MITRE Engage: A Framework and Community for Cyber Deception

(Above, the MITRE Engage team: Gabby Raymond, Stan Barr, and Maretta Morovitz.)

MITRE Engage™ is based upon a simple premise: Since network compromise is often inevitable, defenders can use adversary engagement methodologies to ensure that compromise does not mean loss. Adversary engagement offers defenders the opportunity to drive up the cost and drive down the value of an adversary’s cyber operations. With traditional cyber defense, the adversary only needs to be right once, but with cyber deception, the adversary only needs to be wrong once.

Engage is based on MITRE Shield. After gathering technical feedback from the cyber community, MITRE replaced Shield with Engage to focus on the areas of denial, deception, and adversary engagement.

“Shield was a good start, but the toolset was too broad—and not easy enough for different users to apply,” says Stanley Barr, chief scientist for Engage.

Built on more than 10 years of operational experience, Engage helps industry, government, and cyber vendor communities plan and execute adversary engagement strategies and technologies. Engage maps to the MITRE ATT&CK® framework, helping to clarify when the adversary becomes vulnerable—and how a defender can take advantage of those vulnerabilities. More than a matrix, the Engage website also includes a playbook, worksheets, posters, and other resources to help organizations implement adversary engagement strategies.

We asked members of the MITRE Engage team to discuss how the cybersecurity community can use Engage.

Q: What’s new with MITRE Engage?

Stan Barr, MITRE Engage chief scientist: “Decision makers, defenders, and vendors must work together against cyber adversaries but have different perspectives. With Engage, we created a framework for discussing and planning adversary engagement, deception, and denial activities, informed by adversary behavior observed in the real world. ‘Engage’ has a deliberate meaning. We recommend engaging with the adversary—but avoiding a hack-back. We’re not trying to ratchet up conflict.”

To clarify Engage’s purpose, Barr broke down the traditional See, Think, Do model to understand how defenders can implement deceptions to influence adversary behavior. He explains: “What do you want your adversary to do that will make your life better? Then, what does he need to think to make him do that? Finally, what does he need to see so that he thinks that? With Engage, we made it simpler to strategically use deception and denial to identify goals, and then use the technology stack to achieve them.”

Barr encourages the entire cybersecurity community to think beyond the latest anti-viral software or firewall.

“They may be elements of a strategy, but alone can’t solve the problem. Instead, decision makers can use Engage to think about their strategy for protecting the company, defenders can use it to achieve that strategy, and vendors can use it to align their products with their users’ goals.”

Q: How can decision makers and defenders use MITRE Engage?

Maretta Morovitz, MITRE Engage lead: “As the Sun Tzu quote goes, ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles.’ Engage is structured so that decision makers and defenders make it their first goal (Prepare) to understand how denial, deception, and adversary engagement fit into their current cyber strategy. This preparation will drive all further engagement activity.”

There are five columns in the MITRE Engage Matrix: Prepare, Expose, Affect, Elicit, Understand.

“We’ve mapped the three middle columns to ATT&CK and shifted the perspective to clarify when the adversary becomes vulnerable—and the defender now has an opportunity,” Morovitz says. “That drives home that denial and deception are really taking advantage of the vulnerabilities adversaries present when they engage with the defender.

“And finally, once an operation has completed or come to a natural assessment point, moving to the ‘Understand’ column helps teams understand how the different outputs can generate actionable intelligence and help refine additional operations.”

Q: Why is building a community of researchers and vendors such an important part of Engage?

Gabby Raymond, MITRE Engage capability lead: “First, because ‘denial, deception, and adversary engagement’ can mean different things across the cyber community, the Engage framework is defining a common terminology for the community. In the past year, the Engage team ran a series of focus groups with vendors, defenders, and decision makers, and they’ve given us tremendous feedback and insight.

“Second, we’re constantly looking for examples of implementations of various activities in the wild, whether it’s in research products or real-world use cases. We want to show others how an activity actually looks and was implemented.

“Third, what are we missing? We want to gather the community’s thoughts and feedback about how Engage can help defenders drive up the cost for an adversary to act on a network while simultaneously driving down the value of what they receive. Better still, can we cause an adversary to take an action that benefits us as a defender? For instance, are they using new techniques we haven’t seen before? Or, as we watch them move around the network or exfiltrate data from a host, can we gain more information about their motivations and how they perform their operations?

“Plus, as vendors map their various technologies to Engage, it will help providers and chief information security officers understand what the current state of the field is and how they can support the variety of operational goals defenders may have.

“Bottom line, Engage goes far beyond a ‘framework.’ It’s about the process of planning adversary engagement operations. And that’s why we’re intent on growing the Engage community, so together we can push the boundaries of today’s research and development to defend against cyber threats into the future.”

Learn more about MITRE Engage and read the related news release.