MITRE releases D3FEND framework as a complement to its existing ATT&CK structure
The National Security Agency (NSA) announced Tuesday that the MITRE project had released the D3FEND framework, funded by the agency. The new framework aims to improve the cybersecurity of national security systems, the Department of Defense, and the defense industrial base and add defensive cybersecurity techniques to the existing ATT&CK framework. (IndustrialCyber, 2021)
D3FEND IS ON THE STREET… NOW WHAT?
What does this new framework bring to the table? As the l33tspeak name suggests, it looks at security control capabilities through a defensive lens. The D3FEND knowledge base describes each countermeasure in enough engineering detail that its operational applicability can be estimated, which lets an architect identify strengths and weaknesses while assembling enterprise solutions out of multiple capabilities. The framework looks at control capabilities this way because practitioners need to know not only what threats a capability claims to address but, more specifically, how those threats are addressed from an engineering standpoint and under what circumstances the countermeasure would actually work. A cybersecurity countermeasure is any process or technology developed to negate or offset offensive cyber activities. It is not enough to understand what a countermeasure does—what it detects, what it prevents. We must know how it does it. A security architect must understand their organization's countermeasures—precisely what they do, how they do it, and their limitations—if countermeasures are to be effectively employed. (Kaloroumakis, Smith, 2021)
The D3FEND framework is built on a generic taxonomy rather than vendor-specific terminology or other technological colloquialisms. Just as ATT&CK organizes adversary behaviour into tactics and techniques, D3FEND organizes defensive techniques under five major categories (tactics) and, for each, describes the control functions recommended to produce the desired outcome. These categories, and the technique groups under each, are:
- Harden
  - Application Hardening - Application Hardening makes an executable application more resilient to a class of exploits that either introduce new code or execute unwanted existing code. These techniques may be applied at compile time or to an application binary.
  - Credential Hardening - Credential Hardening techniques modify system or network properties to protect system or network/domain credentials.
  - Message Hardening - Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages.
  - Platform Hardening - Hardening components of a platform to make them more challenging to exploit. Platforms include components such as:
    - BIOS and UEFI subsystems
    - Hardware security devices such as Trusted Platform Modules
    - Boot process logic or code
    - Kernel software components
- Detect
  - File Analysis - File Analysis is an analytic process to determine a file's status, for example virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
  - Identifier Analysis - Analyzing identifier artifacts such as IP addresses, domain names, URLs, or URIs.
  - Message Analysis - Analyzing email or instant message content to detect unauthorized activity.
  - Network Traffic Analysis - Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
  - Platform Monitoring - Monitoring platform components such as operating system software, hardware devices, or firmware. Platform monitoring consists of analyzing and monitoring system-level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity. Monitored platform components include system files and embedded devices such as:
    - Kernel software modules
    - Boot process code and load logic
    - Operating system components and device files
    - System libraries and dynamically loaded files
    - Hardware device drivers
    - Embedded firmware devices
  - Process Analysis - Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and monitoring memory boundary allocations.
  - User Behavior Analysis - Analysis of user behavior and patterns to detect unauthorized user activity.
- Isolate
  - Execution Isolation - Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
  - Network Isolation - Network Isolation techniques prevent network hosts from accessing non-essential network resources.
- Deceive
  - Decoy Environment - A Decoy Environment comprises hosts and networks deployed to deceive an attacker.
  - Decoy Object - A Decoy Object is created and deployed to deceive attackers.
- Evict
  - Credential Eviction - Credential Eviction techniques disable or remove compromised credentials from a computer network.
  - Process Eviction - Process Eviction techniques terminate or remove a running process.
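The Process Analysis item above mentions monitoring process initiation chains. The following is an added example (not code from D3FEND, MITRE or the original article) of what that looks like in practice: it rebuilds parent/child chains from a constructed set of process-creation events and flags sensitive children whose parent is not on a hypothetical expected-parent allow list.

```python
"""Process Analysis demo: reconstruct process initiation chains from
constructed process-creation events and flag unexpected parent/child pairs.
Added example; not part of D3FEND or the original article."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str   # executable name as reported by the sensor
    user: str


# Constructed sample events (pid, ppid, image, user); not real telemetry.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4, 0, "System", "SYSTEM"),
    ProcEvent(600, 4, "smss.exe", "SYSTEM"),
    ProcEvent(700, 600, "winlogon.exe", "SYSTEM"),
    ProcEvent(900, 700, "explorer.exe", "alice"),
    ProcEvent(1200, 900, "winword.exe", "alice"),
    ProcEvent(1300, 1200, "powershell.exe", "alice"),  # spawned by a document viewer
    ProcEvent(1400, 900, "notepad.exe", "alice"),
]

# Hypothetical allow list of expected parent images for sensitive children.
# A real deployment would derive this from its own baseline of normal chains.
EXPECTED_PARENTS: Dict[str, set] = {
    "powershell.exe": {"explorer.exe", "cmd.exe", "services.exe"},
    "winlogon.exe": {"smss.exe"},
}


def build_chain(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links from pid to the root; returns images child-first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_unexpected_parents(events: List[ProcEvent]) -> List[Tuple[int, str, str, List[str]]]:
    """Return (pid, image, parent_image, chain) for every sensitive child whose parent is not allowed."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        allowed = EXPECTED_PARENTS.get(e.image)
        if allowed is None:
            continue
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"  # parent exited or not observed
        if parent_image not in allowed:
            findings.append((e.pid, e.image, parent_image, build_chain(events, e.pid)))
    return findings
```

The full chain in each finding is what an analyst needs to judge the event; the parent alone is often ambiguous.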