MITRE Shield: A Framework for Agile Cyber Security
MITRE Shield – MITRE recently released MITRE Shield, an active defense knowledge base that captures and organizes security techniques in a way that is complementary to the mitigations featured in MITRE ATT&CK.
What is MITRE Shield?
This important new resource currently contains 34 techniques mapped against 8 active defense tactics.
MITRE categorizes Shield as “Active Defense,” and quotes the US Department of Defense definition: the “employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” This is a noteworthy distinction. Actively engaging the adversary is complementary to, but different from, fortifying defenses (patching, firewalls, authentication, etc.). Shield is an important development for the security industry, and it’s easy to see why Deception advocates are so excited about it.
Deception comprises about a third of the techniques in the framework. Decoy Accounts, Content, Credentials, Networks, Personas, Processes and Systems, as well as Decoy Diversity and Burn-In, are all listed and mapped to 70 ATT&CK Techniques. MITRE ATT&CK has emerged as a preeminent cyber security resource. MITRE Shield now extends ATT&CK as the first actionable framework for Active Defense.
Why Is Active Defense Important Now?
An Active Defense framework could not come at a better time. The reasons are captured by one simple word: Speed. Specifically, the need for business speed and attack response speed, versus the speed of traditional security controls.
Business Speed vs. Security Speed
It’s hard to debate the pandemic’s influence in accelerating Digital Transformation. Digital holdouts have been thrown into a new world of Cloud Adoption, Robotic Process Automation, IoT device adoption, and Remote Work. They are all on the rise. According to a survey from Snow Software, 45% of IT leaders indicated they planned to accelerate the pace of their cloud migration plans, and 41% planned to accelerate their businesses’ wider digital transformation initiatives. From mortgage re-financing, to online food and grocery delivery, to university classes, each of us is learning and transitioning to an increasingly digital existence.
The most profound change can be felt with remote work. This might be familiar ground to many knowledge workers, but customer service reps, claims processors, teachers, attorneys, and many others are now learning new tools and accessing sensitive information from their homes for the first time. Another study revealed that last year, the American full-time remote employee population was growing 2.86% year over year. Now the growth rate is expected to reach 493% by the end of 2020.
Digital transformation has always been a challenge for security. It moves quickly. In 30% of US, UK, and German companies, more than 1,000 insecure personal devices connect to enterprise networks every day without IT’s knowledge. In 2020, 93% of enterprises will adopt Internet of Things (IoT) devices, yet nearly all IoT device traffic is unencrypted (98%), and more than half of IoT devices are vulnerable to medium- or high-severity attacks.
Under extreme conditions, business has persevered and reinvented itself through digital transformation, but security teams are struggling to keep pace and cover this expanding attack surface area.
The Race Between Attacker and Defender
Attackers continue to refine their craft. They exploit vulnerabilities faster and move more quickly and quietly toward critical access and data. The wheels of defense, on the other hand, grind more slowly.
A recent study shows that 58% of vulnerabilities are exploited before a patch is released. 27% are exploited within a month of a patch release – 12% within the first week. We know that patch management is not trivial, but how long does it take to patch a known vulnerability?
Another study shows that it takes, on average, 34 days to patch the most critical web application CVEs. I think it’s reasonable to believe that attackers’ ability to exploit vulnerabilities outpaces security’s ability to discover and patch them. There’s certainly more to security than vulnerability management, but these statistics illustrate the challenge of keeping pace with the attackers.
It’s generally accepted that breaches are inevitable. As the adage goes, the defender must be right 100% of the time, but the attacker only has to be right once. So, what happens after a breach?
Breakout Time is a measure of the time it takes an attacker to advance from initial network access to lateral movement (the point at which they can move freely within the network). Breakout Time can range from 5 to 9 hours depending on the attacker. How does that compare with the average time it takes to detect, analyze and contain a breach? One survey estimates the average time to be 162 hours. That leaves the attacker nearly a week to do what they want after they have gained full access to the network. As a result, the majority of respondents (80%) report that in the past 12 months, they have been unable to prevent intruders on their networks from accessing targeted data, with 44% pointing to slow detection as the cause.
How Does Security Stack Up?
Security struggles to keep pace with the business. Forced digital transformation, despite its benefits, exposes the enterprise to unknown and potentially unacceptable risk. The attack surface continues to spread, the blind spots continue to multiply, and keeping pace with this sprawl feels unachievable. There’s no way to reasonably expect security to use traditional tools to discover, monitor, fix and defend this explosion of endpoints, particularly in the case of IoT and OT devices that cannot be touched (patched or instrumented with an agent).
The economic scales are tipped heavily in the attacker’s favor. The attack process is fast, quiet and low-risk, while defending is expensive, complex, exhausting and largely ineffective. There’s no denying that security basics are still necessary, but the security engine, as built, simply does not match up with the current environment. Something is missing.
The Missing Link
Security needs a light, fast defensive capability that protects the entire attack surface area: all endpoints and all devices, even the untouchable ones. Security needs the ability to see lateral movement – in the cloud and in every corner of the network – with greater fidelity and less alert volume so that analysts can respond faster to material incidents rather than false positives.
Deception meets this need by hiding real assets (servers, applications, routers, printers, controllers and more) in a crowd of authentic imposters that look and feel exactly like the real thing. In a deceptive environment, the attacker must be 100% right, otherwise they will waste time and effort collecting bad data in exchange for revealing their tradecraft to the defender.
Deception exists in a shadow network. Traps don’t touch real assets, making it a highly valued solution wherever IoT, OT, ICS or SCADA systems are present. And because traps are not visible to legitimate users or systems, and serve only to deceive attackers, they deliver high fidelity alerts and virtually no false positives.
NIST recommends Deception to disrupt attacker reconnaissance, delay or degrade lateral movement, divert the adversary away from critical systems or system components, and reveal the presence of the adversary along with its TTPs. While this is a powerful endorsement, historically there hasn’t been a standard framework or playbook to deploy Deception in a strategic and integrated fashion. That is until the introduction of MITRE Shield.
MITRE ATT&CK and MITRE Shield are a powerful combination that offers practitioners a framework to harden their environment against likely groups and their TTPs, together with a complementary roadmap for actively disrupting attacker TTPs.
An integrated Deception platform deploys and manages deceptive accounts, content, credentials, networks, personas, processes, and systems. It disrupts an adversary’s ability to conduct reconnaissance and move laterally while revealing their presence along with their TTPs. In addition, alerts are tagged with ATT&CK Techniques, creating a dynamic closed loop between observed attacker Techniques, active defense countermeasures, and mitigations.
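The two claims above, that decoys yield high-fidelity alerts because no legitimate activity touches them, and that each alert can be tagged with the ATT&CK technique it evidences and the Shield technique that caught it, are easy to see in code. The following is an added example, not code from the original page or from any vendor’s platform. It assumes (hypothetically) that authentication events arrive as JSON-rendered Windows Security events with the field names shown, that the decoy inventory is a small in-memory dict, and that the mapping rules are the ones a defender would write for planted credentials, a decoy file server, and a decoy Kerberos service account. ATT&CK IDs are the published ones; Shield techniques are named, not numbered, to avoid misquoting IDs. The sample log lines are constructed for the example.

```python
"""Honeytoken alert tagging: turn raw logon events that touch decoys into
a handful of ATT&CK/Shield-tagged alerts (added example, hypothetical schema)."""
import json
from collections import defaultdict

# Constructed decoy inventory. Nothing legitimate ever references these, so any
# event that does is an alert by construction; no allowlist tuning is needed.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_admin_old"}        # Shield: Decoy Credentials
DECOY_SPNS = {"MSSQLSvc/sql-legacy.corp.example:1433"}      # Shield: Decoy Credentials (Kerberoast bait)
DECOY_HOSTS = {"FS-ARCHIVE-02", "SCADA-HMI-07"}             # Shield: Decoy System

# Constructed Windows Security events (4624 success, 4625 failure, 4769 TGS request).
# "Computer" is the host that logged the event, i.e. the logon target.
SAMPLE_EVENTS = [
    '{"EventID":4624,"TargetUserName":"alice","Computer":"WS-114","IpAddress":"10.0.4.21"}',
    '{"EventID":4625,"TargetUserName":"svc_backup_adm","Computer":"FS-PROD-01","IpAddress":"10.0.4.21"}',
    '{"EventID":4625,"TargetUserName":"svc_backup_adm","Computer":"FS-PROD-01","IpAddress":"10.0.4.21"}',
    '{"EventID":4624,"TargetUserName":"bob","Computer":"FS-ARCHIVE-02","IpAddress":"10.0.4.21"}',
    '{"EventID":4769,"TargetUserName":"bob","ServiceName":"MSSQLSvc/sql-legacy.corp.example:1433",'
    '"Computer":"DC-01","IpAddress":"10.0.4.21"}',
    '{"EventID":4624,"TargetUserName":"carol","Computer":"WS-200","IpAddress":"10.0.7.5"}',
]


def classify(event):
    """Return (ATT&CK technique, Shield technique) if the event touches a decoy, else None."""
    eid = event.get("EventID")
    user = event.get("TargetUserName", "")
    if eid in (4624, 4625) and user in DECOY_ACCOUNTS:
        # The only way to know a planted username is to have harvested it; success
        # or failure does not matter. Keep the decoy unable to log on anywhere so
        # a 4624 for it can never be legitimate.
        return ("T1078 Valid Accounts", "Decoy Credentials")
    if eid in (4624, 4625) and event.get("Computer", "") in DECOY_HOSTS:
        # A logon landing on an unadvertised decoy system is lateral movement by definition.
        return ("T1021 Remote Services", "Decoy System")
    if eid == 4769 and event.get("ServiceName", "") in DECOY_SPNS:
        # A TGS request for a decoy SPN is a Kerberoast attempt on bait.
        return ("T1558.003 Kerberoasting", "Decoy Credentials")
    return None


def build_alerts(lines):
    """Collapse raw events into one alert per (source IP, technique), counting repeats,
    so the analyst sees a few material incidents rather than one line per event."""
    buckets = defaultdict(lambda: {"count": 0, "accounts": set(), "targets": set()})
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag is None:
            continue  # ordinary traffic never touches decoys, so it is never an alert
        b = buckets[(ev.get("IpAddress", "?"), tag)]
        b["count"] += 1
        b["accounts"].add(ev.get("TargetUserName", ""))
        b["targets"].add(ev.get("Computer", ""))
    alerts = []
    for (src, (attack, shield)), b in buckets.items():
        alerts.append({
            "source_ip": src,
            "attack_technique": attack,
            "shield_technique": shield,
            "event_count": b["count"],
            "accounts": sorted(b["accounts"]),
            "targets": sorted(b["targets"]),
        })
    return sorted(alerts, key=lambda a: (a["source_ip"], a["attack_technique"]))


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Six constructed events collapse to three alerts, all pointing at one source host (10.0.4.21): a replayed decoy credential, a logon onto a decoy file server, and a Kerberoast request against a decoy SPN. The real users’ logons (alice, carol) produce nothing, which is the fidelity argument in one run. Two caveats a practitioner will hit in production: make sure your own vulnerability scanner and identity-hygiene tools are not configured to exercise decoy accounts, or they become the first “attacker” you detect; and rotate decoy names occasionally (Shield’s Burn-In and Decoy Diversity) so an adversary who has fingerprinted one decoy cannot simply skip it.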
Evaluating Commercial Solutions
Shield prescribes a broad range of deceptive capabilities that can be applied across all eight Shield Tactics. The vendor community can meet these needs with what we generically call low interaction, medium interaction and high interaction deceptive assets, integrated into a realistic and deceptive environment. These deceptive assets are different and valuable, and they should work together. For the sake of brevity, here is a simple description of each:
Low Interaction: Fake data, credentials, files, traffic, browser history, etc. designed to channel attacks away from real assets by making fake assets more realistic and attractive.
Medium Interaction: Network assets that allow for interaction sufficient to collect enough information to identify attackers, expose TTPs and respond.
High Interaction: Network assets that allow for extended interaction primarily to collect information in order to learn about an adversary and their TTPs.
One Size Does Not Fit All
Each approach to Deception is valid, but taken alone, might force an organization into trade-offs between scale, time-to-value and insight. Evaluators should look for solutions that offer a blended approach, cover the full range of possible trap interactions, and integrate with their unique security stack.
Deception Without Limits
Put aside what you think you know about honeypots. Modern Deception is scalable, effective and easy to deploy and manage, even for small security teams. Insist on a proof of concept and make agility and time-to-value key criteria for an evaluation. The right solution should be as dynamic as the specific IT environment it is designed to protect and should offer the speed and agility to help you keep pace with any potential attackers. To learn more, check out these Resources:
- Gartner Hype Cycle for Security Operations, 2020
- Simplifying Adoption of MITRE ATT&CK with Deception
- One Giant Step for Deception