We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Develop Threat Model

Identify, understand, and prioritize potential engagement targets.

Developing a Threat Model allows the potential target adversary to be identified and understood. This model should be informed by a combination of open and closed source research. It can be supplemented with internal and external threat intelligence feeds and information gleaned from previous operations.

Additionally, in order to build the model, the defender must have a thorough understanding of themselves. Among other things, this includes their own organization, trusted partners, infrastructure, current security strengths and weaknesses, and critical cyber assets. This understanding will inform the threat modeling by outlining the defender's attack surface and highlighting areas that may be of particular interest to a given adversary. The threat model output from this analysis should include information about the adversary's TTPs, IOCs, victimology, and level of sophistication.

Applying the Strategic Goal to these models allows the defender to prioritize target adversaries. For example, if the defender's intended operational outcome is to expose adversaries on the network, the defender should prioritize adversaries that historically target their organization or similar organizations and have displayed TTPs that are likely to evade current defenses. Additionally, Storyboarding should use the threat model for the target adversary to anticipate what the adversary will do in the environment, how they will react to what they find, and what the defender plans to do in response.

Once one or more adversaries have been selected as the target adversary, the corresponding threat model should guide the creation of the engagement environment and storyboard including hardware and software requirements, the required level of realism for Decoy Artifacts and Pocket Litter, and acceptable operational risk. For example, if the target adversary is known to use ransomware, then having a domain controller (DC) in the environment will be a requirement as most ransomware requires a DC in order to execute.

ID: SAC0004
Type:  Strategic 
Goals:  Prepare
Approaches:  Planning