Infosec Institute -
The MITRE ATT&CK framework is likely the MITRE Corporation’s most famous cybersecurity tool, but it is not the only one. To complement the offensively-focused ATT&CK framework, MITRE recently released the Shield framework. MITRE Shield focuses on active defense or how defenders can proactively protect against cyberattacks.
The MITRE Shield framework is organized similarly to MITRE ATT&CK with tactics defining operational objectives and techniques describing specific ways to accomplish these goals.
Across multiple different tactics, MITRE Shield discusses monitoring, which provides visibility that is essential for effective active defense.
Network monitoring for active defense
Monitoring can be performed at multiple different levels within an organization’s environment. Since most cyberattacks come over the network and the network is used for lateral movement within an organization’s environment, monitoring at the network level is a logical component of an active defense strategy.
At the network level, monitoring is focused on traffic collection and analysis. Traffic collection is relatively simple if an organization controls the infrastructure that the traffic flows over.
Analysis can be more complex due to the vast amount of network traffic in the average enterprise and the complexity of this traffic. Starting with high-level statistics and expanding to more