A goal for Engage was to employ enough structure and rigor to be useful scientifically to the practitioner, without becoming needlessly rigid or complex. We began with terminology found in the DOD Dictionary of Military and Associated Terms, as well as the United States Government Compendium of Interagency and Associated Terms.
We modified those terms to fit the domain of cyber-based adversary engagement:
Adversary Engagement: Engagement is the combination of denial and deception to increase the cost and decrease the value of the adversary’s cyber operations. The goal of adversary engagement is to expose adversaries and their weaknesses, learn about their capabilities and intentions, and impose costs on them.
Cyber Denial: Denial is the ability and effort to prevent or impair the collection of intelligence by an adversary (Heckman 2015). Denial also supports the prevention or disruption of an adversary’s attempt at achieving effects.
Cyber Deception: The deceiver reveals deceptive facts and fictions to mislead the opponent, while concealing critical facts and fictions to prevent the opponent from forming the correct estimates or taking appropriate actions (Heckman 2015).
Goals: The big objectives you would like to accomplish.
Approaches: The methods you use to make progress toward your goals. Engage uses the term Approaches to refer to Tactics like those described in ATT&CK®. We use the term Approaches instead of Tactics to disambiguate when we refer to Engage Approaches versus ATT&CK® Tactics.
Activities: The concrete activities you use to make progress towards each approach. Engage uses the term Activities to refer to Techniques like those described in ATT&CK®. We use the term Activities instead of Techniques to disambiguate between Engage Activities and ATT&CK® Techniques.
Strategic Actions: The goals, approaches, and activities that are undertaken to support your operational strategy.
Engagement Actions: The goals, approaches, and activities that are undertaken against your adversary.
The Engage Matrix consists of the following core components:
These actions are divided into two categories:
Every Goal, Approach, and Activity has a unique ID.
By mapping the various Engagement Activities to ATT&CK®, we can ensure that each activity in Engage is driven by observed adversary behavior. Each mapping is broken down as follows:
In our first release of MITRE Engage, we have chosen not to include any specific activity implementations or use cases in these mappings. To provide some guidance, we have included expanded definitions for each Activity including concrete examples. We hope these definitions will provide some examples of the art of the possible. If you have questions, please reach out! We would be happy to share our past operational implementations or discuss your ideas.
In the future, we hope to find new ways to dive into specific implementations, including collecting open source examples of activity implementations, either from vendor products or individual practitioners.