npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When an organization owns deception tooling (honeypots, honeytokens, canary tokens, decoy files) but deploys it tactically with no unifying strategy or measurable outcome.
- When leadership asks whether the organization should engage adversaries, and what the legal, operational, and resourcing implications are.
- When writing a formal adversary engagement operation plan that must justify every deployed deceptive artifact against a strategic goal.
- When selecting which specific deception Activities to deploy against a known or suspected threat actor based on that actor's ATT&CK TTPs.
- When building a denial, deception, and adversary engagement (DD&AE) program that must integrate with existing SOC, threat intel, and incident response functions.
- When a deception deployment generates alerts that nobody knows how to act on, because Expose was never connected to Affect or Elicit goals.
This skill is the strategy and operations layer that sits above tactical deployment skills (honeypot, honeytoken, canary-token, and decoy-file deployment). Use those skills to implement the Activities this skill selects and sequences.
Prerequisites
- Familiarity with MITRE ATT&CK (tactics, techniques, and how to read a technique page), because Engagement Activities are mapped to the ATT&CK techniques they expose.
- A documented set of critical assets and an understanding of which adversaries plausibly target them (a threat model or prioritized threat actor list).
- Executive sponsorship and a written legal review. Engagement operations interact with live adversaries and raise entrapment, evidence-handling, and liability questions; never run an engagement operation without legal sign-off.
- An existing detection and response capability. Engage is an additive strategy, not a replacement for defense-in-depth; if a defense-in-depth control fails, engagement keeps you in control rather than blind.
- Access to the live matrix at https://engage.mitre.org/matrix/ for canonical Activity names and IDs.
Workflow
Engage operations follow the 10-Step Operational Process. The matrix is linear to read but cyclical to run — you continuously realign Activities toward your Goals as the adversary reacts.
1. Confirm strategic fit (Prepare)
Decide where denial, deception, and adversary engagement fit in the existing cyber strategy. The Prepare goal (a strategic bookend, alongside Understand) defines the inputs to the operation. Document the strategic goal in plain language, e.g. "reduce dwell time of insider threats around the source-code repository" or "generate first-party CTI on the actor targeting our VPN."
2. Define Engagement Goals and Operational Objectives
Select from the three Engagement Goals. Goals set direction; Operational Objectives take measurable steps in that direction.
| Engagement Goal (EGO) | What it does | Example Operational Objective |
|---|---|---|
| Expose | Reveal adversary presence with high-fidelity, low-false-positive alerts | "Alert within 5 minutes of any touch on a decoy credential" |
| Affect | Negatively change the adversary's cost-value calculation (defender network only) | "Redirect the adversary away from 3 unpatchable legacy hosts" |
| Elicit | Observe the adversary to learn TTPs and produce CTI | "Obtain a second-stage malware sample" or "identify ≥10 new indicators" |
Write objectives as falsifiable, time-bound statements. A goal without an objective is unmeasurable.
3. Build the threat model and select Approaches
For each Goal, pick the Engagement Approaches (EAP) that fit the adversary you modeled:
- Expose → Collection, Detection
- Affect → Prevention, Direction, Disruption
- Elicit → Reassurance, Motivation
4. Map ATT&CK techniques to Engagement Activities
For each technique your target adversary uses, find the Engage Activity that exposes the weakness that technique creates. Example mappings:
| Adversary technique (ATT&CK) | Weakness exposed | Engage Activity (EAC) |
|---|---|---|
| T1078 Valid Accounts | Must test credentials | Decoy Credentials, Lures |
| T1083 File & Directory Discovery | Must enumerate files | Decoy Content, Pocket Litter |
| T1046 Network Service Discovery | Must scan the network | Network Diversity, Decoy Systems |
| T1021 Remote Services | Must move laterally | Decoy Systems, Network Manipulation |
| T1552 Unsecured Credentials | Harvests secrets | Decoy Credentials, Artifact Diversity |
Pull the authoritative Activity list and IDs from the live matrix; Engage IDs use the prefixes SGO/EGO (Goals), SAP/EAP (Approaches), and SAC/EAC (Activities).
