About the talk
Meet MITRE ATT&CK’s younger cousin: MITRE Shield! MITRE InfoSec leaders will dive into Shield, a new, active defense knowledge base focused on foundational techniques for deception and adversary engagement. The presentation will unpack the knowledge base and how to use it—from strategy setting to implementation. Newbies and advanced practitioners alike will gain useful resources to get started.
Christina Fowler is the Chief Cyber Intel Strategist within MITRE InfoSec and leads the Cyber Threat Analysis Cell, which includes malware analysts, intel analysts, DevOps, and adversary post-exploitation research. Mrs. Fowler has over 20 years of experience in cyber investigations, focused threat analysis, network security and implementation, and IT management. She previously served as a member of the Board of Directors for the National Defense ISAC. She is a recognized expert within the Defense Industrial Base and U.S. Federal Law Enforcement Communities on technical matters relating to cyber deception, computer forensics, computer crime investigations, and network security. Mrs. Fowler received a bachelor’s degree from Clemson University and a master’s degree from Webster University.
Bill Hill is the Chief Information Security Official (CISO) of The MITRE Corporation, responsible for overseeing information protection governance and defending corporate systems and networks. He leads a team that blends innovations in threat-based defense and shared risk management with best practices and compliance. Hill oversees an operational defense that seeks continuous improvement against an evolving Advanced Persistent Threat, combining both local innovation and deep technical analysis with aggressive threat and intelligence sharing partnerships. Prior to becoming CISO, Hill was a Chief Information Systems Engineer at MITRE, leading teams supporting a variety of Department of Defense and Intelligence Community agencies in their IT and security projects.
Hello, I'm Bill Hill, and with me is Christina Fowler. We're here to introduce you to a newly public resource called MITRE Shield. Our public-private partnerships and federally funded R&D centers work toward the safety, stability, and well-being of our nation. Although this talk is pre-recorded, we will be live in chat, so as we're going along, feel free to put questions in the chat window and we'll try to answer. So anyway, with MITRE Shield we're hoping to introduce some ideas that are new and hopefully game-changing. So let's jump in.

Shield is an exposition of ideas that we collectively call active defense, with a particular emphasis on deception. We've been using a variety of these ideas for over ten years now in the defense of our corporate network. A bit about us personally: although I'm MITRE's CISO, I tend to be a pretty hands-on guy and skeptical of traditional passive security defenses. I think it's all based on experience, practical lessons learned, and demonstrated value.

So what does active defense really mean? We looked around for a definition in cyber and other domains, and we haven't found one that totally fits, and we haven't come up with one ourselves either. It's tricky, because it means a lot of things. What it does mean, and don't send me hate mail about this, is taking an active role in your own defense: more than just putting defenses out there and forgetting about them. So it includes a wide variety of things. We've listed some of them, but really the hallmark of it, the foundation of it, I think is an attitude. It's understanding the idea that you're going to fight with an intelligent, adaptive, determined adversary who wants to win, and the hallmark of active defense means that you as a defender are going to be intelligent, informed, active, and determined to counter that adversary, and you're going to try to learn more than they do as you go forward. So Shield is about showing you some of the ways you might think about doing it.

A little bit of background about how we came to this. We came to this through necessity. A little over ten years ago we had an active APT, and at that time very little was known about how that adversary operated. So an important decision for me: first, we were going to study, observe, and learn enough about them to keep them out. Second, once we did that, we wanted to continue that kind of learning, but do it in a way that didn't endanger our systems or our data. So our adversary engagement program was born. We did eject the APT, and it's been helping us be better defenders ever since.

