need-to-have or a nice-to-have in their arsenal. Shield has made the case that deception technology is now a business imperative given today's reality that advanced ransomware or an adversary will establish a beach head: the question is "when," not "if." In 2020, prevention alone is no longer a realistic goal, which leaves CISOs working to shorten the time it takes to detect the adversary once a breach occurs.
Deception technology is now being adopted to improve detection and deterrence by targeting the tactic nearly every intrusion depends on: lateral movement, or pivoting.
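To make the "high fidelity" claim concrete, here is an added example (not the article's code, and not any vendor's) of the detection logic a deception deployment reduces to: decoy (honeytoken) account names planted as bread crumbs, and a detector that raises an alert on any Windows logon or Kerberos event that references one of them, from whatever source. The account names, host names and JSON event lines below are constructed for the example; the event IDs (4624, 4625, 4768, 4771, 4776) and field names (TargetUserName, WorkstationName, IpAddress, Computer) are the standard Windows Security log ones.

```python
import json

# Constructed decoy account inventory (hypothetical names). Each maps to where the
# bread crumb was planted, so an alert tells the responder which host the
# adversary must have harvested it from.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "saved RDP credential in Credential Manager on workstations",
    "sql_ro_reader": "connection string in a decoy ODBC DSN on developer machines",
}

# Sources whose use of decoy accounts is expected, e.g. the deception controller
# validating that planted credentials still resolve. Hypothetical host name.
EXPECTED_SOURCES = {"decept01"}

# Windows Security events in which TargetUserName identifies the account
# being authenticated: logon success/failure, Kerberos TGT request and
# pre-auth failure, NTLM credential validation.
LOGON_EVENTS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "kerberos TGT requested",
    4771: "kerberos pre-auth failure",
    4776: "NTLM credential validation",
}


def normalize_account(name: str) -> str:
    """Strip DOMAIN\\ and @realm qualifiers and lowercase, so CORP\\Svc_Backup_Admin,
    svc_backup_admin@corp.local and svc_backup_admin all compare equal."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS, expected_sources=EXPECTED_SOURCES):
    """Return one alert per event that touches a decoy account. No thresholds or
    baselining: a decoy has no legitimate use, so a single touch is the signal."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
            event_id = int(ev.get("EventID", 0))
        except (json.JSONDecodeError, TypeError, ValueError):
            continue  # malformed forwarder output: skip rather than crash the pipeline
        if event_id not in LOGON_EVENTS:
            continue
        account = normalize_account(str(ev.get("TargetUserName", "")))
        if account.endswith("$") or account not in decoys:
            continue  # machine accounts and real users never alert here
        source = str(ev.get("WorkstationName") or ev.get("IpAddress") or "unknown").lower()
        if source in expected_sources:
            continue  # the planting/validation job, not an adversary
        alerts.append({
            "account": account,
            "event_id": event_id,
            "outcome": LOGON_EVENTS[event_id],
            "source": source,
            "target": str(ev.get("Computer", "unknown")).lower(),
            "planted_at": decoys[account],
        })
    return alerts


# Constructed sample events, one JSON object per line as a log forwarder would emit.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "TargetUserName": "alice", "WorkstationName": "WS01", "IpAddress": "10.0.5.11", "Computer": "FS01.corp.local"}',
    '{"EventID": 4625, "TargetUserName": "CORP\\\\svc_backup_admin", "WorkstationName": "WS07", "IpAddress": "10.0.5.23", "Computer": "DC01.corp.local"}',
    '{"EventID": 4768, "TargetUserName": "svc_backup_admin@CORP.LOCAL", "IpAddress": "10.0.5.23", "Computer": "DC01.corp.local"}',
    '{"EventID": 4624, "TargetUserName": "sql_ro_reader", "WorkstationName": "DECEPT01", "IpAddress": "10.0.9.5", "Computer": "SQL01.corp.local"}',
    '{"EventID": 4624, "TargetUserName": "WS07$", "WorkstationName": "WS07", "Computer": "DC01.corp.local"}',
    "not json at all",
]


def run_sample():
    """Run the detector over the constructed events; two alerts are expected,
    both for svc_backup_admin used from WS07 / 10.0.5.23."""
    return detect_decoy_use(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two design points matter in practice. First, the decoy accounts should actually exist in the directory (disabled or with no rights) so that a Kerberos lookup fails the same way a real account would, rather than returning "principal unknown" and revealing the bait; the names must also never collide with real accounts, or the detector loses its zero-false-positive property. Second, the only suppression is the allow-list of sources that are supposed to exercise the decoys; everything else alerts on the first touch, which is what separates this signal from the threshold-based logic of most other detection controls.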
Many of the tactics defined in Shield are achieved with deception technology, including decoy accounts, decoy content, decoy credentials, decoy networks, decoy personas, decoy processes, decoy systems, and decoy diversity, which I'll cover in the next part.
In this first part of the Liars and Saints series, I explained what MITRE Shield is, how it works, how it differs from MITRE ATT&CK, and how defenders can use it to employ active defense in their organization. In part 2 of this series, I'll explain how MITRE has coupled ATT&CK with Shield to give defenders a mapping from specific TTPs defined in the ATT&CK framework to the active defense techniques that counter them, and how deception technology plays an integral part in an active defense model.
In the final part of the Liars & Saints series, I'll discuss Illusive Networks and how their deception technology, built on dissolving agents, is radically transforming the detection of human-centric spyware and of adversary lateral movement.
The MITRE Corporation. (n.d.). Active Defense Matrix. Retrieved November 12, 2020, from https://shield.mitre.org/matrix/
The MITRE Corporation. (n.d.). Mapping to Initial Access. Retrieved November 12, 2020, from https://shield.mitre.org/attack_mapping/TA0001/
Fowler, C., Goffin, M., Hill, B., Lamourine, R., & Sovern, A. (n.d.). An Introduction to MITRE Shield (Tech. Rep. No. 20-00398-1). The MITRE Corporation.