Mitre unveiled the "beta version" of Engage, the new framework for implementing deception into defense earlier this month. The concept, say its makers, is to deliver not just a better information source, but a way to "engage" with the philosophy of an underutilized concept.
"Deception is a process, not just a bag of tricks," said Maretta Morovitz, Engage lead at Mitre.
Engage is Mitre's second framework for deception. The first was Shield, released in December. While the two contain a lot of the same information, they are not conceptualized in the same way. Shield was more of a knowledge database than a planning aid; a matrix of eight columns of "tactics" defenders might want to pursue, each containing a list of "techniques." It was not built to determine when they would pick any tactic or technique.
Engage is streamlined from Shield with more deliberately chosen language (gone are tactics and techniques, wording that caused confusion with the ATT&CK Framework, and in are "approaches" and "activities.") But above all else, Engage is more oriented towards creating plans than Shield. Mitre hopes that use will follow usability.
Deception is the use of fake files, accounts, and other digital artifacts to alert defenders to the presence of a hacker, perform reconnaissance on an adversary and keep them so busy with the fake information they never move on to the real stuff. It is not a tool in most toolboxes yet. That could be for a couple of reasons. It is a form of defense that assumes breach, which has historically been less palatable to much of the boardroom. It is sometimes lumped in with hack back – a "dirty word," said Morovitz, that can be exceedingly dangerous for defenders and anyone who shares an internet with them. And, for many, it sometimes might feel like a strategy too complex for a less mature security operations center.
"It’s not just for the most elite security teams with a robust SOC," said Morovitz. "Often many deception objectives can be accomplished with technically simple engagement activities. When you think about deception as a process and think strategically about what big objectives you want to accomplish, the defender can hone in on only the activities that will allow her to make progress towards those goals."
The Engage framework makes a lot of changes to better focus on that process. The approaches (formerly: tactics) have been wrapped in three main engagement goals: "expose," exposing an actor in a system, "affect," affecting how an actor interacts with the system, and "elicit," eliciting intelligence from an actor. It also adds the critical idea of strategic goals, preparing in advance what you hope to gain from deception and understanding how new data should update a defensive model."
The framework is very open-ended, emphasizing bespoke strategies for anyone who uses it.
"Questions – for example, what would be the best specific techniques for your specific situation – those are the what the Engage framework directly does not answer. But it makes you question that question and find that answer through your own investigation," said Anubhav Arora, chief technology officer of Fidelis Cybersecurity, which incorporates deception into its defensive products.
Engage is a very usable beta. But Mitre hopes it will undergo near-term and long-term refinement. Near-term, the hope is that it Engage will encourage a standard language for deception, and that stakeholders will help adjust its verbiage to match the current ecosystem as much as possible. Long term, Mitre hopes Engage will help people understand the strategic potentials of deception, potentially driving vendors to explore new markets.
"As the technology matures and grows, we hope to see Engage reflect these new or more mature activities. Right now, the vendors are focused mostly on the Expose activities. Some vendors have some solid offerings that support Affect activities. Very few vendors are looking at elicit activities. As the space matures, we expect to see more organizations moving into the affect and elicit spaces," said Stanley Barr, capability area lead for cyber denial, deception, and adversary engagement.
Mitre is actively soliciting comments on their beta framework, and is organizing focus groups via LinkedIn to refine the product.
"We are trying to find a balance between refinement and stability. We are looking to create a framework that is useful and sustainable while still flexible enough to incorporate community contributions," Barr said.