MITRE Engage 1.0 – A Structured Dance with Your Adversary
Written by Kevin Hiltpold – Federal Sr. Solutions Engineer – MITRE introduced Shield in August 2020 and became vocal advocates for utilizing an active defense to defend networks and manage adversaries. For those of us already in the business of deceiving adversaries to reduce dwell time, MITRE Shield was a perfect matrix. However, defending networks is not a job for technical personnel alone. Cybersecurity is about risk acceptance and requires agreement on strategy and outcomes from all stakeholders in the organization. MITRE created Engage to assist technical and non-technical decision-makers in planning strategic outcomes for adversary engagement operations.
For those in the legal world about to raise their hands, adversary engagement operations or an active defense is not hacking back and is not entrapment. Engaging and managing adversaries begin once they have already broken down the door or picked the lock. The organization did not invite or entice the adversary into walking through the front door. In other words, the defenders are engaging adversaries who have already committed a crime or policy violation with an active defense to control lateral movement.
Attivo Networks Support for the MITRE Engage Matrix
In evaluating the ThreatDefend Platform against the Engage Matrix, Attivo Networks compared the solution against activities to identify how the solution would implement each one. The table below contains the analysis as of the initial release of the Engage Matrix in 2022, mapping to the activities the ThreatDefend Platform can successfully implement.
One of the common misconceptions about using cyber deception as an active defense technique is that only very mature organizations can do so. Attivo’s customer base dispels this belief. While it is true that Attivo has very large, very mature organizations as customers in the private and public sector, we also have a large footprint in small and mid-size organizations that use our platform effectively.
MITRE Engage emphasizes the importance of learning from previous attacks to prepare for when the adversary returns. Can any organization honestly say that attackers have never compromised them, so there are no previous attacks to reference? If they can, then there are well-known tactics that APT groups or ransomware groups like Conti use. At a minimum, they should utilize this open-source intelligence to plan adversary engagement around common lateral movement tactics.
Let’s take the example of SolarWinds as we work through the Engage 10-Step Process:
Step 1: Assess knowledge of your adversaries and your organization
The highest value asset in our hybrid cloud architecture is our on-prem Active Directory infrastructure and Active Directory Federation Services (ADFS) servers.
Step 2: Determine your operational objective
Detect early-stage lateral movement attempts and redirect attackers for observation to a decoy ADFS server.
Step 3: Determine how you want your adversary to react
The attackers should engage with the deceptive ADFS server
Step 4: Determine what you want your adversary to perceive
We want the attackers to perceive successful enumeration of local administrators, credentials, domain controllers, and ADFS servers. They should find deceptive credentials that map to decoy ADFS servers without knowing we have detected them.
Step 5: Determine channels to engage with your adversary
Configuration of the following Attivo capabilities
1. Configure Attivo EDN to detect or feed misinformation to:
a. Local account enumeration
b. LDAP enumeration
c. ADFS discovery
d. Credential dumping
2. Plant credentials on production endpoints that map to deceptive ADFS server deployed via bound IP address in server VLAN
Step 6: Determine the success and gating criteria
We will leave the ADFS deceptive campaign in place for six months. We will act on any unauthorized lateral movement detected during this time once we have met intelligence-gathering goals. After six months, if attackers have not engaged with the deceptive ADFS server, consider adding or replacing it with decoy ESXi servers that ransomware groups are targeting with the Log4j vulnerability.
Step 7: Execute your operation
Step 8: Turn raw data into actionable intelligence
All actions the Attivo platform observes are actionable intelligence.
Step 9: Feedback intelligence
Provide all actionable intelligence to the Incident Response team.
Step 10: Analyze successes & failures to inform future actions
In summary, whether the goal is actionable intelligence gathering or an extreme reduction in adversary dwell time, MITRE Engage will aid organizations of any size and maturity level. The MITRE Engage team has done an excellent job with the Engage website, which officially launched on February 28, 2022. A starter kit and an interactive matrix explorer guides users through the suggested goals, approaches, and activities. Deception and concealment technologies are crucial defense mechanisms in an active defense that fills detection gaps left after adversaries penetrate static perimeter defenses. By adding the Attivo Networks ThreatDefend Platform to the security stack, organizations gain early and accurate visibility, detection, and prevention of attacks that evade existing controls while gaining capabilities that help them meet MITRE’s guidance.
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise