Three Simple Ways to Deploy an Active Defense with MITRE Shield

Mike Goffin
Published in MITRE Shield
Sep 25, 2020

(Note: Content in this post was consolidated from previous items written by the Shield team: Christina Fowler, Mike Goffin, Bill Hill, and Andrew Sovern)

MITRE Shield is an Active Defense knowledge base that was developed from our first-hand experience with defending MITRE’s corporate network. Many of the techniques found in MITRE Shield are foundational security techniques — the cornerstones upon which good active defense is built. These techniques make MITRE Shield accessible and actionable to organizations regardless of size or sophistication.

This post builds on the information provided in our papers:

Introduction to MITRE Shield

Getting Started with MITRE Shield

The Shield Matrix

The relationship between Shield tactics and techniques is illustrated in the Shield matrix. The matrix consists of columns where we outline our defender tactics, and within each column are the relevant techniques. In designing Shield, we tried to choose techniques that were “multi-use”, meaning that the same technique could deliver different results depending on how it was applied. As a result, you will see the same techniques displayed in multiple columns within the matrix.

Applying MITRE Shield to Create an Active Defense

How can you use MITRE Shield in your organization? Let’s look at a few examples of how a defender could add active defense capabilities. These scenarios show how Shield can be simple and effective. Each of these examples is an easy win that defenders can use to enhance a defensive posture regardless of the size, skills, and available resources of your team or organization.

Once you have deployed some of the simpler Shield techniques, you might want to work over time to build more intricate capabilities depending on your needs, interests, and the growth of your team and organization.

# 1: Removing Admin Access

As a defender, you have a goal of disrupting adversary activity. You identify that adversaries often need elevated privileges to perform certain tasks. Surveying the list of available techniques under Disrupt, you decide to explore Admin Access to see what level of effort might be involved in its implementation.

The opportunity space (DOS0029) “There is an opportunity to block an adversary’s intended action and force them to reveal additional TTPs” seems to align with the goal. Reviewing the use cases shows you that removing admin access will prevent an adversary from performing some exploitation activity. You find additional information in procedure (DPR001) “Remove an account’s administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks.”

You know that removing admin access is something that you or your team can accomplish. You decide to remove Admin Access from all users on your network, hoping that this will disrupt adversary activity and prevent them from accomplishing their mission.

# 2: Detecting Activity with Decoy Credentials

You have identified an ATT&CK Technique (Valid Accounts) where adversaries may try to obtain and use the credentials of valid users to perform certain tasks. Reviewing the ATT&CK Mapping in Shield for Valid Accounts, you identify two active defense techniques of interest: Decoy Account and Decoy Credentials.

Reviewing the details page for both techniques, you see Opportunity Space (DOS0005) and Use Case (DUC0005), which allow for the detection of an adversary. You decide that you can create a user account that does not correspond to an actual user and set a password for the account. You then log in as the decoy user account on various computing resources within the network, to store the decoy credentials on those systems.

Because no one should be using the decoy account, you can set account restrictions, such as denying logon attempts or locking the account. You can monitor for any login attempt to the decoy user account and detect an adversary who may have harvested credentials from machines and is seeking to use them.

# 3: Detecting Activity with Decoy Content

In this case, you are trying to counter a cyber adversary who has a history of targeting your organization. You do not know if the adversary still maintains a foothold but are curious if you can detect their presence if they do.

You outline some folder names that might be of interest to the adversary and create them as Decoy Content. You and your team put them on network shares and systems, then set up monitoring for anyone attempting to access the folders.
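The monitoring described in examples 2 and 3, as an added detection example that is not part of the original post: it runs over constructed Windows Security events (the field names and event IDs are assumptions about the telemetry source), the decoy account and decoy folder names are hypothetical, and it raises an alert on any logon attempt with the decoy account and on any access to the decoy folder.

```python
"""Detection logic for decoy credentials and decoy content (added example)."""

# Hypothetical decoy objects; replace with the names you actually seeded.
DECOY_ACCOUNTS = {"svc-backup-ops"}              # decoy user, never used legitimately
DECOY_PATHS = (r"\\fs01\shares\Board-Minutes",)  # decoy folder on a file share

# Windows Security event IDs (assumed source): logon success/failure,
# Kerberos TGT/service-ticket requests and pre-auth failures, and object
# access (4663 is only logged if the decoy folder carries an audit SACL).
LOGON_EVENTS = {4624, 4625, 4768, 4769, 4771}
ACCESS_EVENTS = {4663}


def classify(event):
    """Return an alert dict if the event touches a decoy object, else None.

    Any logon attempt, successful or denied, counts: the account exists only
    to be harvested, so any use of it indicates stolen credentials. Exclude
    the defender's own seeding logons by time window or source host.
    """
    eid = event.get("EventID")
    who = event.get("TargetUserName", "").lower()
    src = event.get("IpAddress") or event.get("WorkstationName") or "?"
    if eid in LOGON_EVENTS and who in DECOY_ACCOUNTS:
        return {"kind": "decoy_credential_use", "account": who,
                "source": src, "event": eid}
    if eid in ACCESS_EVENTS:
        obj = event.get("ObjectName", "").lower()
        for path in DECOY_PATHS:
            if obj.startswith(path.lower()):
                return {"kind": "decoy_content_access", "path": obj,
                        "account": event.get("SubjectUserName", "?").lower(),
                        "source": src, "event": eid}
    return None


def scan(events):
    """Run classify over an iterable of events and keep only the alerts."""
    return [a for a in map(classify, events) if a]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "svc-backup-ops", "IpAddress": "10.0.0.77"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": r"\\fs01\shares\HR\payroll.xlsx"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.77",
     "ObjectName": r"\\fs01\shares\Board-Minutes\2020-Q3.docx"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Feed the same classify function from your SIEM's event stream; a denied logon with the decoy account (4625 above) is the signal the post describes, since the account restriction guarantees that no legitimate logon ever succeeds.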

What’s Next?

Now that we have covered some basic use cases, our next blog entry will step back and answer some of the questions we have received since MITRE Shield was launched.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20–00398–6.
