Select Page

Jun 22, 2021

Active Defense with MITRE Shield Framework


MITRE’s introduction of Shield late last year has received widespread industry attention. Affectionately referred to as the “younger cousin” of the renowned MITRE ATT&CK framework, Shield is an active cyber-defense knowledge base from the defender’s perspective. As an early adopter of ATT&CK, Hillstone Networks has been paying close attention to the development of MITRE Shield.

At the RSA 2021 Conference, MITRE’s Dr. William Hill, Chief Information Security Official and Dr. Stanley Barr, Senior Principal Deception Researcher, gave a presentation titled, “A Primer: Get Started with MITRE Shield.” Following are insights gained from the session, as well as thoughts on how Shield can benefit IT personnel and their mission to defend the network.

A Difference in Perspective

MITRE ATT&CK is a knowledge base, continuously updated since 2013, showing the tactical, technical, sub-technical, procedural, and other elements involved in launching an attack from an attacker’s perspective. After several major improvements and updates, the latest ATT&CK knowledge base includes enterprise, mobile, and industrial control system matrices.

Unlike ATT&CK’s adversary perspective, the MITRE Shield knowledge base takes the defender’s perspective, starting with defense tactics and defense techniques in a matrix similar to ATT&CK. Currently, Shield includes eight defensive tactics that defenders can use to accomplish their objectives. These broad “umbrella” categories include channel, collect, contain, detect, disrupt, facilitate, legitimize, and test.

Underneath the tactics umbrella are 34 defense techniques that further define and refine the methods involved in the defender’s goal. The entire Shield matrix includes the basic technologies needed for active defense, including general cyber defense, cyber deception, and adversary engagement. Not only does the MITRE Shield help defenders better respond to current attacks, but it also helps security teams gain a deeper understanding of attackers and prepare for new attacks in the future.

Figure Note: MITRE Shield matrix diagram

The Latest Developments in MITRE Shield

At RSA 2021, Dr. Barr presented ideas for improvements to the MITRE Shield, including optimization of defense methodologies, enhanced data collection and detection capabilities, improved defense planning and analysis, and improved defense techniques such as blocking, guidance, and interference. In addition, Dr. Stanley spoke about some of the recommendations made by the security community since Shield’s release that will be considered in the next version.

Hillstone Networks is Committed to MITRE Shield Active Defense Technology

Because MITRE ATT&CK is widely used by security vendors to measure maturity and detect gaps in security capabilities, MITRE Shield provides a mapping section to ATT&CK. Each ATT&CK technique lists the applicable corresponding active defense information.  For example, in the mapping table of attack and defense relationships (partial sample shown below), we can see the attack techniques for an ATT&CK technique (e.g., T1589) and Shield’s defense techniques (DTE0010 and DTE0015).

Note that there are two other columns in the map, Opportunity Space and Use Case. The Opportunity Space column describes the high-level possibilities for detecting the attack technique, while the Use Case is a description of the specific defense usage scenario that security staff can use to take advantage of the Opportunity Space.

Figure Note: MITRE ATT&CK and Shield Relationship Map

By describing various defense technologies in the context of the tactics, techniques and procedures (TTPs) of ATT&CK, Shield can help speed up the process to build up active defense capabilities. It is worth mentioning that these defense techniques are derived from multiple years of experience from Red Team and Blue Team engagement. The knowledge has strong practical significance for IT teams to plan and implement an active defense strategy.

For many years, Hillstone Networks has adopted active defense strategies in security products such as honeypots on breach detection systems and low-interaction deception techniques. With the continuous addition and improvement of MITRE’s Shield knowledge base, we believe that this knowledge framework will provide systematic, high-level, actionable guidance to enterprise network security defense teams.