Sunday, July 4, 2021

What does D3FEND from MITRE bring to us?

 MITRE releases D3FEND framework as a complement to its existing ATT&CK structure

The National Security Agency (NSA) announced Tuesday that the MITRE project had released the D3FEND framework, funded by the agency. The new framework aims to improve the cybersecurity of national security systems, the Department of Defense, and the defense industrial base and add defensive cybersecurity techniques to the existing ATT&CK framework. (IndustrialCyber, 2021)


What does this new framework bring to the table? As the l33tspeak name suggests, it looks at security control capabilities through a defensive lens. The D3FEND knowledge base estimates the operational applicability of each countermeasure, identifying strengths and weaknesses when an enterprise solution is built from multiple capabilities. The framework examines control capabilities this way because practitioners need to know not only what threats a capability claims to address but, more specifically, how those threats are addressed from an engineering standpoint and under what circumstances the countermeasure would actually work. A cybersecurity countermeasure is any process or technology developed to negate or offset offensive cyber activities. It is not enough to understand what a countermeasure does (what it detects, what it prevents); we must know how it does it. A security architect must understand their organization's countermeasures, precisely what they do, how they do it, and their limitations, if those countermeasures are to be employed effectively. (Kaloroumakis, Smith, 2021)

The D3FEND framework is built on a generic taxonomy rather than vendor-specific terminology or other technological colloquialisms. Just as ATT&CK groups adversary techniques into categories, the D3FEND framework is organized into five major categories, each describing the defensive posture (control functions) recommended to achieve the desired outcome. These categories are:


The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from detection in that it is generally conducted before a system is online and operational.
  • Application Hardening - Application Hardening makes an executable application more resilient to a class of exploits that either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
  • Credential Hardening - Credential Hardening techniques modify the system or network properties to protect the system or network/domain credentials.
  • Message Hardening - Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages.
  • Platform Hardening - Hardening components of a Platform to make them more challenging to exploit.
    • Platforms include components such as:
      • BIOS UEFI Subsystems
      • Hardware security devices such as Trusted Platform Modules
      • Boot process logic or code
      • Kernel software components


The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.
  • File Analysis - File Analysis is an analytic process to determine a file's status. For example, viruses, trojans, benign, malicious, trusted, unauthorized, sensitive, etc.
  • Identifier Analysis - Analyzing identifier artifacts such as IP addresses, domain names, URLs, or URIs.
  • Message Analysis - Analyzing email or instant message content to detect unauthorized activity.
  • Network Traffic Analysis - Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
  • Platform Monitoring - Monitoring platform components such as operating systems software, hardware devices, or firmware.
    • Platform monitoring consists of analyzing and monitoring system-level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.
    • Monitored platform components include system files and embedded devices such as:
      • Kernel software modules
      • Boot process code and load logic
      • Operating system components and device files
      • System libraries and dynamically loaded files
      • Hardware device drivers
      • Embedded firmware devices
  • Process Analysis - Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
  • User Behavior Analysis - Analysis of user behavior and patterns to detect unauthorized user activity.


The isolate tactic creates logical or physical barriers in a system that reduce adversaries' opportunities to create further accesses.
  • Execution Isolation - Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
  • Network Isolation - Network Isolation techniques prevent network hosts from accessing non-essential system network resources.


The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment.
  • Decoy Environment - A Decoy Environment comprises hosts and networks to deceive an attacker.
  • Decoy Object - A Decoy Object is created and deployed to deceive attackers.


The eviction tactic is used to remove an adversary from a computer network.
  • Credential Eviction - Credential Eviction techniques disable or remove compromised credentials from a computer network.
  • Process Eviction - Process eviction techniques terminate or remove the running process.


The D3FEND framework is the next logical step in standardizing the correlation of attack methods and vectors to the deployed or proposed defensive controls and capabilities. These controls are necessary to reduce the impact of events. The subcategories beneath Harden, Detect, Isolate, Deceive, and Evict include public comments to support the recommended capabilities. Using the ATT&CK framework to identify techniques and potential attack methods, a security team can match those methods against threat intelligence, thereby identifying potential threats and threat vectors. It is then possible to look critically at the defensive capabilities using the D3FEND framework and look for gaps based on the threat landscape. I recommend using the bow tie methodology to graphically depict the flow from the attack vector, through defensive controls, past the event, and through compensating controls, to arrive at a more realistic estimate of potential impact.
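As an added example (not from the post or from MITRE), the following Python sketch performs the gap check described above: it takes the ATT&CK techniques that threat intelligence says are in play, a mapping of each to the D3FEND techniques that counter it, and an inventory of what is actually deployed, and reports the missing D3FEND techniques grouped by tactic. The ATT&CK IDs are real, but the countermeasure mapping and the deployed inventory are constructed for illustration, not taken from the D3FEND knowledge base.

```python
from collections import defaultdict

# D3FEND tactic -> technique names, as listed in the post.
D3FEND_TACTICS = {
    "Harden": {"Application Hardening", "Credential Hardening",
               "Message Hardening", "Platform Hardening"},
    "Detect": {"File Analysis", "Identifier Analysis", "Message Analysis",
               "Network Traffic Analysis", "Platform Monitoring",
               "Process Analysis", "User Behavior Analysis"},
    "Isolate": {"Execution Isolation", "Network Isolation"},
    "Deceive": {"Decoy Environment", "Decoy Object"},
    "Evict": {"Credential Eviction", "Process Eviction"},
}
TACTIC_OF = {t: tac for tac, ts in D3FEND_TACTICS.items() for t in ts}

# Constructed, illustrative mapping from ATT&CK techniques (real IDs) to
# D3FEND techniques that counter them. A real assessment takes this from
# the D3FEND knowledge base plus the organisation's own engineering review.
COUNTERMEASURES = {
    "T1566 Phishing": {"Message Hardening", "Message Analysis", "Decoy Object"},
    "T1003 OS Credential Dumping": {"Credential Hardening", "Process Analysis",
                                    "Credential Eviction"},
    "T1055 Process Injection": {"Application Hardening", "Process Analysis",
                                "Execution Isolation", "Process Eviction"},
    "T1021 Remote Services": {"Network Isolation", "Network Traffic Analysis",
                              "User Behavior Analysis", "Decoy Environment"},
}


def find_gaps(threats, deployed, countermeasures=COUNTERMEASURES):
    """Return {ATT&CK technique: {D3FEND tactic: [missing techniques]}}.

    `threats` are the ATT&CK techniques threat intelligence says are in play;
    `deployed` is the inventory of D3FEND techniques already in place.
    Names in `deployed` that are not D3FEND techniques are rejected, so a
    vendor product name cannot silently count as coverage.
    """
    unknown = set(deployed) - set(TACTIC_OF)
    if unknown:
        raise ValueError(f"not D3FEND technique names: {sorted(unknown)}")
    gaps = {}
    for threat in threats:
        missing = countermeasures[threat] - set(deployed)
        by_tactic = defaultdict(list)
        for technique in sorted(missing):
            by_tactic[TACTIC_OF[technique]].append(technique)
        if by_tactic:
            gaps[threat] = dict(by_tactic)
    return gaps
```

The per-tactic grouping is what feeds the bow tie: Harden, Isolate, and Deceive gaps sit on the preventive side of the event, while Detect and Evict gaps sit on the response side.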