5. Design the engagement environment
Decide realism and isolation. Choose between standalone, connected, or integrated decoy environments (see D3FEND honeynet types in references/standards.md). Populate it with diverse, believable artifacts — Persona Creation, Pocket Litter, Artifact Diversity, Application Diversity — so the environment survives adversary scrutiny.
6. Define gating criteria and rules of engagement
Document, before deployment: what the adversary is allowed to reach, the maximum blast radius, the trigger for tear-down or hand-off to IR, evidence preservation steps, and who has authority to escalate. Affect Activities are limited to the defender's own network — never act on infrastructure you do not own.
7. Deploy the Activities
Implement the selected Activities using the tactical deployment skills (honeypots, honeytokens, canary tokens, decoy files). Instrument every artifact so a touch produces telemetry routed to the SOC.
8. Operate and observe
Run the operation. Triage Expose alerts as high-fidelity (a touch on a decoy almost always means malicious or unauthorized activity). Feed observations back into Approach selection — realign Affect/Elicit Activities as the adversary behaves.
9. Analyze (Understand)
The Understand goal (the output bookend) turns observations into decisions: new detections for production, CTI for sharing, and validated or invalidated threat-model assumptions.
10. After-action and feedback
Score the operation against the Operational Objectives from Step 2. Capture what intel was gained, what Activities triggered, dwell time, and lessons learned. Update the threat model and feed the next cycle.
Key Concepts
| Concept | Definition |
|---|---|
| Goal (SGO/EGO) | High-level outcome of the operation. Prepare/Understand are strategic bookends; Expose/Affect/Elicit are the engagement goals. |
| Approach (SAP/EAP) | The method used to make progress toward a Goal (e.g., Detection, Direction, Motivation). |
| Activity (SAC/EAC) | The concrete denial/deception action deployed (e.g., Decoy Credentials, Network Manipulation). |
| Operate | The default matrix view = Expose + Affect + Elicit, the three engagement goals. |
| Operational Objective | A measurable, time-bound target that operationalizes a Goal. |
| Gating Criteria | Pre-defined boundaries and triggers that constrain the operation's blast radius. |
| High-fidelity alert | An alert from a decoy that legitimate users have no reason to touch, yielding near-zero false positives. |
| Denial vs. Deception | Denial blocks the adversary's access to real information; deception feeds plausible false information. |
Tools & Systems
- MITRE Engage Matrix and Starter Kit (https://engage.mitre.org) — canonical Goals/Approaches/Activities, the 10-Step Process, and operation-planning worksheets.
- MITRE ATT&CK Navigator — to lay out the target adversary's techniques and overlay selected Engagement Activities.
- MITRE D3FEND — the
Deceivetactic provides defensive countermeasure naming (Decoy Environment, Decoy Object, honeynet types) that complements Engage. - Deception platforms / open tooling — OpenCanary, T-Pot, Cowrie (honeypots); Canarytokens, Thinkst Canary (honeytokens); to implement selected Activities.
- SIEM/SOAR — to route decoy telemetry to high-priority detections and automate Expose → IR hand-off.
- CTI platform (MISP, OpenCTI) — to store and share the first-party intelligence produced under the Elicit goal.
Common Scenarios
- "We have honeypots but no value." Map existing honeypots to the Expose goal, define an Operational Objective (alert latency, dwell-time reduction), and connect alerts to an IR hand-off so the deployment produces decisions, not noise.
- "Targeted by a specific actor." Build the actor's ATT&CK technique set, map each to the Activity that exposes it, and prioritize the smallest set of Activities that covers the actor's likely kill chain.
- "Protect unpatchable legacy systems." Use Affect Activities (Direction, Network Manipulation, decoys) to steer adversaries away from systems that cannot be remediated.
- "Tired of CVE whack-a-mole." Use the Elicit goal to generate a first-party CTI feed so defense is driven by observed adversary TTPs rather than the vulnerability of the week.
