What is MITRE Shield? Active Defense for Advanced Attacks



MITRE, a non-profit organisation, has recently developed an active defence mechanism for ATT&CK tactics and their corresponding techniques. MITRE Shield mainly focuses on limited offensive action and counterattacks against emerging cyber-attacks. Like the MITRE ATT&CK framework, MITRE Shield includes its own specialized tactics and techniques to defend against adversary groups.

The main focus is to proactively defend against emerging cyberattacks and safeguard an organization's networks and IT assets. It presents active defence concepts using an approach similar to MITRE ATT&CK®.

MITRE ATT&CK framework

MITRE ATT&CK is an open-source framework that helps you understand and familiarize yourself with adversary tactics and techniques based on real-world observations. In general, MITRE ATT&CK is a collection of attack techniques used by adversaries during breaches, and it is also used for defensive engagement such as threat modelling and threat hunting.

Active Defence framework

MITRE Shield is likewise a publicly hosted set of proactive countermeasures for actively defending against cyberattacks. The primary focus of the active defence framework is to apply good cyber defence. MITRE Shield currently contains 34 techniques mapped against 8 active defence tactics:

  • Channel
  • Collect
  • Contain
  • Detect
  • Disrupt
  • Facilitate
  • Legitimize
  • Test

Combining MITRE ATT&CK with MITRE Shield offers the potential to create active defence playbooks that address specific adversaries.


  1. To familiarize yourself with defence tactics and techniques
  2. To learn about active defense and adversary engagement
  3. Adversary group mappings
  4. To take limited offensive action and add counterattacks
  5. To help prepare for new attacks in the future


The tactics of active defense are well categorized, which allows defenders to choose a specific technique for active defense and adversary engagement. These tactics serve as useful ways to classify individual defensive techniques.

| Tactic ID | Name | Description |
|---|---|---|
| DTA0001 | Channel | Guide an adversary down a specific path or in a specific direction. |
| DTA0002 | Collect | Gather adversary tools, observe tactics, and collect other raw intelligence about the adversary’s activity. |
| DTA0003 | Contain | Prevent an adversary from moving outside specific bounds or constraints. |
| DTA0004 | Detect | Establish or maintain awareness into what an adversary is doing. |
| DTA0005 | Disrupt | Prevent an adversary from conducting part or all of their mission. |
| DTA0006 | Facilitate | Enable an adversary to conduct part or all of their mission. |
| DTA0007 | Legitimize | Add authenticity to deceptive components to convince an adversary that something is real. |
| DTA0008 | Test | Determine the interests, capabilities, or behaviors of an adversary. |


The techniques of active defense are likewise well categorized. Each one describes something defenders can do in active defense, and the detailed information for each technique gives a clear idea of which tactics it supports.

| Technique ID | Name | Description |
|---|---|---|
| DTE0001 | Admin Access | Modify a user’s administrative privileges. |
| DTE0003 | API Monitoring | Monitor local APIs that might be used by adversary tools and activity. |
| DTE0004 | Application Diversity | Present the adversary with a variety of installed applications and services. |
| DTE0005 | Backup and Recovery | Make copies of key system software, configuration, and data to enable rapid system restoration. |
| DTE0006 | Baseline | Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary. |
| DTE0007 | Behavioral Analytics | Deploy tools that detect unusual system or user behavior. |
| DTE0008 | Burn-In | Exercise a target system in a manner where it will generate desirable system artifacts. |
| DTE0010 | Decoy Account | Create an account that is used for active defense purposes. |
| DTE0011 | Decoy Content | Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc. |
| DTE0012 | Decoy Credentials | Create user credentials that are used for active defense purposes. |
| DTE0013 | Decoy Diversity | Deploy a set of decoy systems with different OS and software configurations. |
| DTE0012 | Decoy Network | Create a target network with a set of target systems, for the purpose of active defense. |
| DTE0013 | Decoy Persona | Develop personal information (aka a backstory) about a user and plant data to support that backstory. |
| DTE0014 | Decoy Process | Execute software on a target system for the purposes of the defender. |
| DTE0015 | Decoy System | Configure a computing system to serve as an attack target or experimental environment. |
| DTE0016 | Detonate Malware | Execute malware under controlled conditions to analyze its functionality. |
| DTE0017 | Email Manipulation | Modify the flow or contents of email. |
| DTE0018 | Hardware Manipulation | Alter the hardware configuration of a system to limit what an adversary can do with the device. |
| DTE0019 | Hunting | Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc. |
| DTE0020 | Isolation | Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits. |
| DTE0021 | Migrate Attack Vector | Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use. |
| DTE0022 | Network Diversity | Use a diverse set of devices on the network to help establish the legitimacy of a decoy network. |
| DTE0023 | Network Manipulation | Make changes to network properties and functions to achieve a desired effect. |
| DTE0024 | Network Monitoring | Monitor network traffic in order to detect adversary activity. |
| DTE0025 | PCAP Collection | Collect full network traffic for future research and analysis. |
| DTE0026 | Peripheral Management | Manage peripheral devices used on systems within the network for active defense purposes. |
| DTE0027 | Pocket Litter | Place data on a system to reinforce the legitimacy of the system or user. |
| DTE0028 | Protocol Decoder | Use software designed to deobfuscate or decrypt adversary command and control (C2) or data exfiltration traffic. |
| DTE0029 | Security Controls | Alter security controls to make the system more or less vulnerable to attack. |
| DTE0030 | Standard Operating Procedure | Establish a structured way of interacting with systems so that non-standard interactions are more easily detectable. |
| DTE0031 | System Activity Monitoring | Collect system activity logs which can reveal adversary activity. |
| DTE0032 | User Training | Train users to detect malicious intent or activity, how to report it, etc. |
| DTE0033 | Software Manipulation | Make changes to a system’s software properties and functions to achieve a desired effect. |
