Thursday, September 24, 2020

By Maril Vernon, Fuel User Group Member (@shewhohacks)

MITRE ATT&CK has gotten a lot of recognition and support in recent years as a robust offensive security utility for those organizations mature enough to look proactively to defense. From MITRE-aligned testing tools to security provider backing, cybersecurity professionals are speaking a common language with regards to adversary behaviors. This month, MITRE impressed the cybersecurity community yet again when they upped the ante with another framework: MITRE Shield. 

If you’re new to MITRE and ATT&CK, we recommend you start with this article. 

What Is Shield?

As much as ATT&CK is a dynamic repository of adversary TTPs (tactics, techniques and procedures), Shield is a repository of active defense tactics and techniques to organize and navigate what we know about adversary engagement and counter defense measures.

As ATT&CK breaks down the tactic categories by stage of hack, Shield breaks down tactics by what the defender is trying to accomplish: collect, contain, disrupt, etc.

Each technique (individual in the tactic categories) can then be expanded upon to display tactic opportunity (DO), use case (DU), procedure (DP) and associated ATT&CK technique (T####).

How New Is Shield?

Very, very new! It was released August 2020 and MITRE notes it is by no means complete. The framework is in its early stages of development and will be in constant evolution throughout its entire lifespan. MITRE released it to drive the conversation of active defense and develop further updates to the framework around what surfaces.

Similarly, ATT&CK has been around since 2015 and just underwent a huge revision to include sub-techniques.

How Is Shield Used?

It is a reference framework and is meant to be utilized to form security and testing programs to provide quantifiable visibility over active defenses. In ATT&CK, you seek to improve your defense around removing as many factors from the “attack equation” as possible by identifying and placing controls around the various vectors of initial access, pivot, C2, exfiltration, etc.; in Shield, you can easily identify which defense controls can directly address ATT&CK TTPs.

Previously, users had to take an ATT&CK scenario and test for the various stages in the Cyber Kill Chain framework on their own by making the best guess at adversary emulation. Now, users know definitively what defenses are available and can enable and test those much more readily.

Example: How Shield Can Be Used in Conjunction With MITRE ATT&CK

Our defender knows her adversaries use the ATT&CK technique Network Service Scanning (T1046) to footprint remote hosts and identify services running on open ports. Given this, she can use the Decoy System (DTE0017) page of Shield’s ATT&CK mapping to see what opportunities she has for defense and finds that “there is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique” (DOS0005). How can our defender take advantage of this opportunity? The use case (DUC0007) begins to reveal that a defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.

Our defender now has the makings of a high-level plan. When she gets to planning the specifics, she will employ the listed Shield technique Decoy System (DTE0017) hoping to lure and detect the adversary.

According to MITRE Shield, “a decoy system is a computing resource presented to the adversary in support of active defense.” The underlying system can be real, virtual or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc.” Information on how to implement monitoring and mitigate this attack technique can be found in the Detections section for the ATT&CK technique Network Service Scanning (T1046).

What Does Shield Mean for Me?

According to its creators, “Leveraging ATT&CK along with MITRE Shield offers the potential to create active defense playbooks to address specific adversaries” Jeremy Singer, MITRE Corp. In other words, why leave your defense to guesswork? Understand the adversary’s behaviors in an attack (ATT&CK) and suggest real-world active defenses against them (Shield) and the scenarios in which those defenses can be put to use. Then use your monitoring medium to confirm it’s happening and you’re that much more likely to thwart an attack attempt.

After all, risk is identified as likelihood multiplied by impact. If you remove as much of the likelihood in that equation as you can, you enter a place of security assurance versus hope.

Does Shield Actively Protect Me?

No, this is a reference framework and not a security tool. As with all tools, you need to know how to utilize it effectively to draw out its maximum benefit.

Does Shield Have Any Association With the TV Show?

Sadly, no. There are no MITRE agents running around in fancy nanotech suits with actual shields made of vibranium.

Maril Vernon, aka “@SheWhoHacks,” is a penetration tester and PluralSight author with courses published on Red Team tools and MITRE-driven testing methods. Since entering cybersecurity in 2018, Maril achieved seven certifications in pentesting and security, accelerating her career in unprecedented time. Recently, Maril was also a contributing editor of the latest CIS AWS Foundation Benchmark for cloud security.