Infosec Institute -
MITRE ATT&CK is a well-known cybersecurity tool that breaks the lifecycle of a cyberattack into discrete goals an attacker may pursue (called “tactics”). For each tactic, ATT&CK defines several techniques for accomplishing that goal.
MITRE Shield is a newer tool in the same vein as MITRE ATT&CK. Instead of focusing on offensive cybersecurity, it describes tactics and techniques that defenders can employ to proactively defend against an attacker via active defense.
When implementing active defense, network-level data collection and deception are critical parts of the strategy. Network-level techniques appear across many tactics of the MITRE Shield framework.
PCAP collection for active defense
Many of an attacker’s activities during a campaign are performed over the network. Initial access is often gained over the network, and network traffic is created when an attacker is exploring and expanding their foothold within an organization’s environment.
This makes visibility into the network level essential for active defense.
An organization might want to collect network traffic data for a variety of different purposes. Analyzing network traffic at an enterprise scale can enable a company to detect known threats or identify anomalies within an organization’s network.
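To make the "detect known threats or identify anomalies" use concrete, here is an added example (not code from the article or from MITRE) that reads a libpcap file with only the Python standard library, pulls the IPv4/TCP headers out of each Ethernet frame, and flags any source address that sent bare SYNs to an unusually large number of distinct host:port pairs, a simple indicator of port scanning. The capture it analyzes is constructed inline from documentation address ranges (192.0.2.0/24 and 198.51.100.0/24) rather than taken from a real network, and the threshold of 10 distinct targets is an assumed tuning value.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap file (used here to construct test data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = []
    for ts, frame in enumerate(frames):
        records.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def iter_records(pcap_bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a libpcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap format or link type")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield ts_sec, pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length honours options
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13]


def find_scan_sources(pcap_bytes, threshold=10):
    """Count distinct (dst, port) pairs each source sent a bare SYN to (SYN set, ACK clear)
    and return only the sources at or above the threshold. Threshold is an assumed value."""
    targets = defaultdict(set)
    for _, frame in iter_records(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:            # non-IPv4 or non-TCP frames are skipped, not errors
            continue
        src, dst, _, dport, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            targets[src].add((dst, dport))
    return {src: len(pairs) for src, pairs in targets.items() if len(pairs) >= threshold}


# Constructed sample capture: one host probing 25 ports on a server, one host making three
# ordinary connections to port 443, one SYN-ACK reply from the server, and one ARP frame.
SAMPLE_FRAMES = (
    [build_tcp_frame("192.0.2.10", "198.51.100.5", 40000 + p, p, TCP_SYN) for p in range(1, 26)]
    + [build_tcp_frame("192.0.2.20", "198.51.100.5", 50000 + i, 443, TCP_SYN) for i in range(3)]
    + [build_tcp_frame("198.51.100.5", "192.0.2.20", 443, 50000, TCP_SYN | TCP_ACK)]
    + [struct.pack("!6s6sH", b"\xff" * 6, b"\xaa" * 6, ETHERTYPE_ARP) + b"\x00" * 28]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, count in find_scan_sources(SAMPLE_PCAP).items():
        print(f"{src} sent bare SYNs to {count} distinct host:port pairs")
```

Only the probing host is reported; the three repeat connections to a single service collapse to one distinct pair, and the SYN-ACK reply is ignored because the detector keys on connection attempts rather than responses. On a real capture, `build_pcap` would be replaced by reading the file and the threshold tuned against a baseline of normal traffic so that legitimate monitoring or load-balancing hosts are not flagged.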
Alternatively, network traffic collection can