deception technology

Designing Adversary Engagement with MITRE Engage

Plan, run, and measure an adversary engagement operation using the MITRE Engage framework so that deployed deception is driven by strategy instead of deployed ad hoc. Covers the Engage Matrix (Prepare, Expose, Affect, Elicit, Understand), the 10-Step Operational Process, mapping engagement Activities to the ATT&CK techniques they expose, and defining measurable Goals and Operational Objectives. Use when a team has honeypots, honeytokens, or canary tokens but no coordinating strategy, when leadership asks "should we engage attackers and how", when building a deception/denial program, when writing an adversary engagement operation plan, or when deciding which deception Activities to deploy against a specific threat actor. Keywords: MITRE Engage, adversary engagement, cyber deception strategy, denial and deception, Engage Matrix, EAC, EGO, Expose Affect Elicit, deception program, honeypot strategy, engagement operation.

adversary-engagementcyber-deceptiondeceptiondenial-and-deceptiondetection-engineeringengage-matrixmitre-engagethreat-intelligence
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When an organization owns deception tooling (honeypots, honeytokens, canary tokens, decoy files) but deploys it tactically with no unifying strategy or measurable outcome.
  • When leadership asks whether the organization should engage adversaries, and what the legal, operational, and resourcing implications are.
  • When writing a formal adversary engagement operation plan that must justify every deployed deceptive artifact against a strategic goal.
  • When selecting which specific deception Activities to deploy against a known or suspected threat actor based on that actor's ATT&CK TTPs.
  • When building a denial, deception, and adversary engagement (DD&AE) program that must integrate with existing SOC, threat intel, and incident response functions.
  • When a deception deployment generates alerts that nobody knows how to act on, because Expose was never connected to Affect or Elicit goals.

This skill is the strategy and operations layer that sits above tactical deployment skills (honeypot, honeytoken, canary-token, and decoy-file deployment). Use those skills to implement the Activities this skill selects and sequences.

Prerequisites

  • Familiarity with MITRE ATT&CK (tactics, techniques, and how to read a technique page), because Engagement Activities are mapped to the ATT&CK techniques they expose.
  • A documented set of critical assets and an understanding of which adversaries plausibly target them (a threat model or prioritized threat actor list).
  • Executive sponsorship and a written legal review. Engagement operations interact with live adversaries and raise entrapment, evidence-handling, and liability questions; never run an engagement operation without legal sign-off.
  • An existing detection and response capability. Engage is an additive strategy, not a replacement for defense-in-depth; if a defense-in-depth control fails, engagement keeps you in control rather than blind.
  • Access to the live matrix at https://engage.mitre.org/matrix/ for canonical Activity names and IDs.

Workflow

Engage operations follow the 10-Step Operational Process. The matrix is linear to read but cyclical to run — you continuously realign Activities toward your Goals as the adversary reacts.

1. Confirm strategic fit (Prepare)

Decide where denial, deception, and adversary engagement fit in the existing cyber strategy. The Prepare goal (a strategic bookend, alongside Understand) defines the inputs to the operation. Document the strategic goal in plain language, e.g. "reduce dwell time of insider threats around the source-code repository" or "generate first-party CTI on the actor targeting our VPN."

2. Define Engagement Goals and Operational Objectives

Select from the three Engagement Goals. Goals set direction; Operational Objectives take measurable steps in that direction.

Engagement Goal (EGO) What it does Example Operational Objective
Expose Reveal adversary presence with high-fidelity, low-false-positive alerts "Alert within 5 minutes of any touch on a decoy credential"
Affect Negatively change the adversary's cost-value calculation (defender network only) "Redirect the adversary away from 3 unpatchable legacy hosts"
Elicit Observe the adversary to learn TTPs and produce CTI "Obtain a second-stage malware sample" or "identify ≥10 new indicators"

Write objectives as falsifiable, time-bound statements. A goal without an objective is unmeasurable.

