MITRE D3FEND: Cyber Defense Technique Catalog

Chad Warner
3 min read · May 4, 2022

MITRE D3FEND (pronounced “defend”) is a knowledge base and knowledge graph of cybersecurity countermeasures (defensive processes or technologies). D3FEND is an acronym for Detection, Denial, and Disruption Framework Empowering Network Defense. For each of the countermeasures, it tells what threats the countermeasure addresses, how it addresses those threats, and the situations in which the countermeasure would work.

D3FEND is an experimental research project, and is not yet as mature as MITRE ATT&CK. It complements ATT&CK by showing how the various defensive tactics and techniques in D3FEND are related to adversary tactics and techniques in ATT&CK.

The D3FEND Matrix

The D3FEND Matrix has a row for tactics, a row for base techniques, and multiple columns for techniques. What are these?

  • Tactics: Defensive maneuvers against an adversary; the what of an action. These are Harden, Detect, Isolate, Deceive, and Evict.
  • Base techniques: Top-level techniques. For example, File Analysis is a base technique under the Detect tactic. Base techniques are also referred to as categories.
  • Techniques: The methods to achieve the tactics; specific defensive processes or technologies; the how of implementing the tactic. For example, Dynamic Analysis is a technique under the File Analysis base technique.
  • Sub-techniques: More specific, lower-level techniques fitting under their parent technique. For example, the Certificate Analysis technique has the sub-techniques Active Certificate Analysis and Passive Certificate Analysis.

(Image: MITRE D3FEND Matrix)

When you view the D3FEND Matrix, you can click tactics, base techniques, techniques, and sub-techniques to view the corresponding pages.

The page for each tactic shows a definition and list of techniques in that category.

The page for each base technique shows a definition, an overview, its relationships to digital artifacts, and the techniques in that category. In detail, it shows:

  • Definition
  • Technique Overview
  • Digital Artifact Relationships: how the technique relates to artifacts (digital objects that cyber actors interact with, such as pointers and process segments)
  • Technique Subclasses: sub-techniques of the technique you’re viewing (if any)
  • Related ATT&CK Techniques

The page for each technique or sub-technique shows the following details:

  • Definition
  • How it works
  • Considerations: important things to know about using the technique, such as caveats or limitations
  • Digital Artifact Relationships
  • Technique Subclasses (if any)
  • References: external resources about the technique
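To make the structure described above concrete (tactic, base technique, technique, sub-technique, and the Digital Artifact Relationships that tie a defensive technique to Related ATT&CK Techniques), here is an added Python sketch of that knowledge graph. It is an example written for this post, not code from MITRE or from the D3FEND project. The tactic and technique names it uses are the ones quoted in the article; the artifact classes, the relationship edges, the ATT&CK mappings and the placement of Certificate Analysis under Network Traffic Analysis are assumptions constructed for illustration, so check the live D3FEND pages before relying on any of them.

```python
"""Added illustration of the D3FEND graph structure: a defensive technique tree
hanging off tactics, a digital-artifact class tree, and the inference that links
a defensive technique to ATT&CK techniques through shared artifacts.
Technique names come from the article; everything else here is constructed."""

TACTICS = ("Harden", "Detect", "Isolate", "Deceive", "Evict")

# Defensive technique tree: child -> parent. Base techniques hang directly off a
# tactic, techniques off a base technique, sub-techniques off a technique.
DEFENSIVE_PARENT = {
    "File Analysis": "Detect",
    "Dynamic Analysis": "File Analysis",
    "Network Traffic Analysis": "Detect",
    "Certificate Analysis": "Network Traffic Analysis",  # placement assumed
    "Active Certificate Analysis": "Certificate Analysis",
    "Passive Certificate Analysis": "Certificate Analysis",
}

# Digital artifact class tree (constructed): child class -> parent class.
ARTIFACT_PARENT = {
    "File": "Digital Artifact",
    "Executable File": "File",
    "Certificate": "Digital Artifact",
}

# Defensive technique -> (relation, artifact) edges (constructed).
DEFENSIVE_ARTIFACTS = {
    "File Analysis": [("analyzes", "File")],
    "Dynamic Analysis": [("analyzes", "Executable File")],
    "Active Certificate Analysis": [("analyzes", "Certificate")],
    "Passive Certificate Analysis": [("analyzes", "Certificate")],
}

# ATT&CK technique -> (relation, artifact) edges. The IDs and names are real
# ATT&CK entries; the artifact edges are constructed for this example.
OFFENSIVE_ARTIFACTS = {
    "T1204.002 User Execution: Malicious File": [("produces", "Executable File")],
    "T1553.004 Subvert Trust Controls: Install Root Certificate": [("modifies", "Certificate")],
}


def ancestors(technique):
    """Parent chain from a defensive technique up to and including its tactic."""
    chain, node = [], technique
    while node not in TACTICS:
        if node not in DEFENSIVE_PARENT:
            raise KeyError(f"unknown defensive technique: {node}")
        node = DEFENSIVE_PARENT[node]
        chain.append(node)
    return chain


def tactic_of(technique):
    """The tactic a technique ultimately serves (top of its parent chain)."""
    return ancestors(technique)[-1]


def level_of(technique):
    """Classify by depth: 1 parent = base technique, 2 = technique, deeper = sub-technique."""
    return {1: "base technique", 2: "technique"}.get(len(ancestors(technique)), "sub-technique")


def subclasses(technique):
    """Direct children, i.e. the 'Technique Subclasses' section of a D3FEND page."""
    return sorted(child for child, parent in DEFENSIVE_PARENT.items() if parent == technique)


def techniques_under(node):
    """Every defensive entry whose parent chain passes through `node` (a tactic or technique)."""
    return sorted(t for t in DEFENSIVE_PARENT if node in ancestors(t))


def artifact_is_a(artifact, cls):
    """True if `artifact` is `cls` or a subclass of it in the artifact tree."""
    node = artifact
    while node is not None:
        if node == cls:
            return True
        node = ARTIFACT_PARENT.get(node)
    return False


def related_attack_techniques(defensive):
    """ATT&CK techniques that touch an artifact the defensive technique works on.

    The inference is the artifact bridge: if the defence 'analyzes X' and an
    offensive technique 'produces/modifies Y' where Y is-a X, they are related.
    A technique without artifact edges therefore relates to nothing.
    """
    hits = set()
    for _, defended in DEFENSIVE_ARTIFACTS.get(defensive, []):
        for attack, edges in OFFENSIVE_ARTIFACTS.items():
            if any(artifact_is_a(touched, defended) for _, touched in edges):
                hits.add(attack)
    return sorted(hits)


if __name__ == "__main__":
    for tech in DEFENSIVE_PARENT:
        print(f"{tech}: {level_of(tech)} under {tactic_of(tech)}; "
              f"related ATT&CK: {related_attack_techniques(tech) or 'none'}")
```

The point of the artifact-class walk in `artifact_is_a` is that a broad technique such as File Analysis, which is said to analyze files in general, picks up ATT&CK techniques that produce a more specific artifact (an executable file), while a technique with no artifact relationships yields no related ATT&CK techniques at all. That is what the "Related ATT&CK Techniques" section on a real D3FEND page is derived from.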

D3FEND Tactics

  • Harden: make network exploitation more difficult and costly
  • Detect: identify adversary access or activity
  • Isolate: create logical or physical barriers to restrict adversary access
  • Deceive: lure potential attackers and allow them access to an observed or controlled environment
  • Evict: remove an adversary from the network

D3FEND Base Techniques

  • Application Hardening
  • Credential Hardening
  • Message Hardening
  • Platform Hardening
  • File Analysis
  • Identifier Analysis
  • Message Analysis
  • Network Traffic Analysis
  • Platform Monitoring
  • Process Analysis
  • User Behavior Analysis
  • Execution Isolation
  • Network Isolation
  • Decoy Environment
  • Decoy Object
  • Credential Eviction
  • Process Eviction

Additional Information

Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.