- "Insider threat near critical data." Seed Expose Activities (Decoy Content, Decoy Credentials, Pocket Litter) around the crown-jewel asset for high-fidelity detection of unauthorized internal access.
Output Format
Produce an Adversary Engagement Operation Plan using assets/template.md, containing:
- Strategic context — where DD&AE fits the cyber strategy; executive sponsor; legal sign-off reference.
- Engagement Goals + Operational Objectives — each objective falsifiable and time-bound.
- Threat model — target adversary, prioritized ATT&CK techniques.
- Activity selection matrix — technique → exposed weakness → selected Engage Activity (with EAC IDs) → tactical deployment owner.
- Engagement environment design — realism, isolation/honeynet type, artifact diversity plan.
- Gating criteria and rules of engagement — blast radius, tear-down triggers, evidence handling, escalation authority.
- Measurement plan — metrics per objective (alert latency, dwell time, indicators gained, samples obtained).
- After-action report — objectives met/missed, intel produced, detections promoted to production, threat-model updates.
Use scripts/process.py to validate technique→Activity coverage and generate the operation-plan skeleton from a threat-model input.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
standards.md4.4 KB
MITRE Engage — Standards & Framework Reference
Primary framework
MITRE Engage™ v1.0
- Publisher: The MITRE Corporation
- Version: 1.0, last updated 2022-02-28
- Home: https://engage.mitre.org
- Live Matrix: https://engage.mitre.org/matrix/ (authoritative source for all Goal/Approach/Activity names and IDs)
- Starter Kit: https://engage.mitre.org/starter-kit/ (10-Step Process, planning worksheets, whitepapers)
- Predecessor: MITRE Shield (Engage supersedes and restructures Shield).
- Note: Engage is a framework for planning and discussing denial, deception, and adversary engagement. It is not a tool; it provides a shared language across defenders, vendors, and decision-makers.
Engage Matrix structure
Five columns (Goals): Prepare · Expose · Affect · Elicit · Understand
- Prepare and Understand are strategic bookends (operation inputs and outputs).
- Expose, Affect, Elicit are the three Engagement goals; together they form the default Operate view and are mapped to MITRE ATT&CK.
ID prefixes (verified from engage.mitre.org)
| Component | Strategic prefix | Engagement prefix |
|---|---|---|
| Goals | SGO | EGO |
| Approaches | SAP | EAP |
| Activities | SAC | EAC |
Always resolve specific numeric IDs (e.g., the EAC for "Decoy Credentials") against the live matrix rather than from memory.
Engagement Approaches (EAP) by Goal
- Expose → Collection, Detection
- Affect → Prevention, Direction, Disruption
- Elicit → Reassurance, Motivation
Representative Engagement Activities (EAC), by name
Decoy Credentials · Decoy Content · Decoy Account · Decoy Diversity · Lures · Pocket Litter · Persona Creation · Artifact Diversity · Network Diversity · Application Diversity · Email Manipulation · Network Manipulation · Software Manipulation · Hardware Manipulation · Security Controls · Isolation · Attack Vector Migration · Peripheral Management · Baseline · Network Monitoring · System Activity Monitoring · API Monitoring · Malware Detonation · Burn-In · Introduced Vulnerabilities.
The matrix maps each Activity to the ATT&CK techniques whose execution exposes an adversary weakness. Use the Navigator overlay to confirm current mappings.
Operating principle: Affect is defender-network-only
All Affect Activities are constrained to infrastructure the defender owns and controls. Acting on adversary or third-party infrastructure is out of scope and creates legal exposure.
Complementary frameworks
MITRE ATT&CK
- https://attack.mitre.org — the technique catalog used to model the target adversary. Engagement Activities exist to exploit the weaknesses adversary techniques create.
MITRE D3FEND — Deceive tactic
D3FEND (https://d3fend.mitre.org) provides defensive-technique naming that pairs with Engage. The Deceive tactic includes:
- Decoy Environment: Connected Honeynet, Integrated Honeynet, Standalone Honeynet
- Decoy Object: Decoy File, Decoy Network Resource, Decoy Persona, Decoy Public Release, Decoy Session Token, Decoy User Credential
Use D3FEND honeynet types when documenting environment isolation in the operation plan:
- Standalone Honeynet — fully isolated; safest; least realistic to a sophisticated adversary.