3. Build the threat model and select Approaches

For each Goal, pick the Engagement Approaches (EAP) that fit the adversary you modeled:

  • Expose → Collection, Detection
  • Affect → Prevention, Direction, Disruption
  • Elicit → Reassurance, Motivation

4. Map ATT&CK techniques to Engagement Activities

For each technique your target adversary uses, find the Engage Activity that exposes the weakness that technique creates. Example mappings:

Adversary technique (ATT&CK) Weakness exposed Engage Activity (EAC)
T1078 Valid Accounts Must test credentials Decoy Credentials, Lures
T1083 File & Directory Discovery Must enumerate files Decoy Content, Pocket Litter
T1046 Network Service Discovery Must scan the network Network Diversity, Decoy Systems
T1021 Remote Services Must move laterally Decoy Systems, Network Manipulation
T1552 Unsecured Credentials Harvests secrets Decoy Credentials, Artifact Diversity

Pull the authoritative Activity list and IDs from the live matrix; Engage IDs use the prefixes SGO/EGO (Goals), SAP/EAP (Approaches), and SAC/EAC (Activities).

5. Design the engagement environment

Decide realism and isolation. Choose between standalone, connected, or integrated decoy environments (see D3FEND honeynet types in references/standards.md). Populate it with diverse, believable artifacts — Persona Creation, Pocket Litter, Artifact Diversity, Application Diversity — so the environment survives adversary scrutiny.

6. Define gating criteria and rules of engagement

Document, before deployment: what the adversary is allowed to reach, the maximum blast radius, the trigger for tear-down or hand-off to IR, evidence preservation steps, and who has authority to escalate. Affect Activities are limited to the defender's own network — never act on infrastructure you do not own.

7. Deploy the Activities

Implement the selected Activities using the tactical deployment skills (honeypots, honeytokens, canary tokens, decoy files). Instrument every artifact so a touch produces telemetry routed to the SOC.

8. Operate and observe

Run the operation. Triage Expose alerts as high-fidelity (a touch on a decoy almost always means malicious or unauthorized activity). Feed observations back into Approach selection — realign Affect/Elicit Activities as the adversary behaves.

9. Analyze (Understand)

The Understand goal (the output bookend) turns observations into decisions: new detections for production, CTI for sharing, and validated or invalidated threat-model assumptions.

10. After-action and feedback

Score the operation against the Operational Objectives from Step 2. Capture what intel was gained, what Activities triggered, dwell time, and lessons learned. Update the threat model and feed the next cycle.

Key Concepts

Concept Definition
Goal (SGO/EGO) High-level outcome of the operation. Prepare/Understand are strategic bookends; Expose/Affect/Elicit are the engagement goals.
Approach (SAP/EAP) The method used to make progress toward a Goal (e.g., Detection, Direction, Motivation).
Activity (SAC/EAC) The concrete denial/deception action deployed (e.g., Decoy Credentials, Network Manipulation).
Operate The default matrix view = Expose + Affect + Elicit, the three engagement goals.
Operational Objective A measurable, time-bound target that operationalizes a Goal.
Gating Criteria Pre-defined boundaries and triggers that constrain the operation's blast radius.
High-fidelity alert An alert from a decoy that legitimate users have no reason to touch, yielding near-zero false positives.
Denial vs. Deception Denial blocks the adversary's access to real information; deception feeds plausible false information.

Tools & Systems

  • MITRE Engage Matrix and Starter Kit (https://engage.mitre.org) — canonical Goals/Approaches/Activities, the 10-Step Process, and operation-planning worksheets.
  • MITRE ATT&CK Navigator — to lay out the target adversary's techniques and overlay selected Engagement Activities.
  • MITRE D3FEND — the Deceive tactic provides defensive countermeasure naming (Decoy Environment, Decoy Object, honeynet types) that complements Engage.
  • Deception platforms / open tooling — OpenCanary, T-Pot, Cowrie (honeypots); Canarytokens, Thinkst Canary (honeytokens); to implement selected Activities.
  • SIEM/SOAR — to route decoy telemetry to high-priority detections and automate Expose → IR hand-off.
  • CTI platform (MISP, OpenCTI) — to store and share the first-party intelligence produced under the Elicit goal.

