MITRE’s Engage Deception Framework V1.0!
MITRE released the first official version of its deception framework Engage after eight months of operating as a public beta. The finalized version 1.0 is more friendly to inexperienced users, less dependent on a matrix of strategies, and more fine-tuned in language.
MITRE heard from more than 100 stakeholders, including 30 organizations and 10 focus groups, with comments ranging from the official to people reaching out over social media.
Engage replaces Shield, the first attempt at a deception product. Shield was conceptualized as more of a knowledge database, with Engage intended as a strategic guide. Engage separates the broad concept of using fake files or servers into several different potential goals, including alerting defenders to an attack, slowing attackers as they traverse a network and providing intelligence on the attackers as they go.
In the beta version, that took the form of a matrix of strategies. MITRE found that many users, new users most of all, needed a product that was a little more user-friendly. The matrix remains at the core of the product, but there are now five other areas on the website for defenders to engage.
There has been minor restructuring of the matrix along the way. The idea of threat modeling is no longer treated as a single activity and is now split between threat modeling for the enterprise and threat modeling for the adversary.
Deception is growing as a strategic concept. MITRE has been working with vendors in the nascent arena to explain how their products map to the Engage framework. Many have developed their products around the tripwire aspects of deception, without as much focus on the other strategic benefits it can bring.
On the other side, smaller enterprises and less experienced defenders may underappreciate what they could accomplish with free canary tokens and open-source honeypots; it does not have to be a million-dollar venture.
The biggest conceptual hurdle MITRE sees potential users grapple with is a belief that using deception in cyber defense is somehow cheating or less honorable than other defensive technology.
While the new version of the Engage framework is out, MITRE hopes to build a community around the framework to create more collaboration and support among users of deception. That includes incorporating more behavioral research into the craft.