- Connected Honeynet — bridged to production paths to appear reachable; moderate risk.
- Integrated Honeynet — decoys interleaved with production assets; most realistic; highest operational risk and tightest gating required.
NIST CSF 2.0 alignment
| CSF 2.0 ID | Relevance to adversary engagement |
|---|---|
| GV.RM-01 | Risk management objectives established — anchors the strategic Prepare goal |
| ID.RA-01 | Vulnerabilities identified — informs which weaknesses to expose |
| ID.IM-02 | Security testing / improvement — engagement operations validate detections |
| DE.CM-01 | Networks monitored to find adverse events — Expose Activities feed monitoring |
| DE.AE-02 | Potentially adverse events analyzed — triage of decoy alerts |
Legal & ethical references
- Engagement operations interact with live adversaries; obtain written legal review before deployment.
- Preserve evidence per the organization's incident-response and forensics procedures (chain of custody).
- Coordinate with law enforcement engagement policy where applicable.
- Document rules of engagement and gating criteria before any Activity is deployed.
Scripts 1
process.py6.5 KB
#!/usr/bin/env python3
"""
MITRE Engage operation planner.
Given a threat model (a list of ATT&CK technique IDs the target adversary uses),
this maps each technique to the Engage Activities that expose its weakness,
reports coverage gaps, and emits an Adversary Engagement Operation Plan skeleton.
The embedded ATT&CK -> Engage Activity table is a *starter* map. Reconcile against
the live matrix at https://engage.mitre.org/matrix/ before operational use.
Usage:
python process.py --threat-model tm.json --out plan.md
python process.py --list-techniques
tm.json format:
{
"operation_name": "VPN-actor engagement",
"target_actor": "Suspected access broker",
"strategic_goal": "Generate first-party CTI on the VPN actor",
"techniques": ["T1078", "T1046", "T1021", "T1552"]
}
"""
import argparse
import json
import sys
from datetime import date
# Starter map: ATT&CK technique -> (short name, [candidate Engage Activities]).
# Activities use canonical Engage names; resolve EAC numeric IDs from the live matrix.
TECHNIQUE_TO_ACTIVITIES = {
"T1078": ("Valid Accounts", ["Decoy Credentials", "Lures", "Decoy Account"]),
"T1110": ("Brute Force", ["Decoy Credentials", "Security Controls"]),
"T1552": ("Unsecured Credentials", ["Decoy Credentials", "Artifact Diversity", "Pocket Litter"]),
"T1083": ("File and Directory Discovery", ["Decoy Content", "Pocket Litter", "Artifact Diversity"]),
"T1046": ("Network Service Discovery", ["Network Diversity", "Network Manipulation"]),
"T1021": ("Remote Services", ["Network Manipulation", "Isolation", "Decoy Content"]),
"T1018": ("Remote System Discovery", ["Network Diversity", "Decoy Content"]),
"T1057": ("Process Discovery", ["System Activity Monitoring", "Software Manipulation"]),
"T1071": ("Application Layer Protocol (C2)", ["Network Monitoring", "Network Manipulation"]),
"T1105": ("Ingress Tool Transfer", ["Malware Detonation", "Network Monitoring"]),
"T1190": ("Exploit Public-Facing Application", ["Introduced Vulnerabilities", "Application Diversity"]),
"T1059": ("Command and Scripting Interpreter", ["System Activity Monitoring", "API Monitoring"]),
"T1567": ("Exfiltration Over Web Service", ["Network Monitoring", "Decoy Content"]),
}
ENGAGEMENT_GOALS = ["Expose", "Affect", "Elicit"]
def build_coverage(techniques):
covered, gaps = {}, []
for t in techniques:
t = t.strip().upper()
if t in TECHNIQUE_TO_ACTIVITIES:
name, acts = TECHNIQUE_TO_ACTIVITIES[t]
covered[t] = {"name": name, "activities": acts}
else:
gaps.append(t)
return covered, gaps
def render_plan(tm, covered, gaps):
lines = []
lines.append(f"# Adversary Engagement Operation Plan: {tm.get('operation_name', 'UNNAMED')}")
lines.append(f"\n_Generated {date.today().isoformat()} — DRAFT, requires legal sign-off before deployment._\n")
lines.append("## 1. Strategic context")
lines.append(f"- **Target actor:** {tm.get('target_actor', 'TBD')}")
lines.append(f"- **Strategic goal (Prepare):** {tm.get('strategic_goal', 'TBD')}")
lines.append("- **Executive sponsor:** TBD")
lines.append("- **Legal sign-off reference:** TBD (REQUIRED before deployment)\n")
lines.append("## 2. Engagement Goals + Operational Objectives")
for g in ENGAGEMENT_GOALS:
lines.append(f"- **{g}:** define ≥1 falsifiable, time-bound objective (e.g., alert latency, dwell-time reduction, indicators gained).")
