MITRE Engage: a framework for deception

In the arms race that cybersecurity has become, there’s value in knowing an adversary’s next move, strategy, and motivation.

The MITRE Corp. has a way to help figure that out.

The not-for-profit entity, which operates federally funded R&D centers and public-private partnerships, has released a framework that details how security professionals can engage their enemy and pick up that valuable intel.

MITRE in early 2022 launched MITRE Engage, a framework that cyber defenders can use for “communicating and planning cyber adversary engagement, deception, and denial activities.” The project earned Hill and his team a CSO 50 award for security innovation.

For MITRE Chief Information Security Official Bill Hill, adversary engagement is akin to getting a glimpse at an enemy’s battle plans.

“You’re fighting an intelligent adversary, and you can’t just lay down a defense and hope that works for every attack. You have to know what they’re going to do next,” Hill says.

Adversary engagement moves the front line in cybersecurity battles that have already seen tactics evolve on both the defender and the hacker sides.

According to Hill, adversary engagement has defenders creating scenarios that allow hackers into and around a controlled environment so their actions and tactics can be observed.

“It’s similar to threat hunting, but different. In threat hunting, you’re looking to find an adversary already in your network primarily so you can get rid of them. Adversary engagement is something more proactive and intentional. You create a situation where an adversary accomplishes some goal of yours, such as learning how they attack. And it creates a situation where there’s some back and forth with the adversary to accomplish those goals,” Hill explains.

According to Hill, defenders can use adversary engagement to learn what hackers do beyond the initial actions that get them into their targets’ environment.

The MITRE Corp.

“The world knows a lot about the first part of the attack; people do reverse engineering of attacks, so that’s what we know the most about. But that’s the tip of the iceberg,” he says. “If an adversary gets into your network, what happens next? What’s the second thing they do? What’s the third thing they do? We know less about all that.”

Hill acknowledges that there’s good reason for that lack of knowledge.

“Defenders are trying to prevent the initial intrusion so we’re not inclined to let things go on and see how things play out,” he says.

But adversary engagement allows just that.

“If you’re in control, you can let things play out, see what tools they might be using, what [tactics, techniques and procedures (TTPs)] are being used later in the attack lifecycle,” Hill says. “That’s valuable information for a defender. It’s helpful to know for those that get through what’s next?”

As Hill explains, defenders can use that insight to determine what TTPs would work best for them to stop the hackers if they get in and make it to step two or step three.

Not if, but when

According to MITRE officials, Engage is based on the oft-quoted idea that a breach is not a matter of if, but when. Given that a network compromise is probably inevitable, adversary engagement can better help defenders prepare and limit losses because they can anticipate and thus more quickly and effectively thwart the hackers’ actions.

At the same time, adversary engagement gives defenders the opportunity to drive up the cost and work involved with hacking, thereby driving down the value of an adversary’s cyber operations.

Research from deception technology vendor Attivo Networks backs up that assertion: The 2020 report Cyber Deception Reduces Breach Costs & Increases SOC Efficiency calculated that organizations utilizing cyber detection reduced data breach-related costs by 51% compared to those not deploying deception technology.

Hill has seen the benefits of engaging the adversary, which he says MITRE has been doing for about a decade—before such activities had a recognizable name.

He says MITRE and others borrowed concepts from other disciplines, notably military strategy, with adversary engagement developing from there. Hill says a number of security teams from different organizations developed the concept over the years.

“There’s no obvious start with adversary engagement in cybersecurity, but like other things we look to related fields to bring in useful concepts,” he says, adding that MITRE’s own experience building and using this strategy prompted organization leaders to develop the Engage framework as a way to share what they had learned. “A lot of this comes from our practical work defending our own company and some comes from our R&D work.”

However, Hill says security workers, including MITRE’s own professionals, often struggled to convey the concept to others.

“It was hard for people to understand what we meant and what were the benefits of what we were talking about,” he says. “So we thought that it would be helpful to put something out there.”

A guide for others

The first iteration of that information was MITRE Shield, released in 2020, which gives defenders tools to counter cyber adversaries.

Engage, which builds on Shield, includes resources that enterprise security teams can use to create their own strategy for layering adversary engagement into their own organization’s cybersecurity activities and vendors can use to evolve their products.

Engage maps to the MITRE ATT&CK framework, which documents threat tactics and techniques that have been observed from millions of attacks on enterprise networks.

Engage describes how defenders can devise engagement opportunities—basically how to interact with bad actors in ways that the defenders themselves design and control for the purpose of learning.

Engage also details denial activities, which Hill says is “at some point creating a situation where the adversary is denied something they’re wanting or trying to do.” That, he says, allows defenders to observer their reactions and next steps.

And Engage explains the deception factor; Hill says adversary engagement involves “convincing them that something that is true isn’t or that they’re in a real environment but they’re really in a test environment.”

“Denial and deception are often compound terms, but our activities are focused more on deception than denial,” Hill explains. He notes that Engage isn’t “talking about hacking back or doing anything where we don’t’ belong.”

Hill says some security experts have questioned the promotion of adversary engagement, suggesting that open discussion of the practice could blow the defenders’ advantage.

That, though, speaks to the need for the security community to share how to effectively and successfully engage in deceptive techniques.

“We assume that adversaries paying attention to us know these ideas are floating around. And now some adversaries who get in look around to make sure it’s real, and some do figure out it’s not, so you have to do some work to make your environment look real,” Hill says.

He thinks it’s worth the effort.

“If you want to learn from your adversary so you can prioritize your defenses,” he says, “then this is for you.”