Common Scenarios

  • "We have honeypots but no value." Map existing honeypots to the Expose goal, define an Operational Objective (alert latency, dwell-time reduction), and connect alerts to an IR hand-off so the deployment produces decisions, not noise.
  • "Targeted by a specific actor." Build the actor's ATT&CK technique set, map each to the Activity that exposes it, and prioritize the smallest set of Activities that covers the actor's likely kill chain.
  • "Protect unpatchable legacy systems." Use Affect Activities (Direction, Network Manipulation, decoys) to steer adversaries away from systems that cannot be remediated.
  • "Tired of CVE whack-a-mole." Use the Elicit goal to generate a first-party CTI feed so defense is driven by observed adversary TTPs rather than the vulnerability of the week.
  • "Insider threat near critical data." Seed Expose Activities (Decoy Content, Decoy Credentials, Pocket Litter) around the crown-jewel asset for high-fidelity detection of unauthorized internal access.

Output Format

Produce an Adversary Engagement Operation Plan using assets/template.md, containing:

  1. Strategic context — where DD&AE fits the cyber strategy; executive sponsor; legal sign-off reference.
  2. Engagement Goals + Operational Objectives — each objective falsifiable and time-bound.
  3. Threat model — target adversary, prioritized ATT&CK techniques.
  4. Activity selection matrix — technique → exposed weakness → selected Engage Activity (with EAC IDs) → tactical deployment owner.
  5. Engagement environment design — realism, isolation/honeynet type, artifact diversity plan.
  6. Gating criteria and rules of engagement — blast radius, tear-down triggers, evidence handling, escalation authority.
  7. Measurement plan — metrics per objective (alert latency, dwell time, indicators gained, samples obtained).
  8. After-action report — objectives met/missed, intel produced, detections promoted to production, threat-model updates.

Use scripts/process.py to validate technique→Activity coverage and generate the operation-plan skeleton from a threat-model input.

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

standards.md4.4 KB

MITRE Engage — Standards & Framework Reference

Primary framework

MITRE Engage™ v1.0

  • Publisher: The MITRE Corporation
  • Version: 1.0, last updated 2022-02-28
  • Home: https://engage.mitre.org
  • Live Matrix: https://engage.mitre.org/matrix/ (authoritative source for all Goal/Approach/Activity names and IDs)
  • Starter Kit: https://engage.mitre.org/starter-kit/ (10-Step Process, planning worksheets, whitepapers)
  • Predecessor: MITRE Shield (Engage supersedes and restructures Shield).
  • Note: Engage is a framework for planning and discussing denial, deception, and adversary engagement. It is not a tool; it provides a shared language across defenders, vendors, and decision-makers.

Engage Matrix structure

Five columns (Goals): Prepare · Expose · Affect · Elicit · Understand

  • Prepare and Understand are strategic bookends (operation inputs and outputs).
  • Expose, Affect, Elicit are the three Engagement goals; together they form the default Operate view and are mapped to MITRE ATT&CK.

ID prefixes (verified from engage.mitre.org)

Component Strategic prefix Engagement prefix
Goals SGO EGO
Approaches SAP EAP
Activities SAC EAC

Always resolve specific numeric IDs (e.g., the EAC for "Decoy Credentials") against the live matrix rather than from memory.

Engagement Approaches (EAP) by Goal

  • Expose → Collection, Detection
  • Affect → Prevention, Direction, Disruption
  • Elicit → Reassurance, Motivation

Representative Engagement Activities (EAC), by name

Decoy Credentials · Decoy Content · Decoy Account · Decoy Diversity · Lures · Pocket Litter · Persona Creation · Artifact Diversity · Network Diversity · Application Diversity · Email Manipulation · Network Manipulation · Software Manipulation · Hardware Manipulation · Security Controls · Isolation · Attack Vector Migration · Peripheral Management · Baseline · Network Monitoring · System Activity Monitoring · API Monitoring · Malware Detonation · Burn-In · Introduced Vulnerabilities.

The matrix maps each Activity to the ATT&CK techniques whose execution exposes an adversary weakness. Use the Navigator overlay to confirm current mappings.

Operating principle: Affect is defender-network-only

All Affect Activities are constrained to infrastructure the defender owns and controls. Acting on adversary or third-party infrastructure is out of scope and creates legal exposure.

Complementary frameworks

MITRE ATT&CK

  • https://attack.mitre.org — the technique catalog used to model the target adversary. Engagement Activities exist to exploit the weaknesses adversary techniques create.

