Using the Matrix view, you can explore how the various Goals, Approaches, and Activities help you design and structure your adversary engagement operations. Engage gives the cyber defender a common language for planning and discussing engagement operations.
Whether you are planning a single operation for research purposes or a series of operations that generates a continuous threat intelligence feed, MITRE Engage can help.
If you have not already, see the full exploration of the structure and terminology you will find in Engage.
Now that you understand the basic terms and structure of Engage, let's walk through one example of how a defender could use this framework to plan and run an operation. This process was adapted from the process described by Barton Whaley in The Art and Science of Military Deception.
The defender should Develop a Threat Model of both the target adversary and their own organization. A target adversary represents a threat that historically targets your organization or organizations like yours. The target adversary may represent a gap in your threat intelligence, or they may be known to use TTPs that represent a gap in your current defenses. Regardless of the reason, you should have a solid understanding of both the adversary and your own organization before going further.
Using the Threat Model you developed, you must now identify your Strategic Goal. Every operation has a single, explicit Strategic Goal. This goal might be to Expose adversaries on the network to reveal previously unknown threats, to Affect adversaries by imposing a negative resource cost, or to Elicit adversary TTPs by encouraging the adversary to reveal new or more advanced behaviors or capabilities. This goal drives every decision you make from this point forward.
Guided by the chosen Strategic Goal and the Threat Model, use the Engage ATT&CK® Mappings to examine the Tactics and Techniques associated with the adversary. For every Technique, Engage identifies one or more adversary vulnerabilities that the Technique exposes, and the engagement Activities you can use to take advantage of each vulnerability. Using these mappings, you can begin to create the operational Storyboard: an outline of the Activities you will use to encourage the adversary to take the actions you want to see.
Still guided by the Strategic Goal and the Threat Model, continue to expand the Storyboard by creating the Personas and related story elements needed to control what is communicated to the adversary. You cannot control what the adversary thinks, but you can use the Threat Model, Strategic Goal, and Storyboard to shape what the adversary will find in the environment.
Now decide exactly what the adversary will find in the environment. Examine the Approaches and Activities listed under your chosen Engagement Goal in the Matrix to identify which Activities you will use, and determine how each one will be implemented. For each Activity, also decide whether it will be revealed to or concealed from the adversary. For example, you may reveal a Decoy Document to the adversary while concealing the fact that you Manipulated Software to serve as a tripwire that detects adversary movement; the decoy only has value if the adversary finds it, and the tripwire only has value if they do not.
To maintain operational safety and keep the operation focused on the chosen Strategic Goal, you must define key Exit Criteria before deployment. Some of these events are positive: the agreed-upon goals have been met. Others signify that the operation has reached a hard stop, usually because future operational safety cannot be guaranteed or because events have occurred that outweigh the agreed-upon acceptable risk. Finally, the criteria should cover the case where letting the adversary operate any longer risks teaching them something you do not want them to know. Engage stakeholders across roles and skillsets (legal, IT operations, threat intelligence, leadership) to identify and agree on these criteria.
Deploy the monitoring, engagement, and analysis activities. Then wait. Depending on the specifics of the engagement, an operation may take a long time. Note that the deployment, data collection, and threat-model refinement steps (steps 7-9) may repeat continuously throughout an operation so that the operation can be refined incrementally.
Gather all of the operation's data outputs. These may take the form of logs, PCAP, NetFlow, and similar telemetry. Feed this data into an analytics pipeline so that it can be turned into actionable intelligence, such as new IOCs or TTPs.
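The revealed decoy and concealed tripwire from the example above, the pre-agreed Exit Criteria, and the analytics step that turns raw logs into indicators can all be shown on a single small piece of telemetry. The following Python is an added illustration written for this page; it is not code from MITRE Engage. The audit-log format, host names, account names, decoy path, allow-list and the hard-stop criterion (decoy activity seen on a host outside the agreed engagement environment) are all constructed assumptions for the example.

```python
"""Added example: a minimal tripwire analytic for a revealed decoy document.

Illustrative code written for this page, not part of MITRE Engage.
Assumes a hypothetical line-oriented file-access audit log with the format:
  <timestamp> host=<host> user=<user> proc=<process> action=<action> path=<path>
All sample data, host names and account names below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit lines (not real data). One legitimate backup job,
# an interactive user reading and copying the decoy, and a later read of the
# decoy from a host that is NOT part of the engagement environment.
SAMPLE_LOG = """\
2024-03-04T10:02:11Z host=fs01 user=svc_backup proc=backup.exe action=read path=/share/finance/Q1_budget.xlsx
2024-03-04T10:15:40Z host=fs01 user=jdoe proc=explorer.exe action=open path=/share/finance/payroll_2024.xlsx
2024-03-04T10:15:43Z host=fs01 user=jdoe proc=explorer.exe action=read path=/share/finance/payroll_2024.xlsx
2024-03-04T10:16:02Z host=fs01 user=jdoe proc=7z.exe action=copy path=/share/finance/payroll_2024.xlsx
2024-03-04T10:20:00Z host=fs01 user=svc_backup proc=backup.exe action=read path=/share/finance/payroll_2024.xlsx
this line is malformed and must be skipped
2024-03-04T11:02:17Z host=wks22 user=jdoe proc=powershell.exe action=read path=/share/finance/payroll_2024.xlsx
"""

# Revealed artifact: the decoy document the adversary is meant to find.
DECOY_PATHS = {"/share/finance/payroll_2024.xlsx"}

# Concealed tripwire tuning: (user, process) pairs that legitimately touch the
# decoy (here a hypothetical backup job) and must not fire the tripwire.
ALLOWLIST = {("svc_backup", "backup.exe")}

# Constructed Exit Criterion: hosts that make up the agreed engagement
# environment. Decoy activity seen anywhere else is treated as a hard stop.
ENGAGEMENT_HOSTS = {"fs01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tripwire_hits(log_text, decoys=DECOY_PATHS, allowlist=ALLOWLIST):
    """Return every parsed event that touched a decoy and is not allow-listed."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed telemetry is dropped, never trusted
        if ev["path"] not in decoys:
            continue
        if (ev["user"], ev["proc"]) in allowlist:
            continue
        hits.append(ev)
    return hits


def exit_criteria_triggered(hits, engagement_hosts=ENGAGEMENT_HOSTS):
    """Return hits that meet the constructed hard-stop criterion."""
    return [ev for ev in hits if ev["host"] not in engagement_hosts]


def summarize_indicators(hits):
    """Collapse hits into per-(host, user) indicators for the intel feed."""
    summary = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                   "procs": set(), "actions": set(), "count": 0})
    for ev in hits:
        s = summary[(ev["host"], ev["user"])]
        # ISO-8601 timestamps with a fixed layout compare correctly as strings.
        s["first_seen"] = ev["ts"] if s["first_seen"] is None else min(s["first_seen"], ev["ts"])
        s["last_seen"] = ev["ts"] if s["last_seen"] is None else max(s["last_seen"], ev["ts"])
        s["procs"].add(ev["proc"])
        s["actions"].add(ev["action"])
        s["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = tripwire_hits(SAMPLE_LOG)
    for key, s in summarize_indicators(hits).items():
        print(key, s)
    for ev in exit_criteria_triggered(hits):
        print("HARD STOP: decoy activity outside engagement environment:", ev)
```

The allow-list is what keeps the tripwire concealed in practice: a backup job that reads every file would otherwise fire constantly, and the noise would either be silenced (blinding the tripwire) or investigated (risking the discovery that the file is instrumented). The exit-criteria check is deliberately separate from the indicator summary, because the people who agreed on the hard-stop conditions are not necessarily the people running the analytics.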
Any intelligence produced during the operation should be used to Inform the Threat Model and Refine Operational Activities. Where applicable, this intelligence should inform not only future operations but also the larger defensive strategy of your organization.
Finally, examine all of the operational activities to assess what succeeded and what failed. The results of these assessments should Refine Future Operation Activities. Additionally, hold a team Hotwash to assess overall communication and team efficiency while the details are still fresh.