Playing the old game without that meant that the adversary chooses the time, the place, and the manner of the engagement, and they're doing almost all the learning. So what we wanted to do was challenge the adversary's control of that and start influencing the time, the place, and the manner of the engagement, and do it in a way that maximizes our learning and denies them learning. So what do we mean by this? Let me give you an example, walking through what that looks like. Say we have a piece of malware; we've identified maybe an attachment that was emailed to us. We can place that on a special defender network, run it, and see what happens. What happens is it phones home to the attacker, who then uses our own system to continue the exploitation and then attack us, either on that system or moving laterally, or whatever, until they achieve their objectives. But in our case this network is synthetic; we've created it for this purpose, and the systems are instrumented so that we can collect the network traffic with tools and observe what the adversary does. That's what we mean when we're talking about adversary engagement. This idea of adversary engagement has helped our thinking and inspired us to create Shield. But it's part of a bigger thing that we've called active defense. If you want to improve your defenses, you need to take what you're learning there and use it throughout all your defenses. So that means changing your engineering, reconfiguring the defenses to take advantage of what you're learning. So that's the Shield origin story, and Christina's going to go into a deeper dive on Shield itself.
So let's look at what Shield is when we say active defense knowledge base. When you go to the Shield website at shield.mitre.org, what you'll see is a compilation of information that allows you as a defender to counter your adversaries. We're going to talk to you about opportunities that exist for you as a defender, things that you can do that you may not have thought about before. We're going to give you techniques that you can use. We're going to talk about tactics and goals and how you can achieve those. And we're also going to link the information to MITRE ATT&CK. We feel that MITRE ATT&CK is a very good view of what adversaries do and what capabilities they have, so we link the Shield information, the defender side, to that adversary side. The goal of all of this is to stimulate thinking about what's possible. We're not going to give you all the solutions, because every network is different, because every team has different skills and different tools. We couldn't possibly give you all the solutions, but we want to get you started down that path.

So the first thing I want to do is call out a couple of key pieces of the MITRE Shield website. The first one I want to call out is the matrix. If you're familiar with MITRE ATT&CK, it's very similar; it's formatted in a very similar manner. Across the top you're going to have a group of tactics. There are eight of those in this version of MITRE Shield, and those are the things that you're going to seek to do: your goals, what you want to accomplish. Then within the body of the matrix, the individual cells are the techniques that you're going to use, and some of those are repeated. We'll talk a little bit more about how this matrix works a little later, but I want you familiar with it as we go through.

The other part of the Shield website that I want to call out is the ATT&CK mapping section. If you're a MITRE ATT&CK user, this section is going to be useful to you. The way that section is laid out is: we give you a MITRE ATT&CK technique, which is what the adversary is going to do. We then give you an opportunity space, something for you to consider, something that you the defender can gain when an adversary does a certain thing. We also give you a use case. A use case moves toward implementation; again, not a specific implementation, but something that you might consider when you're planning your active defense. And the technique is the actual tool that you're going to use, how you're going to get through that implementation and accomplish that opportunity.

What does that look like at a top level? We just kind of summarize that vocabulary there for you. An opportunity space is what you can gain. A tactic is what's your goal. A use case is what's your plan. A technique is how do I do it. So let's dive deeper. Opportunity space: what can you as a defender gain from implementing active defense? We often talk about the adversary being in control. With opportunity space we're trying to flip the perspective. What can you as a defender get? How can you as a defender change the battlefield, change the time, and ultimately change the outcome? Because ultimately the goal is that you want to be in control of the game, of the fight, of the battlefield.

Tactics are those things you want to accomplish, those goals. When you're looking at these, there are eight of them. Think about what your organization wants to get out of active defense. Do you want to move an adversary a certain way and channel them? Do you want to collect all their stuff: collect their malware, collect their TTPs, collect their behaviors, collect their indicators? Do you want to contain them, keep them in a box, keep them in a certain area of your network? Do you want to detect them, just know that they're there? Disrupt them and make them go away? We're also going to do some things like facilitate: help them along. Legitimize: make all your deceptions, all your decoys, look real. And test: validate the things that you think you know.

Use cases, we talked about those; they move toward implementation. Again, implementation is all going to be specific to your organization, specific to your tooling, specific to what you have in place, your skills, and your resources. So our use cases in Shield are just ways to make you think about these, illustrations of the possible. Something like seeding a decoy system with credentials: however you choose to do that, it may be a real system or a decoy; however you choose is up to you. We're just going to give you some options that you might consider.