MITRE D3FEND — Deceive tactic

D3FEND (https://d3fend.mitre.org) provides defensive-technique naming that pairs with Engage. The Deceive tactic includes:

  • Decoy Environment: Connected Honeynet, Integrated Honeynet, Standalone Honeynet
  • Decoy Object: Decoy File, Decoy Network Resource, Decoy Persona, Decoy Public Release, Decoy Session Token, Decoy User Credential

Use D3FEND honeynet types when documenting environment isolation in the operation plan:

  • Standalone Honeynet — fully isolated; safest; least realistic to a sophisticated adversary.
  • Connected Honeynet — bridged to production paths to appear reachable; moderate risk.
  • Integrated Honeynet — decoys interleaved with production assets; most realistic; highest operational risk and tightest gating required.

NIST CSF 2.0 alignment

CSF 2.0 ID Relevance to adversary engagement
GV.RM-01 Risk management objectives established — anchors the strategic Prepare goal
ID.RA-01 Vulnerabilities identified — informs which weaknesses to expose
ID.IM-02 Security testing / improvement — engagement operations validate detections
DE.CM-01 Networks monitored to find adverse events — Expose Activities feed monitoring
DE.AE-02 Potentially adverse events analyzed — triage of decoy alerts

Legal & ethical references

  • Engagement operations interact with live adversaries; obtain written legal review before deployment.
  • Preserve evidence per the organization's incident-response and forensics procedures (chain of custody).
  • Coordinate with law enforcement engagement policy where applicable.
  • Document rules of engagement and gating criteria before any Activity is deployed.

Scripts 1

process.py6.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MITRE Engage operation planner.

Given a threat model (a list of ATT&CK technique IDs the target adversary uses),
this maps each technique to the Engage Activities that expose its weakness,
reports coverage gaps, and emits an Adversary Engagement Operation Plan skeleton.

The embedded ATT&CK -> Engage Activity table is a *starter* map. Reconcile against
the live matrix at https://engage.mitre.org/matrix/ before operational use.

Usage:
    python process.py --threat-model tm.json --out plan.md
    python process.py --list-techniques

tm.json format:
    {
      "operation_name": "VPN-actor engagement",
      "target_actor": "Suspected access broker",
      "strategic_goal": "Generate first-party CTI on the VPN actor",
      "techniques": ["T1078", "T1046", "T1021", "T1552"]
    }
"""
import argparse
import json
import sys
from datetime import date

# Starter map: ATT&CK technique -> (short name, [candidate Engage Activities]).
# Activities use canonical Engage names; resolve EAC numeric IDs from the live matrix.
TECHNIQUE_TO_ACTIVITIES = {
    "T1078": ("Valid Accounts", ["Decoy Credentials", "Lures", "Decoy Account"]),
    "T1110": ("Brute Force", ["Decoy Credentials", "Security Controls"]),
    "T1552": ("Unsecured Credentials", ["Decoy Credentials", "Artifact Diversity", "Pocket Litter"]),
    "T1083": ("File and Directory Discovery", ["Decoy Content", "Pocket Litter", "Artifact Diversity"]),
    "T1046": ("Network Service Discovery", ["Network Diversity", "Network Manipulation"]),
    "T1021": ("Remote Services", ["Network Manipulation", "Isolation", "Decoy Content"]),
    "T1018": ("Remote System Discovery", ["Network Diversity", "Decoy Content"]),
    "T1057": ("Process Discovery", ["System Activity Monitoring", "Software Manipulation"]),
    "T1071": ("Application Layer Protocol (C2)", ["Network Monitoring", "Network Manipulation"]),
    "T1105": ("Ingress Tool Transfer", ["Malware Detonation", "Network Monitoring"]),
    "T1190": ("Exploit Public-Facing Application", ["Introduced Vulnerabilities", "Application Diversity"]),
    "T1059": ("Command and Scripting Interpreter", ["System Activity Monitoring", "API Monitoring"]),
    "T1567": ("Exfiltration Over Web Service", ["Network Monitoring", "Decoy Content"]),
}

