We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Expose

Reveal the presence of ongoing adversary operations.

Expose is about discovering previously undetected adversaries engaged in one of two behaviors: attempting to gain access to the network, or already operating on it. In both cases the adversary's behavior contains vulnerabilities that a defender seeking to expose the adversary can turn to advantage.

As an example of such a vulnerability, an adversary who interacts with network or system resources risks triggering tripwires. The defender can create fake credentials, leak them both inside and outside the network, and then monitor for any use of them. No legitimate user has a reason to use a fake credential, so when one is used the defender receives a high-fidelity alert. If each leaked credential is unique, the defender can also determine how and when the adversary collected it, because the credential identifies the location where it was planted.

Whenever a defender engages with an adversary, operational safety is paramount. Maintaining that safety requires monitoring the adversary as they operate in the engagement environment, which in turn requires that the defender be able to observe the adversary. Collection and detection activities are therefore often used even when the defender's primary strategic goal is something other than Expose.
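The honey-credential tripwire described above, as an added example that is not code from the MITRE Engage page: the defender derives one unique decoy username per leak location, then scans authentication events for any use of those names. The log format, the account names, the leak locations and the secret are all constructed for the demonstration, and the helper functions (make_honey_credentials, scan_auth_log, first_use_by_location) are hypothetical, not Engage tooling. Because each unique credential is tied to where it was planted, every alert also states which leaked copy the adversary harvested and the earliest time it was used.

```python
"""Honey-credential tripwire.

Added example, not code from the MITRE Engage page.  The log format, the
account names, the leak locations and the secret are all constructed for
the demonstration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HoneyCredential:
    username: str
    leak_location: str   # where the defender planted this copy
    planted_at: str      # when it was planted (ISO-8601)


def make_honey_credentials(base_name, leak_locations, secret, planted_at):
    """Derive one decoy username per leak location.

    The suffix is a keyed digest of the location, so two planted copies never
    share a name and the location cannot be read back out of the username
    without the secret.  Returns {username: HoneyCredential}.
    """
    creds = {}
    for loc in leak_locations:
        tag = hashlib.sha256(secret + loc.encode()).hexdigest()[:6]
        user = f"{base_name}-{tag}".lower()
        creds[user] = HoneyCredential(user, loc, planted_at)
    return creds


def username_for(honey, leak_location):
    """Look up which decoy name was planted at a given location."""
    return next(u for u, c in honey.items() if c.leak_location == leak_location)


# Constructed log format:  <ts> auth <success|failure> user=<name> src=<ip> svc=<service>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def scan_auth_log(lines, honey):
    """Return one alert per authentication event that used a decoy credential.

    Both successes and failures alert: no legitimate user has a reason to
    present a fake credential, so any attempt is high-fidelity.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line; ignored here
        cred = honey.get(m["user"].lower())
        if cred is None:
            continue                      # real account, not a tripwire
        alerts.append({
            "ts": m["ts"],
            "user": cred.username,
            "result": m["result"],
            "src": m["src"],
            "svc": m["svc"],
            "leak_location": cred.leak_location,   # how the adversary got it
            "planted_at": cred.planted_at,
        })
    return alerts


def first_use_by_location(alerts):
    """Earliest observed use of each leaked copy.  The collection time is
    bounded by planted_at on one side and this timestamp on the other."""
    first = {}
    for a in alerts:
        loc = a["leak_location"]
        if loc not in first or a["ts"] < first[loc]:
            first[loc] = a["ts"]
    return first


# --- constructed demonstration data --------------------------------------
SECRET = b"constructed-demo-secret"          # held by the defender only
HONEY = make_honey_credentials(
    "svc-backup",
    ["wiki:/ops/backup-runbook", "git:infra/.env.example", "pastebin:external-leak"],
    SECRET,
    "2024-05-01T09:00:00Z",
)

SAMPLE_LOG = [   # constructed events; two of them use decoy names
    "2024-05-03T02:11:08Z auth success user=alice src=10.0.4.12 svc=vpn",
    f"2024-05-03T02:14:51Z auth failure user={username_for(HONEY, 'git:infra/.env.example')} src=203.0.113.7 svc=vpn",
    "2024-05-03T02:15:02Z auth failure user=bob src=10.0.4.30 svc=ssh",
    f"2024-05-03T02:16:40Z auth success user={username_for(HONEY, 'wiki:/ops/backup-runbook')} src=10.0.9.77 svc=smb",
    "garbage that does not parse",
]

if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_LOG, HONEY):
        print(f"TRIPWIRE {alert['ts']} {alert['user']} {alert['result']} from {alert['src']} "
              f"via {alert['svc']}; planted at {alert['leak_location']} on {alert['planted_at']}")
    print(first_use_by_location(scan_auth_log(SAMPLE_LOG, HONEY)))
```

Two practitioner caveats on the design: in a real deployment the decoy names should follow the environment's existing naming convention rather than carry a visible suffix pattern, or the adversary will recognise them as bait; and a decoy that can actually authenticate (the success case above) is a live account, so it must be confined to the engagement environment and hold no real privileges.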

Engage defines two approaches to make progress towards the Expose goal.

  • Collection allows the defender to capture and review data that the adversary produces during their operations.
  • Detection takes this collected data and turns it into an alert that the defender can use to their advantage.

In many cases, the activities that support the Collection and Detection approaches are also simply good cybersecurity practice. In Engage, however, these activities focus exclusively on the intersection of denial, deception, and adversary engagement technologies and the defender's ability to Expose the adversary.

Details
ID: EGO0001
Type: Engagement

Approaches

Approach Name   Description                                                                                                  ID
Collection      Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary's activity.  EAP0001
Detection       Establish or maintain awareness in regard to adversary activity.                                             EAP0002