And then techniques. Techniques are the actions you're going to take, what you're going to do. The techniques in Shield are versatile, and they are designed to give you multiple options in many cases. So one technique applied one way can allow an adversary to do something; that same technique applied a different way can block an action or keep them from doing something. In this version of MITRE Shield there are 33 techniques, and we believe those 33 techniques are extremely powerful for you as a defender. I invite you to look at each of those and see which ones you're already comfortable doing. You may do them today, like create an account. So creating a decoy account that's used for active defense purposes may not be a stretch at all. It may be a very low barrier to entry and an easy thing to start with. So look at the techniques and see how they may work for your organization.

So let's talk about the Shield matrix one more time. In this matrix, when you're starting to look at how you can apply Shield, one of the things that makes it a little easier is when you carve up the matrix and look at how you might apply it. You might want to start in the first five columns. We really believe those first five columns are applicable to everybody. So maybe you're going to channel your adversary, move them away, collect all their stuff, all those fun things. Again, these are your goals. You're going to look down the columns of these goals and say, which techniques am I doing now? Maybe I'm already creating decoy accounts and decoy credentials. Maybe I can create decoy content very easily. So this is a good starting place. As you move into your familiarity with Shield and get more comfortable with it, then you might move toward the last three columns, which are geared toward adversary engagement environments, where you're going to put your adversary in a decoy network and you want them to stay there as long as possible. You want them to expend as many resources as possible, show you their TTPs, give you their malware, and really let you observe them firsthand. So you're going to want to facilitate, help them along. You're going to want that environment to look so realistic that they don't know they're in a decoy network, so that's going to be the legitimize goal. And take what you think you know about an adversary: maybe you think they have a certain capability, or you don't think they're after a certain type of information. All those things can be validated through the test tactic. Now there are some pieces that you'll apply in other areas, like legitimize; you want your decoys to look legitimate. But your overarching goal is going to be channel, collect, contain, detect, unless you're in adversary engagement, where the overall goal is to make things look as legitimate as possible. So again, to reiterate, the first five columns are where we want people to start and get comfortable.

As you're getting started with MITRE Shield, you're going to look down these columns and you're going to see techniques repeated. We do that because we believe those techniques have a lot of power. So a single technique applied one way can allow an adversary to do something; you can also deny an adversary from doing something. So in that power, as a defender, you choose what you want to do. So don't be afraid that these techniques are repeated. It's by design.

So let's talk about some use cases. So I've kind of seen the techniques, I've seen the tactics, the opportunities, the use cases: how do I make this all work in my environment? Let's start with a very simple use case. I want to use MITRE Shield to detect the presence of an adversary. So you know your goal; your goal is to detect. You go and look across the matrix and you see detect. You then go down that column and say, okay, of all the techniques in the detect tactic, what do I want to use? And I just mentioned decoy accounts and decoy credentials, passwords. Those are things you do every day; many companies create accounts constantly and put passwords on accounts. So I choose to use decoy credentials. I can create decoy credentials. I can sprinkle those credentials among the systems, either in secure enclaves, sensitive systems, or anywhere else in my network, however I might choose to do it. And then I can set up monitoring and say: if those credentials are used, they shouldn't be, so if they're used, that signals badness, activity that I care about, that I want to investigate further.
That is, in its easiest form, a use case for Shield. Let's talk about one a little deeper, and also one a little fresher in our minds. Many people may have seen this chart, and if you haven't, it comes from a Microsoft blog about the SolarWinds intrusion that came out in December. Many companies were victims of this attack. From reading the blog and reading the information on the SolarWinds attack, what we can see is that the adversary brings down malware, or malware is brought down. That malware inspects the environment that it comes into. If you were using deception, and you were using Shield, and you knew the adversary's TTPs in advance, you could have planted some decoy processes that look like security software, and when the adversary's malware inspected it, the malware would have shut down. Yes, you would have had to plan ahead; you would have had to know this adversary's TTPs; you would have had to study them before, or read articles about them, to do this.

