MITRE D3FEND: Cyber Defense Technique Catalog

The D3FEND Matrix

  • Tactics: Defensive maneuvers against an adversary; the what of an action. These are Harden, Detect, Isolate, Deceive, and Evict.
  • Base techniques: Top-level techniques. For example, File Analysis is a base technique under the Detect tactic. Base techniques are also referred to as categories.
  • Techniques: The methods to achieve the tactics; specific defensive processes or technologies; the how of implementing the tactic. For example, Dynamic Analysis is a technique under the File Analysis base technique.
  • Sub-techniques: More specific, lower-level techniques fitting under their parent technique. For example, the Certificate Analysis technique has the sub-techniques Active Certificate Analysis and Passive Certificate Analysis.
MITRE D3FEND Matrix

Base technique (category) pages on the D3FEND site are laid out as:

  • Definition
  • Technique Overview
  • Digital Artifact Relationships: how the technique relates to artifacts (digital objects that cyber actors interact with, such as pointers and process segments)
  • Technique Subclasses: sub-techniques of the technique you’re viewing (if any)
  • Related ATT&CK Techniques

Technique pages are laid out as:

  • Definition
  • How it works
  • Considerations: important things to know about using the technique, such as caveats or limitations
  • Digital Artifact Relationships
  • Technique Subclasses (if any)
  • References: external resources about the technique

D3FEND Tactics

  • Harden: make network exploitation more difficult and costly
  • Detect: identify adversary access or activity
  • Isolate: create logical or physical barriers to restrict adversary access
  • Deceive: lure potential attackers and allow them access to an observed or controlled environment
  • Evict: remove adversary from the network

D3FEND Base Techniques

  • Application Hardening
  • Credential Hardening
  • Message Hardening
  • Platform Hardening
  • File Analysis
  • Identifier Analysis
  • Message Analysis
  • Network Traffic Analysis
  • Platform Monitoring
  • Process Analysis
  • User Behavior Analysis
  • Execution Isolation
  • Network Isolation
  • Decoy Environment
  • Decoy Object
  • Credential Eviction
  • Process Eviction

Additional Information

Chad Warner