MITRE released the first official version of its deception framework Engage on Monday after eight months of operating as a public beta. The finalized version 1.0 is more friendly to inexperienced users, less dependent on a matrix of strategies, and more fine-tuned in language.
"When we started this off we had every intention of releasing our V1 in the fall of last year. We thought maybe a few people would notice the beta in August, when we released it. Maybe we'd get a couple comments and then we would put out V1," said Maretta Morovitz, Engage lead at MITRE.
Instead, MITRE heard from more than 100 stakeholders, including 30 organizations, 10 focus groups and comments ranging from the official to people reaching out over social media.
Engage replaces Shield, MITRE's first attempt at a deception product. Shield was conceptualized as more of a knowledge database, with Engage intended as a strategic guide. Engage separates the broad concept of using fake files or servers into several different potential goals, including alerting defenders to an attack, slowing attackers as they traverse a network and providing intelligence on the attackers as they go.
In the public beta, that took the form of a matrix of strategies. MITRE found that many users — new users most of all — needed a product that was a little more user-friendly. The matrix remains at the core of the product, but there are now five other areas on the website for defenders to engage with.
There has been minor restructuring of the matrix along the way. Threat modeling is no longer treated as a single activity and is now split between threat modeling for the enterprise and threat modeling for the adversary.
MITRE has also tweaked the language to make sense across the globe, rather than only in its East Coast U.S. offices.
"It turned out Europeans didn't know what a 'hotwash' was," Morovitz said.
Deception is growing as a strategic concept. MITRE has been working with vendors in the nascent arena to explain how their products map to the Engage framework. Many have built their products around the tripwire aspects of deception, without as much focus on the other strategic benefits it can bring. Morovitz believes that commercially available technologies can often be used in more ways than even their manufacturers currently market.
On the flip side, she also believes that smaller enterprises and less experienced defenders may underappreciate what they could accomplish with free canary tokens and open-source honeypots — it does not have to be a million-dollar venture.
But the biggest conceptual hurdle MITRE sees potential users grapple with is a belief that using deception in cyberdefense is somehow cheating or less honorable than other defensive technology.
"If you go back to history, armies would way rather win on an open battlefield than have a spy or sneak or deceive. There's this ingrained thing that when you do that, it's less of a win," she said. "It is shocking to me how often you say the word deception and people feel like they immediately need their lawyers in the room."
With the new version of the Engage framework out, MITRE hopes to build a community around it to create more collaboration and support among users of deception. That includes incorporating more behavioral research into the craft.
"You have a lot of engineers thinking about this, but we need to be bringing in the behavioral science people and the academic researchers. We're actually working with researchers and PhD students to figure out how to start engaging that community," Morovitz said.