So let's say you missed that opportunity. The malware continues on; it gathers information about the system. Again, you could have planted some decoy content within your network that the adversary's malware would have grabbed and pulled in with all the other information. And now the adversary has a mix of decoy data and real data, and they have to be able to discern which is which. Maybe they can't do that, and maybe it throws off or influences the rest of their work and activity in your network. That's the beauty of deception: the adversary doesn't know the legitimate information from the fake information. So you missed that. The malware continues on; the adversary gets hands on keyboard. One of the first things that the adversary is going to do is look to escalate privileges or compromise credentials. So you could have created those decoy credentials and seeded them throughout your network, as we talked about before. Any time you see those credentials being used, you would know that an adversary was present. The last thing that you could have done is you could have created a decoy system or decoy network, pushed the adversary into it, and then let them stay and expend resources and show you TTPs, and you could just watch them and gather all that intelligence and reapply it to your defenses later on. So I just want to use this to show you that as you research an adversary and you learn their TTPs, you can always go back and apply those things to your network and improve your defenses, because maybe you didn't catch them this time, but you'll be ready for them the next time they come.

One more use case. Let's go back to the slide that Bill showed you, where we talked about adversary engagement. How does this actually work? How do you make this happen? All the elements of Shield come from adversary engagement; Bill told you that. So if you're going to do this, what you're going to do is build a full decoy network. You're going to have a collection of decoy systems within it, with decoy accounts, decoy credentials, all that fun stuff. You're going to instrument that network with monitoring: packet capture, system monitoring, network monitoring, you name it. You're going to make sure that everything you have in that network meets your needs and goes toward the goal that you have in mind. You're then going to take malware that you obtained and detonate it on that system and in that network. And then you're going to have a little fun. As the adversary engages, you're in control of that battlefield, you're in control of the time, you're in control of the outcome. So you can adjust your security controls to get to the outcome that you want. Maybe you let them go a little deeper into that deception network. Maybe you close them off and see if they expose some other capabilities. But your whole goal here is to learn as much about your adversary as possible and then feed all that information back into your overall network defenses. At the end of the day, you have a much better security posture, because the information that you're feeding into your defenses is first-hand observed information.

So Christina's talked about Shield in some detail, and one of the things I want to come to is: how do you get started? I know that's the question, but there's no single answer to that. A lot of it is your mileage may vary, depending on where your team is right now. We do believe that these approaches are accessible to everyone, big and small, and that you can develop them over time. So the good news is, I think the first step is pretty easy, because the first step in doing this is developing sort of that scrappy street fighter attitude. It says: I know I'm in a fight, and I want to be in that fight; I'm sorry for the guy on the other side. Once you get past those first steps, you're definitely in your-mileage-may-vary territory. If your team is not familiar with a lot of this, then the starting place is things like threat sharing, threat-based defense, where your defense is based on what you can learn about those that are attacking you, and really developing your community connections. If your team is already comfortable with those things, you can move on, and that's where things like adversary engagement can come in. And that does not have to be a super sophisticated thing. You can get started on a shoestring; that's how we did. My first environment was pretty simple, and yet it did get the job done.

So I think the other thing is the gotchas: what should I be wary of as I enter the space? I think both Christina and I have some lessons learned there. Christina, do you want to start?

Sure, absolutely. So I think the most important thing is to start cultivating that management support, making sure your manager's on board with what you're trying to do. And even if your manager's on board, what about your legal department? How are they going to feel about this? Deception is one thing; adversary engagement is something totally different. So make sure you're building that support as you go, because the last thing you want to do is be ready to implement and realize you have no support behind you. Look at what you can do for your team. Can you use adversary engagement to add to your incident response capabilities and your skills? Grow your team using this hands-on experience. Can you let your team just have a little fun going toe to toe? Everybody likes a good fight, right? Can you just have fun with your team and let them not just implement firewalls and antivirus, but go toe to toe day in, day out? So depending on who you're talking to, you can talk to your CISO about retention factors.

This is definitely skill-building. It definitely allows you practice. It helps you get better at what you're doing. And yes, the team does like it, and some of our most creative people have been around, have been with us for a long time, and I think in no small part because they feel like they're doing something different and something that actually is working. So that said, I think we're wrapping up here. We want to continue the conversation with anybody that's interested. This is an initial effort; it's definitely not finished, and we know that. But if you are interested in these things, we'd love to hear from you and would be interested in building a community around these ideas. So let us know. And thanks. Thank you for listening.
With ConferenceCast.tv, you get access to our library of the world's best conference talks.