Illusive Blog August 24, 2020

MITRE’s Shield Maps Tactics and Techniques to Achieve an Active Defense Posture

By Kirby Wadsworth

With the release of Shield, a rich knowledgebase built on over a decade of enemy engagement, MITRE is once again stepping in front of the pack, and leading the global cybersecurity ecosystem in thought and action.

According to MITRE, Shield is intended to stimulate discussion about Active Defense.

ACTION is the pivotal concept here. According to MITRE, “Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.”

Well there it is. Active Defense. Not passive. Not analytical paralysis. And, not whack-a-mole responsive defense either.

MITRE makes no bones about being pro-deception. They see deceptive capabilities as a must-have in the modern security stack to truly deter and manage adversaries. They’ve certainly put deception front and center in the new Shield modeling. Shield outlines 8 active defense tactics – Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test – and 34 defensive techniques. Deception is reflected in some way in nearly half of them.

It’s fair to say Active Defense requires Deception.

Thankfully, MITRE has also created a direct mapping from the original and widely implemented ATT&CK technique framework to the in-depth opportunities, use cases, and procedures captured in the Shield knowledgebase.

Consider this example for ATT&CK Tactic T1003 OS Credential Dumping:

  • A defender may create decoy credentials for active defense purposes, by seeding a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways.
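The defender-side half of that use case is knowing when a seeded decoy credential is ever touched. The following is an added example, not code from MITRE, Shield or Illusive: it scans a constructed key=value authentication log for any attempt (failed or successful) that names a decoy account, since no legitimate process should ever use one. The log format, the decoy account names and the sample lines are all assumptions made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed decoy accounts seeded on endpoints for engagement. No legitimate
# process authenticates with them, so any attempt naming one is high-fidelity.
DECOY_ACCOUNTS = {"svc_backup_adm", "dbadmin_legacy"}

# Constructed key=value authentication log format (not any vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_use(lines: List[str]) -> List[Dict[str, str]]:
    """Return an alert for every authentication event that uses a decoy account.
    Failed attempts count as well as successes: an attacker can only know the
    decoy name by having harvested the seeded credential (e.g. via T1003)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth":
            continue
        if rec["user"].lower() in DECOY_ACCOUNTS:
            alerts.append({
                "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                "src": rec["src"], "result": rec["result"],
                "reason": "decoy credential used (ATT&CK T1003 / Shield decoy credentials)",
            })
    return alerts

# Constructed sample log lines: two ordinary events, one malformed line, then
# one failed and one successful attempt with seeded decoy accounts.
SAMPLE_LOGS = [
    "2020-08-24T10:01:02Z host=ws01 event=auth user=alice src=10.0.1.5 result=success",
    "2020-08-24T10:02:10Z host=ws01 event=logoff user=alice src=10.0.1.5 result=success",
    "garbage line from a truncated write",
    "2020-08-24T10:05:44Z host=fs02 event=auth user=svc_backup_adm src=10.0.1.9 result=failure",
    "2020-08-24T10:05:51Z host=fs02 event=auth user=DBADMIN_LEGACY src=10.0.1.9 result=success",
]

if __name__ == "__main__":
    for alert in find_decoy_use(SAMPLE_LOGS):
        print(alert)
```

Because the decoy names are matched case-insensitively and failed attempts are reported too, the first sign of harvested credentials surfaces before the attacker succeeds anywhere.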

In defining this Active Defense category, MITRE has done the industry a service. This was never about my technology being better than yours. It’s always been about changing the approach to cyber self-defense from response to prevention, from maybe to absolutely, from passive to active. Now we have a clearly articulated language with which to describe and debate it.

Learn more at

To learn more about Illusive and MITRE see: