By: Carolyn Crandall, Chief Deception Officer and CMO

MITRE recently announced Shield, a publicly available, free knowledge base of common techniques and tactics that can help experts take proactive steps to defend their networks and assets. The knowledge base takes an approach similar to what MITRE ATT&CK® does for offense, but in this case it presents the information around active defense concepts. Using the two together enables organizations to build an active defense that better addresses adversaries.
What really caught the eye of the Attivo team is that 82 percent of the active defense measures presented in MITRE Shield are things that Attivo solutions comprehensively cover. When we did the mapping, we found that the ThreatDefend® Platform, made up of the ADSecure™, BOTsink®, and Endpoint Detection Net (EDN) solutions, represents the industry's most comprehensive threat detection coverage, providing organizations with 27 of the 33 defensive techniques identified by MITRE. Additionally, these solutions provide an active defense for 123 of 190 MITRE Shield use cases.
The mapping below shows how comprehensive the coverage is; the only areas not covered are backup, hardware management, training, and other activities not related to detection.
Cyber deception has long been recognized for its ability to create an active defense. Unlike other deception solutions, however, the Attivo ThreatDefend platform provides extensive attack prevention and detection capabilities that cover not only decoy techniques but also a wide variety of other methods. The platform proactively diverts attackers away from their targets with fake information that misdirects them to decoys, and through denial of access it can conceal critical information such as Active Directory objects, data, and file storage systems and prevent an attacker from obtaining it. By controlling the attacker's path into a decoy, defenders can gather the insights they need to understand their adversary's tools and techniques, as well as their intent.
We absolutely love the educational work that MITRE is providing through MITRE ATT&CK and Shield. If you haven't already checked out the validation of Attivo performance enhancements using the MITRE APT testing, I would encourage you to take a look at that resource as well. Using their testing guide and DIY tools, the Attivo Endpoint Detection Net was able to boost EDR detection performance by an average of 42%. It's quite impressive.
Hats off and gloves on to the work that MITRE has done in creating these resources.