ENGAGEMENT_GOALS = ["Expose", "Affect", "Elicit"]


def build_coverage(techniques):
    covered, gaps = {}, []
    for t in techniques:
        t = t.strip().upper()
        if t in TECHNIQUE_TO_ACTIVITIES:
            name, acts = TECHNIQUE_TO_ACTIVITIES[t]
            covered[t] = {"name": name, "activities": acts}
        else:
            gaps.append(t)
    return covered, gaps


def render_plan(tm, covered, gaps):
    lines = []
    lines.append(f"# Adversary Engagement Operation Plan: {tm.get('operation_name', 'UNNAMED')}")
    lines.append(f"\n_Generated {date.today().isoformat()} — DRAFT, requires legal sign-off before deployment._\n")
    lines.append("## 1. Strategic context")
    lines.append(f"- **Target actor:** {tm.get('target_actor', 'TBD')}")
    lines.append(f"- **Strategic goal (Prepare):** {tm.get('strategic_goal', 'TBD')}")
    lines.append("- **Executive sponsor:** TBD")
    lines.append("- **Legal sign-off reference:** TBD (REQUIRED before deployment)\n")

    lines.append("## 2. Engagement Goals + Operational Objectives")
    for g in ENGAGEMENT_GOALS:
        lines.append(f"- **{g}:** define ≥1 falsifiable, time-bound objective (e.g., alert latency, dwell-time reduction, indicators gained).")
    lines.append("")

    lines.append("## 3. Activity selection matrix")
    lines.append("| ATT&CK | Technique | Weakness → Engage Activities | Deployment owner |")
    lines.append("|---|---|---|---|")
    for t, info in covered.items():
        acts = ", ".join(info["activities"])
        lines.append(f"| {t} | {info['name']} | {acts} | TBD |")
    if not covered:
        lines.append("| — | — | (no mapped techniques) | — |")
    lines.append("")

    if gaps:
        lines.append("## 3a. Coverage GAPS (no starter mapping — check live matrix)")
        for t in gaps:
            lines.append(f"- {t}: resolve against https://engage.mitre.org/matrix/")
        lines.append("")

    lines.append("## 4. Engagement environment design")
    lines.append("- Honeynet type (standalone / connected / integrated): TBD")
    lines.append("- Artifact diversity plan (Persona Creation, Pocket Litter, Artifact/Application/Network Diversity): TBD\n")

    lines.append("## 5. Gating criteria & rules of engagement")
    lines.append("- Max blast radius: TBD")
    lines.append("- Tear-down / IR hand-off trigger: TBD")
    lines.append("- Evidence handling & chain of custody: TBD")
    lines.append("- Escalation authority: TBD")
    lines.append("- Affect Activities limited to defender-owned network only (hard constraint).\n")

    lines.append("## 6. Measurement plan")
    lines.append("- Metric per objective; baseline before deployment; review cadence: TBD\n")

    lines.append("## 7. After-action report (post-operation)")
    lines.append("- Objectives met/missed, intel produced, detections promoted to production, threat-model updates: TBD")
    return "\n".join(lines)


def main():
    p = argparse.ArgumentParser(description="MITRE Engage operation planner")
    p.add_argument("--threat-model", help="Path to threat-model JSON")
    p.add_argument("--out", help="Output markdown path (default: stdout)")
    p.add_argument("--list-techniques", action="store_true", help="List techniques in the starter map")
    args = p.parse_args()

    if args.list_techniques:
        for t, (name, acts) in sorted(TECHNIQUE_TO_ACTIVITIES.items()):
            print(f"{t:8} {name:40} -> {', '.join(acts)}")
        return

    if not args.threat_model:
        p.error("--threat-model is required (or use --list-techniques)")

    with open(args.threat_model) as f:
        tm = json.load(f)

    techniques = tm.get("techniques", [])
    if not techniques:
        print("WARNING: threat model has no 'techniques' list", file=sys.stderr)

    covered, gaps = build_coverage(techniques)
    total = len(techniques)
    pct = (len(covered) / total * 100) if total else 0
    print(f"Coverage: {len(covered)}/{total} techniques mapped ({pct:.0f}%); {len(gaps)} gap(s).",
          file=sys.stderr)

    plan = render_plan(tm, covered, gaps)
    if args.out:
        with open(args.out, "w") as f:
            f.write(plan + "\n")
        print(f"Wrote operation plan -> {args.out}", file=sys.stderr)
    else:
        print(plan)


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 3.6 KB
Keep exploring