We recently released the MITRE Shield Active Defense Knowledge Base — which was developed from our first-hand experience with defending MITRE’s corporate network. Since then, we’ve gotten many questions about Shield and our approach to active defense. We’d like to take a step back and answer some of these key questions. While these do not reflect all of the questions we have received, they do address topics that have been asked multiple times.
Why did you choose to call Shield an ‘Active Defense’ knowledge base?
We wanted to raise awareness and stimulate conversation about defenders taking a less passive, more active mindset. We defenders are in a contest with adversaries who are determined and constantly evolving. To succeed, we need to better understand what cyber adversaries do, what’s working (and not working) in our defense strategies, and how we might shift the game to our advantage. That is what we see as the heart of an active defense.
We recognize that, to some, “active defense” implies doing things that we simply do not touch upon, like offensive techniques. We feel these techniques fall outside the scope of what a typical organization might do and therefore do not fit into our current focus for MITRE Shield.
Why does a technique appear in many different columns in the Shield matrix?
In designing MITRE Shield, we tried to choose techniques that were “multi-use,” meaning the same technique could deliver different results depending on how it was applied. Our goal was to show that an organization armed with a core set of techniques could produce various outcomes depending on how they approached a problem and how they applied those techniques. We tried to choose techniques that were attainable and actionable for a wide array of organizations.
What is Opportunity Space?
We think looking for opportunities in what attackers do is central to an effective active defense mindset. This has been somewhat organic or instinctive in our approach, but as we began formalizing what we are learning in Shield, we wanted to make it explicit. We’ve already heard comments like “I hadn’t thought of attacks as an opportunity before,” so we’re hopeful people are going to find this mindset useful!
Why are there only single-technique approaches in this version of MITRE Shield?
For the initial version of MITRE Shield, we decided to show how individual techniques could be applied, based on an adversary’s actions. We believe Shield’s modular design will allow organizations to combine techniques together as their skills and tools allow. In the next version of Shield, we envision creating plays which involve one or more techniques. These plays will give defenders more robust options to have in their active defense arsenal.
How can I programmatically work with the data in MITRE Shield?
We provide the MITRE Shield data in JSON format for those wishing to use it. You can find the data on our GitHub repo in the _data folder.
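As an added illustration (not code from the Shield repo), the snippet below parses a Shield-style JSON document, rebuilds the matrix columns, and lists the “multi-use” techniques that appear in more than one column. The field names, IDs and sample entries are constructed assumptions; the real files in the `_data` folder may be laid out differently.

```python
import json
from collections import defaultdict

# Constructed sample modelled on a Shield-style export. Field names and IDs are
# assumptions, not the repo's actual _data schema; real files load the same way.
SAMPLE_JSON = """{
  "tactics": [
    {"id": "TAC-1", "name": "Detect"},
    {"id": "TAC-2", "name": "Disrupt"},
    {"id": "TAC-3", "name": "Collect"}
  ],
  "techniques": [
    {"id": "TEC-1", "name": "Decoy Credentials", "tactics": ["TAC-1", "TAC-2", "TAC-3"]},
    {"id": "TEC-2", "name": "Network Monitoring", "tactics": ["TAC-1"]},
    {"id": "TEC-3", "name": "Decoy System", "tactics": ["TAC-1", "TAC-3"]}
  ]
}"""


def load_shield(text):
    """Parse a Shield-style JSON document into (tactic id -> name, technique list)."""
    data = json.loads(text)
    tactics = {t["id"]: t["name"] for t in data["tactics"]}
    return tactics, data["techniques"]


def build_matrix(tactics, techniques):
    """Map each tactic column (by name) to the sorted technique names it contains."""
    columns = defaultdict(list)
    for tech in techniques:
        for tac_id in tech["tactics"]:
            if tac_id not in tactics:  # catch dangling references in the data
                raise ValueError(f"{tech['id']} references unknown tactic {tac_id}")
            columns[tactics[tac_id]].append(tech["name"])
    return {name: sorted(names) for name, names in columns.items()}


def multi_use(techniques, min_columns=2):
    """Names of techniques that appear in at least `min_columns` matrix columns."""
    return sorted(t["name"] for t in techniques if len(set(t["tactics"])) >= min_columns)


if __name__ == "__main__":
    tacs, techs = load_shield(SAMPLE_JSON)
    for column, names in build_matrix(tacs, techs).items():
        print(f"{column}: {', '.join(names)}")
    print("multi-use:", multi_use(techs))
```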
As we move forward, we will be releasing key information to help organizations — both big and small — understand how they can leverage MITRE Shield to be more effective defenders, and how CISOs and leadership can find value in an active defense. Be sure to check back for regular updates and follow our LinkedIn page for more information.
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20–00398–8.