Active Defense: Using Deception and Trickery to Defeat Cyber Adversaries
January 2021
Topics: Cybersecurity, Cyber Threat Intelligence, Threat-informed Defense, Computer Security, Information Security Architecture
What do cyber defenders have in common with martial artists, fencers, chess players—even soldiers?
“They are in a fight,” says Bill Hill, MITRE chief information security official. “It’s different from many technology or engineering challenges, such as ‘How many cars can fit on the bridge I’m building?’ When it comes to cyber attacks, you’re facing intelligent, adaptive people who want to do things that you don't want them to do.
“This includes things like stealing your data, damaging your business, denying service for critical infrastructure, and more.”
The risks are more concerning than ever. At least 200 organizations, including government agencies and companies around the world, have been hacked as part of a suspected cyberattack using sophisticated and novel tactics.
According to Hill and Christina Fowler, MITRE’s chief cyber intelligence strategist, defenders need to understand new adversary attacks so they can adapt in response. And an “active defense” is the best way to engage your adversaries.
Active defense ranges from basic cyber defensive capabilities to deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.
Hill and Fowler were part of the team that published MITRE Shield, a publicly available, free knowledge base of common techniques and tactics that experts can use to reassess and possibly revise their defenses. The MITRE Shield team takes a similar approach to presenting active defense concepts as MITRE ATT&CK®, a framework that catalogs adversary behavior and is widely used throughout the cybersecurity industry. Together, MITRE Shield and ATT&CK are powerful tools in developing an integrated defense.
Hill and Fowler also say that an active defense approach is great for the defensive team—improving technical innovation, job satisfaction, and retention. We asked them to tell us more:
Q: Why do you encourage people to think in terms of a “fight” rather than “self-protection”?
Bill Hill: Recognizing you’re in a fight is an important mindset. If you were in a foxhole, every minute you’d be thinking, “What can my adversary do to me? What can I do?” There’s a different level of creativity.
But the traditional cyber defender mindset is “adversaries have all the advantages.” And there’s truth to that if you always immediately shut down the adversaries as soon as you detect them, which is what most defenders are trained to do. But this is a vicious cycle. The adversary is always learning, but once you’ve shut them down, you learn nothing more.
With active defense, you can learn not only how they got in, but what they did once they got there. For instance, they usually set up some way to steal data and send it back out. How’d they do that in your system? Does that give you a way to detect other thefts?
These are things you’ll never learn if you simply shut them down the instant you catch them.
Q: Isn’t it risky to engage with adversaries?
Christina Fowler: MITRE Shield provides ways to mitigate risks, including containment and decoys. But remember, a passive defense of firewalls and antivirus is risky, too. Experience shows us that determined, advanced adversaries often get in if they keep trying. The days of relying upon a moat around my castle are gone.
Instead, we recommend taking it a step at a time. Some of the techniques in MITRE Shield are basic things that every security team can do, like creating a user account for defensive purposes instead of in your production environment. Of the eight tactics in the Shield Matrix, the first five are deception oriented. Assuming you have your house in order, you’ll be fine doing those in a production environment.
The last three, where you're engaging with an adversary, you would not want to do in a production environment. Rather, you’ll want to use an isolated network where the adversary can unknowingly conduct their normal activities on decoy systems. This allows you to monitor their activities and study their tactics, techniques, and procedures.
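The “user account for defensive purposes” Fowler mentions is a decoy: nobody legitimately uses it, so any authentication event that touches it is a high-confidence alert rather than noise to tune out. The following is an added example, not code from the article or from MITRE Shield; the decoy account names, the sshd-style log lines and the alert format are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Decoy accounts created purely for defensive purposes (hypothetical names).
# They have no legitimate users, so any authentication attempt against them
# is a strong signal; a successful login means the planted credential was used.
DECOY_ACCOUNTS = {"svc-backup-legacy", "jsmith-admin"}

# sshd-style auth log lines (constructed sample data, not real telemetry).
SAMPLE_LOG = """\
Jan 14 02:11:07 host1 sshd[812]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jan 14 02:13:44 host1 sshd[815]: Failed password for svc-backup-legacy from 10.0.0.77 port 40110 ssh2
Jan 14 02:13:49 host1 sshd[815]: Failed password for svc-backup-legacy from 10.0.0.77 port 40110 ssh2
Jan 14 02:14:02 host1 sshd[819]: Accepted password for jsmith-admin from 10.0.0.77 port 40118 ssh2
Jan 14 02:20:15 host1 sshd[830]: Failed password for bob from 10.0.0.9 port 50200 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class DecoyAlert:
    timestamp: str
    account: str
    source: str
    outcome: str  # "Accepted" or "Failed"


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per auth event that names a decoy account; other events are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in decoys:
            continue
        alerts.append(DecoyAlert(m["ts"], m["user"], m["src"], m["outcome"]))
    return alerts


def sources_to_watch(alerts):
    """Source addresses that touched a decoy, so the rest of their activity can be reviewed."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"{a.timestamp} decoy={a.account} src={a.source} {a.outcome}")
```

On the sample data the legitimate logins for alice and bob produce nothing, while 10.0.0.77 is flagged three times, including an accepted login to a decoy, which is the event worth pivoting on.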
Q: How should defenders use MITRE Shield with ATT&CK?
Hill: ATT&CK helps you detect what an adversary will do and offers ways to stop them. Whereas, with MITRE Shield, we’re saying sometimes you don’t want to stop them, but watch them. You may want to employ a decoy technique—but to do that, you need ATT&CK’s detections. So, they really work together very well.
And, as with ATT&CK, MITRE Shield provides a forum for the community to share ideas with one another. Ultimately, you can use them both to engage the adversary, make them work hard, and expend time, energy, and money. You may even let them steal something that’s fake. That leaves them questioning the value of what they just did. Was it worth it? Has everything they’ve stolen been fake?
Q: Have you been applying these techniques for MITRE?
Fowler: We have, for over 10 years. It’s been our experience that with an active defense you can learn so much more, such as the entire lifecycle of the attack. With MITRE Shield, we want to help other defenders see there’s a whole new opportunity to watch cyber attackers, learn their techniques, and deceive them. Plus, with MITRE Shield, you can share with other defenders and learn what they’ve done.
And that’s the beauty of active defense. Instead of letting the adversaries hold all the cards, you can beat them at their own game.
Learn more about MITRE Shield or check out our story, Shields Up: A Good Cyber Defense Is an Active Defense.
—interviews conducted by Bill Eidson