MITRE Engage replaces the MITRE Shield knowledge base. Based on technical feedback from the cyber community, we've streamlined Shield to focus on the areas of denial, deception, and adversary engagement. By bookending these Engagement Activities with strategic planning and analysis, we hope that MITRE Engage will help organizations to better plan and implement real-world adversary engagement strategies.
We're aware that the change from Shield to Engage will create the need for major re-design of processes and tooling. We think these changes are necessary to help cyber practitioners, leaders, and vendors understand the tools and strategies available to them to build adversary engagement operations.
To ensure that MITRE Engage keeps a focus on strategic planning, we have implemented the following changes:
Decreased the number of activities and, in places, broadened the scope of individual activities.
For example, we have folded the Shield Techniques of Decoy Account, Decoy Content, Decoy Credentials, Decoy Process, and Decoy Systems into a single Activity: Decoy Artifacts and Systems. Each of these Shield Techniques may look very different in implementation. However, we believe the reason a defender may utilize one of them, and the effect the activity may have on the adversary, is shared across the various implementations. For example, a defender may use a Decoy Account or Decoy Content as a tripwire. In either case, the defender hopes to expose adversary movement. This release of Engage seeks to abstract away, to a degree, activity implementations to allow the defender to focus on how the activity can impact the adversary and drive progress towards an intended outcome. In future Engage releases we hope to provide more details into specific implementations of a given Activity.
Removed the concepts of Procedures, Use Cases, and Opportunity Spaces.
These changes were an intentional adjustment to remove the focus from individual activities, and instead, focus on how these activities fit into the context of larger strategic objectives. Once we have fully fleshed out this emphasis on strategic planning and analysis, we would like to revisit the idea of Engagement Activities to expand the knowledge base and provide a deeper dive into various implementations and opportunities each activity offers. In the very near future, we would like to introduce the concept of References. References are intended to provide proven, real-world examples of Activity implementations. We are looking to the community to help curate these References. Click here to learn more about how to contribute References and other data to Engage.
Changed the terms Tactics and Techniques to Approaches and Activities.
We wanted to remove any confusion between what we call Approaches and Activities in Engage versus ATT&CK Tactics or Techniques. Additionally, we have added the concept of Goals as a layer above Approaches. We have also divided the Engage Goals, Approaches, and Activities into two categories: Strategic actions and Engagement actions. All these changes were made in order to build strategic planning into the foundation of Engage. For full definitions for each of these actions, click here.
Added the concept of Adversary Vulnerabilities.
Adversary Vulnerabilities are the weaknesses an adversary unintentionally exposes when they engage in a particular behavior. The defender has an opportunity to impact the adversary by taking advantage of such a vulnerability. We have chosen to include Adversary Vulnerabilities in place of Opportunity Spaces to make adversary behavior a focal point of Engage. We feel that this framing helps the defender keep the adversary, and the adversary's behavior, at the center of every operation.
We feel strongly that strategic planning and analysis must be foundational components of every adversary engagement operation. MITRE Engage allows the defender to view the same expertise captured in the Shield knowledge base through this lens of planning and analysis.
While Shield was an active defense knowledge base, MITRE Engage has tightened the focus exclusively to denial, deception, and adversary engagement. We feel that the name Engage more accurately represents this new, more streamlined focus.
As we transition from MITRE Shield to MITRE Engage, you may be asking yourself, “Where do I start?” Below is a step-by-step guide for transitioning from Shield to Engage.
Please note that Approaches have changed significantly from Shield’s original Tactics. With the addition of Goals, we made big changes that make a one-to-one mapping from Tactics to Approaches difficult. Adding Goals as a super category allowed us to make each Approach more focused. As a result, we were able to reduce much of the overlap seen in Shield. While we believe the pros outweigh the cons, we recognize that this makes the conversion from Tactic to Approach more challenging. In the end we believe the change will provide greater clarity and ease of understanding.
We provide three forms of translation tables or "crosswalks" from our previous release Technique IDs to the Engage Activity IDs to help with the transition. The three CSVs are:
We have also created a JSON representation of each CSV for greater machine readability:
We have identified the following 5 key types of changes when mapping Techniques to Activities:
Each of these types of changes is represented in the "Change Type" column of the CSVs or the "change-type" field in the JSON. Some of these changes are simpler to implement than others. To help with the transition, we've outlined the steps below for moving from Shield to Engage.
Step 1: Start with the easy to remap activities first and automate.
For content mapped to Shield, start by replacing the existing technique ID (the value in the "TID" column) with the value in the "New ID" column, if there is one. Next, update the technique name to match the value in "New Activity Name." This remap fixes the majority of the changes for Technique Became Activity, Technique Name was Changed, Technique Name was Changed and Scope was Broadened, and Multiple Techniques Became New Activity. The two remaining cases are New Activity Added, which does not affect any existing mapping, and Deprecated, which we handle in Step 2. In cases where the scope of the Activity was broadened, it's also worth checking the "Notes" field in the CSV or the "explanation" field in the JSON, since the old Technique is now only one component of the new Activity.
Technique Became Activity
For Techniques labeled "Technique Became Activity," the name is the same in Engage as it was in Shield, but note that the definitions and IDs are new. For example, Detonate Malware (Shield: DTE0018) remains Detonate Malware (Engage: EAC0013).
New Activity Added
No mappings from previous Techniques will be impacted. Examples of new Activities include Information Manipulation (EAC0015) and Storyboarding (SAC0003).
Multiple Techniques Became New Activity
For Techniques labeled "Multiple Techniques Became New Activity," a new Activity was created covering the scope and content of multiple previous Techniques. For example, Decoy Account (Shield ID: DTE0010), Decoy Content (Shield ID: DTE0011), Decoy Credentials (Shield ID: DTE0012), Decoy Process (Shield ID: DTE0016), and Decoy Systems (Shield ID: DTE0017) merged into Decoy Artifacts and Systems (EAC0005).
Technique Name was Changed
For Techniques labeled "Technique Name was Changed," a new Activity was created covering the same scope and content of a previous Technique with a new name. For example, Decoy Persona (Shield ID: DTE0015) is now Personas (EAC0012).
Technique Name was Changed and Scope was Broadened
For Techniques labeled "Technique Name was Changed and Scope was Broadened," a new Activity was created with a new name that covers a larger scope and more content than the previous Technique. For example, PCAP Collection (Shield ID: DTE0028) is now one component of Network Monitoring (EAC0002).
Step 2: Look at the deprecated Techniques to see what changed.
This is where some manual effort will be required. Deprecated techniques are not as straightforward. For techniques labeled as "Deprecated," we removed them from Engage without replacing them because we felt they did not fit into Engage. Often, these activities focused more broadly on good cyber hygiene practices, which are no longer in scope for Engage. For example, User Training (Shield ID: DTE0035) was removed because we felt this practice was not within the tighter scope of denial, deception, and adversary engagement.
Step 3: Review if the New Goals Categories Change Your Mappings.
If you want to take full advantage of Engage, it is important to consider each Activity in the context of the Goal it is mapped to. The implementation behind a given Activity is influenced greatly by that Goal. For example, Decoy Artifacts and Systems maps to both Expose and Affect. A Decoy Artifact intended to expose the adversary may be an interesting document with a tripwire. On the other hand, a Decoy Artifact meant to Affect an adversary may be an interesting document that is so large the adversary wastes time attempting to encrypt and exfiltrate it. In both cases, the Decoy Artifact is an interesting document in the environment, but the differing Goals result in different implementations of the document (one has a tripwire, one is massive in size). Make sure each of your existing mappings accurately reflects not only the Activity definition, but also the corresponding Approach and Goal definitions.
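The mechanical part of Steps 1 and 2 is easy to script against the crosswalk CSV. The following Python script is an added example, not MITRE's own tooling: it reads a crosswalk with the column names the guide uses ("TID", "New ID", "New Activity Name", "Change Type", "Notes"), rewrites content that is still tagged with Shield Technique IDs, and produces a review list for everything a person still has to look at. The crosswalk excerpt and the sample playbook entries are constructed from the examples on this page; the real crosswalk files may contain additional columns or rows, and Step 3 (checking each mapping against its Goal) is deliberately left to the human reviewing that list.

```python
"""Remap content tagged with MITRE Shield Technique IDs to MITRE Engage Activity IDs.

Added example for the Shield-to-Engage transition guide (not MITRE tooling).
Step 1: swap the ID, then the name, for the change types that can be remapped
mechanically.  Step 2: route deprecated Techniques to a manual review list
instead of silently dropping them.  Scope-broadened and merged Techniques are
remapped but also flagged, because the result still needs a human look.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed crosswalk excerpt. Column names follow the guide; the rows are the
# page's own examples. The real MITRE crosswalk CSVs may differ in layout.
CROSSWALK_CSV = """\
TID,New ID,New Activity Name,Change Type,Notes
DTE0018,EAC0013,Detonate Malware,Technique Became Activity,
DTE0010,EAC0005,Decoy Artifacts and Systems,Multiple Techniques Became New Activity,
DTE0011,EAC0005,Decoy Artifacts and Systems,Multiple Techniques Became New Activity,
DTE0012,EAC0005,Decoy Artifacts and Systems,Multiple Techniques Became New Activity,
DTE0016,EAC0005,Decoy Artifacts and Systems,Multiple Techniques Became New Activity,
DTE0017,EAC0005,Decoy Artifacts and Systems,Multiple Techniques Became New Activity,
DTE0015,EAC0012,Personas,Technique Name was Changed,
DTE0028,EAC0002,Network Monitoring,Technique Name was Changed and Scope was Broadened,PCAP Collection is one component of Network Monitoring
DTE0035,,,Deprecated,Cyber hygiene practice outside the scope of Engage
"""

# Change types that Step 1 handles mechanically: replace the ID, then the name.
AUTOMATIC_CHANGE_TYPES = {
    "Technique Became Activity",
    "Technique Name was Changed",
    "Technique Name was Changed and Scope was Broadened",
    "Multiple Techniques Became New Activity",
}


@dataclass(frozen=True)
class CrosswalkRow:
    tid: str
    new_id: str
    new_name: str
    change_type: str
    notes: str


def load_crosswalk(csv_text: str) -> dict[str, CrosswalkRow]:
    """Index crosswalk rows by Shield Technique ID (the "TID" column)."""
    rows: dict[str, CrosswalkRow] = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        tid = rec["TID"].strip()
        rows[tid] = CrosswalkRow(
            tid=tid,
            new_id=rec["New ID"].strip(),
            new_name=rec["New Activity Name"].strip(),
            change_type=rec["Change Type"].strip(),
            notes=(rec.get("Notes") or "").strip(),
        )
    return rows


@dataclass
class RemapResult:
    remapped: list[dict] = field(default_factory=list)           # content now keyed on Engage IDs
    review: list[tuple[dict, str]] = field(default_factory=list)  # (content, reason) for a human


def remap_content(content: list[dict], crosswalk: dict[str, CrosswalkRow]) -> RemapResult:
    """Apply the crosswalk to items shaped {"name", "technique_id", "technique_name", ...}."""
    result = RemapResult()
    tagged: set[tuple[str, str]] = set()  # (content name, Engage ID) already emitted
    for item in content:
        tid = item["technique_id"]
        row = crosswalk.get(tid)
        if row is None:
            result.review.append((item, f"{tid}: not in crosswalk (typo or unknown ID?)"))
            continue
        if row.change_type == "Deprecated" or not row.new_id:
            # Step 2: no Engage replacement exists; a person decides whether to drop or re-home it.
            result.review.append((item, f"{tid}: deprecated, {row.notes or 'no replacement'}"))
            continue
        if row.change_type not in AUTOMATIC_CHANGE_TYPES:
            result.review.append((item, f"{tid}: unrecognised change type {row.change_type!r}"))
            continue
        key = (item["name"], row.new_id)
        if key in tagged:
            # Several Shield Techniques collapsing into one Activity (the Decoy family into
            # EAC0005) leaves the same content tagged twice; keep one tag, surface the other.
            result.review.append((item, f"{tid}: duplicate of {row.new_id} after merge, dropped"))
            continue
        tagged.add(key)
        remapped = {k: v for k, v in item.items() if k not in ("technique_id", "technique_name")}
        remapped.update(shield_tid=tid, activity_id=row.new_id, activity_name=row.new_name)
        result.remapped.append(remapped)
        if "Scope was Broadened" in row.change_type:
            # Step 1 caveat: the old Technique is only part of the new Activity; read the Notes.
            result.review.append((remapped, f"{tid} -> {row.new_id}: scope broadened; {row.notes}"))
    return result


# Constructed sample: a deception playbook whose entries are still tagged with Shield IDs.
SAMPLE_CONTENT = [
    {"name": "honeytoken-share", "technique_id": "DTE0011", "technique_name": "Decoy Content"},
    {"name": "honeytoken-share", "technique_id": "DTE0012", "technique_name": "Decoy Credentials"},
    {"name": "sandbox-detonation", "technique_id": "DTE0018", "technique_name": "Detonate Malware"},
    {"name": "decoy-vlan-pcap", "technique_id": "DTE0028", "technique_name": "PCAP Collection"},
    {"name": "phish-awareness", "technique_id": "DTE0035", "technique_name": "User Training"},
    {"name": "fake-admin-persona", "technique_id": "DTE0015", "technique_name": "Decoy Persona"},
]


def run_demo() -> RemapResult:
    return remap_content(SAMPLE_CONTENT, load_crosswalk(CROSSWALK_CSV))


if __name__ == "__main__":
    res = run_demo()
    for r in res.remapped:
        print(f"{r['name']}: {r['shield_tid']} -> {r['activity_id']} ({r['activity_name']})")
    print("needs manual review:")
    for item, reason in res.review:
        print(f"  {item['name']}: {reason}")
```

Swap in the real crosswalk file for CROSSWALK_CSV and your own export of rules, playbooks or control mappings for SAMPLE_CONTENT. The review list is where Step 3 happens: each remapped entry, and especially the merged and scope-broadened ones, should be re-read against the Goal and Approach its new Activity sits under before the mapping is considered done.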
Although previous versions of Shield will remain available on GitHub for the time being, new content will only be added to Engage. We look forward to exploring all the new opportunities these improvements provide. We would like to thank everyone that made these exciting changes possible, including the Engage and Shield Teams (past and present) and the amazing community for your continuous feedback and support.
For those familiar with ATT&CK, this guide attempts to mirror the article published to assist users in switching to ATT&CK with Sub-Techniques.