Illusive Blog September 3, 2020

MITRE Shield Tactics Confirm that Deception Is Essential

By Matan Kubovsky

We recently wrote about MITRE Shield, just after the initial release. In this article I’ll go into more detail about the specific capabilities the Illusive platform provides, and how they map to the MITRE Shield framework.

View an on-demand webcast on MITRE Shield, with special guest presenter Christina Fowler, Chief Cyber Intel Strategist at MITRE.

How does MITRE Shield apply to the typical organization? You may be wondering how MITRE Shield is different from the MITRE ATT&CK® framework, which has been around for several years. 

The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a framework based on community knowledge and analysis of known threat actors that enumerates specific threat actor behaviors across the later stages of the Lockheed Martin Cyber Kill Chain®. In other words, it looks at attacker methods. 

Structured similarly, but looking at the other side of the table, MITRE Shield organizes defense techniques in a framework of defensive tactics. What are some of the most effective cybersecurity techniques and strategies for CISOs to be aware of? In what areas do threat hunters, IT security administrators, SOC analysts and incident response teams need to be well invested and experienced? Shield is a great resource for that.

Active defense now the focus of cybersecurity

When we see defense techniques, however, we aren’t talking about a wait-and-respond-when-needed approach. Quite the opposite. According to MITRE, Shield is intended to stimulate discussion about Active Defense.

“Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.”

Shield outlines 8 active defense tactics – Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test – and 33 defensive techniques. 

Many large enterprises have a plethora of tools in their cybersecurity arsenal. Some of these would surely fall into the category of “active”, but they also have non-interactive defense platforms. I think MITRE Shield is a wake-up call. When non-interactive defense fails, then what?

Defense in depth – nobody is a one stop shop

I’ll give some specific examples of the 33 techniques in MITRE Shield below, but I’d like to preface it with a warning: Beware of solution providers and tools that promise EVERYTHING. 

Perhaps predictably, in the first days since MITRE published the Shield Matrix we’ve witnessed many vendors trying to outdo each other with promises of how many techniques they cover. Deception vendors, for instance, who now also claim to focus on behavioral analytics. Some detection offerings are now claiming to cover every technique in the Matrix. Let’s be honest. At best it’s a stretch, referring to ultra-thin functionality pushed forward by marketing and sales teams to check every box, without the depth needed for effective defense. At worst, it’s completely misleading. We won’t play that game.

I’m of the belief that intelligent security teams would be wise to steer away from vendors promising “one stop shop” solutions. One thing is clear regarding MITRE Shield: you MUST have deception capabilities to achieve Active Defense coverage. In fact, and here is something to highlight, it could be argued that deception is very much at the core of MITRE’s approach to Active Defense.

Cyber Deception techniques front and center

So what does this all mean? MITRE has certainly put deception front and center in the new Shield model. Shield, another spot-on name by MITRE after ATT&CK, outlines eight active defense tactics – Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test – and 33 defensive techniques, and deception is reflected in some way in every one of the eight tactics.

Some of the deception-related categories include:

  • Application Diversity
  • Burn-In
  • Decoy Account
  • Decoy Content
  • Decoy Credentials
  • Decoy Diversity
  • Decoy Network
  • Decoy Persona
  • Decoy Process
  • Decoy System  
  • Network Diversity
  • Network Manipulation
  • Pocket Litter

As the leading voice in the deception space, we at Illusive Networks feel obligated to explain how this works, and we want to highlight distinct differences between the deception vendors on the market.

We’ve published a whitepaper on each of these techniques and how Illusive capabilities map to them, but for now, I’d like to look at just a few categories.

Decoy Content – MITRE defines this as “Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy.” At Illusive, we empower our customers with the ability to fulfill several of the use cases mentioned by MITRE. Here are just 3 examples:

  • DUC0190 – A defender can utilize decoy network shares to provide content that could be used by the adversary.
  • DUC0102 – A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
  • DUC0074 – A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.

Illusive’s Attack Detection System provides a wide array of deceptions that, together, leverage over 50 deception techniques. Deceptions mimic user, system, network, application and device elements. As a whole, these deceptions serve the following purposes:

  • They include fake credentials and connections (the foundation for lateral movement) that could be found by attackers manually, or be swept into the “harvesting” processes of Mimikatz or similar attack tools (from memory, the registry, the file system and more);
  • They mimic artifacts that appear to offer useful information during reconnaissance (fake emails, files, file shares, scripts, browsers, cached browser data, etc.);
  • They appear to provide access to high-value assets such as SWIFT systems, mainframes, RDP jump servers and other potential targets;
  • They introduce fake traffic (e.g. authentication or broadcast traffic), or execute other low-interaction features that simulate a real “live” environment.

Or take the example of Decoy Credentials. A use case given by MITRE is “DUC0084 – A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.” Illusive’s Attack Detection System puts credentials in a wide range of locations (registry, memory, network) to significantly increase the chances that attackers encounter them.

What about Decoy Network, to “Create a target network with a set of target systems, for the purpose of active defense”? With Illusive’s Attack Intelligence System, our main platform for threat intelligence, a defender can create a full-OS decoy which appears vulnerable and attractive to an attacker, but in reality allows the security team to monitor the attacker in a safe environment, learning about their tactics and objectives. The decoy network contains systems which are easily discoverable and appealing to an adversary (MITRE use case DUC0231).

Shrinking the attack surface is also an important “active” defense

I’ll add here that Illusive is about much more than “just” deception. Several of the categories in MITRE Shield go beyond deception, and are more broadly focused on managing the attack surface. Look at the category of Admin Access – to “modify a user’s administrative privileges.” MITRE writes that “changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems.”

Illusive’s Attack Surface Manager is a perfect tool to detect whether admin access has been enabled on a certain system. It also allows security teams to “remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit (MITRE use case DUC0196).” Attack Surface Manager’s many functions include:

  • Automatic discovery and mapping of the access footprint across the enterprise “Crown Jewel” systems as well as attack paths to high-value systems;
  • Easy definition of rules and policies through automation-assisted processes;
  • Continuous monitoring for credential and connection violations;
  • Risk-oriented decision support through insight on the potential impact of policy violations and attack paths;
  • Corrective action through a choice of manual and automatic methods;
  • Built-in attack risk reports for security leaders.

When used in conjunction with the Attack Detection System, Attack Surface Manager also supports faster attack detection. By reducing the number of real attack vectors in the environment, the odds significantly increase that attackers will choose deceptive artifacts as they attempt lateral movement. A great example: in a recent APT detected and contained by Illusive in a 35,000-endpoint organization, Attack Surface Manager was used to backtrack the attackers’ previous steps after the initial detection of the threat, when the attackers fell for an Illusive deceptive trap.

Does “decoy” really mean deception?

Finally, a few words on differentiating some terms related to deception.

There’s often some inconsistency between the terms used in various reports and contexts. Without focusing on every report out there, I’ll explain both how we use certain terms and how the term “decoy” is used in the MITRE Shield matrix. The good folks at MITRE have used the word DECOY as an adjective to describe all types of deceptions – Decoy Accounts, Decoy Credentials, etc. We think this is a good thing: over time, we believe this convention will normalize terminology in this emerging space, and make discussions of value and application more fluent and easier for all.

MITRE’s use of the term “Decoy” in Shield is inclusive of both deceptions and honeypots, but more often than not refers to fake data on endpoints. Decoy Credentials, for example, includes use cases and procedures which clearly refer to using deceptive credentials on real production systems. Decoy Content also includes use cases that refer to “breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.” These are deceptive data that are used to trip up the attacker and perhaps bring them over to a fully separate decoy system.

At Illusive, we use the term endpoint deceptions for fake data placed on endpoints in production environments: data that mimics credentials, connections, files and other artifacts, and that looks to an attacker as though it will facilitate lateral movement. Unknown to the attacker, his or her first wrong choice triggers an alert. By covering the entire endpoint inventory, the deception “net” is able to catch attackers at or close to “Patient Zero,” no matter where the attack begins.
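As an added example (not Illusive’s code), here is the detection side of the endpoint-deception model described above: a small Python scanner that flags any logon attempt using a planted decoy account name in constructed log lines and reports the source host of the earliest hit as the likely “Patient Zero”. The decoy inventory, account names, host names and log format are all assumptions.

```python
"""Detect use of planted decoy (honeytoken) credentials in authentication logs.
Added illustration, not Illusive's own code. Decoy accounts have no legitimate user,
so any logon attempt naming one is a high-confidence alert; the earliest attempt's
source host points at "Patient Zero"."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoy inventory (hypothetical): account name -> endpoint it was planted on.
DECOY_ACCOUNTS: Dict[str, str] = {
    "svc_backup_adm": "WS-FIN-017",
    "sqladmin_ro": "WS-HR-042",
}

# Constructed syslog-style logon records with Windows-like event IDs (4624 ok, 4625 fail).
SAMPLE_LOG = """\
2020-09-03T10:01:12Z DC01 EventID=4624 User=alice Src=WS-FIN-017 Status=0x0
2020-09-03T10:04:55Z DC01 EventID=4625 User=svc_backup_adm Src=WS-FIN-017 Status=0xC000006D
2020-09-03T10:05:02Z FS02 EventID=4625 User=SVC_BACKUP_ADM Src=WS-FIN-017 Status=0xC000006D
2020-09-03T10:07:30Z DC01 EventID=4624 User=bob Src=WS-HR-042 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<target>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) "
    r"Src=(?P<src>\S+) Status=(?P<status>\S+)$"
)

@dataclass(frozen=True)
class DecoyAlert:
    ts: str          # when the decoy name was used
    user: str        # decoy account exactly as it appeared in the log
    src: str         # host the logon attempt came from (likely compromised)
    target: str      # system that received the attempt
    planted_on: str  # endpoint where the decoy was originally seeded

def scan(log_text: str, decoys: Dict[str, str] = DECOY_ACCOUNTS) -> List[DecoyAlert]:
    """One alert per logon attempt, successful or failed, that used a decoy name."""
    alerts: List[DecoyAlert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at its fields
        key = m["user"].lower()  # account names are case-insensitive on Windows
        if key in decoys:
            alerts.append(DecoyAlert(m["ts"], m["user"], m["src"], m["target"], decoys[key]))
    return alerts

def patient_zero(alerts: List[DecoyAlert]) -> Optional[str]:
    """Source host of the earliest decoy use: the first endpoint the attacker acted from."""
    return min(alerts, key=lambda a: a.ts).src if alerts else None
```

Failed logons count as much as successful ones here, because a decoy name should never be tried at all; in a real deployment the source host would be pivoted on immediately for containment.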

We currently use the term Decoy when referring to more traditional honeypots – live, network-attached operating systems set up to mimic real assets to lure an attacker into full engagement. These decoy computer systems were designed to purposely engage and deceive hackers in order to better understand their tactics and activities. 

When it comes to threat detection, we strongly believe that distributed endpoint-based deception (whatever we call it) is still the most effective option available for trapping in-network attackers. High-interaction decoys remain valuable, however, mainly for threat hunting, intelligence and research, with the long-term ability to learn an attacker’s methods, targets, tools and techniques.

A breakthrough for cybersecurity

The release of MITRE Shield is a watershed moment in the history of cybersecurity. 

As attacker tactics evolve – whether through nation-state attack teams, insider threats, for-hire groups or others – we’ve seen a rapid expansion of the attack surface that security teams must secure. The forced digital transformation during the current health crisis, and the long-term ramifications that have resulted from it, point to the need for a more robust approach to protecting critical assets.

The endorsement of an Active Defense strategy by MITRE is one that we support wholeheartedly. The Illusive Networks platform provides impactful security coverage for many of the techniques listed above. Read this whitepaper for further details on each capability we support, and of course we invite you to reach out to us with any questions.

Also make sure to view our on-demand webcast, Stop Advanced Ransomware Now: MITRE Shield’s Active Defense and Illusive Lateral Movement Prevention.

I believe that the industry will widely adopt MITRE Shield as a standard for measuring current security proficiency. This includes security vendors, as well as the largest organizations. The entire Illusive team and I are excited to see what happens in the future, and we look forward to hearing your thoughts as well.

Schedule an in-depth exploration and demo