lines.append("")
lines.append("## 3. Activity selection matrix")
lines.append("| ATT&CK | Technique | Weakness → Engage Activities | Deployment owner |")
lines.append("|---|---|---|---|")
for t, info in covered.items():
acts = ", ".join(info["activities"])
lines.append(f"| {t} | {info['name']} | {acts} | TBD |")
if not covered:
lines.append("| — | — | (no mapped techniques) | — |")
lines.append("")
if gaps:
lines.append("## 3a. Coverage GAPS (no starter mapping — check live matrix)")
for t in gaps:
lines.append(f"- {t}: resolve against https://engage.mitre.org/matrix/")
lines.append("")
lines.append("## 4. Engagement environment design")
lines.append("- Honeynet type (standalone / connected / integrated): TBD")
lines.append("- Artifact diversity plan (Persona Creation, Pocket Litter, Artifact/Application/Network Diversity): TBD\n")
lines.append("## 5. Gating criteria & rules of engagement")
lines.append("- Max blast radius: TBD")
lines.append("- Tear-down / IR hand-off trigger: TBD")
lines.append("- Evidence handling & chain of custody: TBD")
lines.append("- Escalation authority: TBD")
lines.append("- Affect Activities limited to defender-owned network only (hard constraint).\n")
lines.append("## 6. Measurement plan")
lines.append("- Metric per objective; baseline before deployment; review cadence: TBD\n")
lines.append("## 7. After-action report (post-operation)")
lines.append("- Objectives met/missed, intel produced, detections promoted to production, threat-model updates: TBD")
return "\n".join(lines)
def main():
p = argparse.ArgumentParser(description="MITRE Engage operation planner")
p.add_argument("--threat-model", help="Path to threat-model JSON")
p.add_argument("--out", help="Output markdown path (default: stdout)")
p.add_argument("--list-techniques", action="store_true", help="List techniques in the starter map")
args = p.parse_args()
if args.list_techniques:
for t, (name, acts) in sorted(TECHNIQUE_TO_ACTIVITIES.items()):
print(f"{t:8} {name:40} -> {', '.join(acts)}")
return
if not args.threat_model:
p.error("--threat-model is required (or use --list-techniques)")
with open(args.threat_model) as f:
tm = json.load(f)
techniques = tm.get("techniques", [])
if not techniques:
print("WARNING: threat model has no 'techniques' list", file=sys.stderr)
covered, gaps = build_coverage(techniques)
total = len(techniques)
pct = (len(covered) / total * 100) if total else 0
print(f"Coverage: {len(covered)}/{total} techniques mapped ({pct:.0f}%); {len(gaps)} gap(s).",
file=sys.stderr)
plan = render_plan(tm, covered, gaps)
if args.out:
with open(args.out, "w") as f:
f.write(plan + "\n")
print(f"Wrote operation plan -> {args.out}", file=sys.stderr)
else:
print(plan)
if __name__ == "__main__":
main()