Being a security analyst today is hard. You’re constantly trying to protect your organization while feeling like attackers are always a step ahead of you. Every year, you seem to add more security technologies to your stack, yet you still find yourself facing tooling gaps. If only you had the ability to clearly compare different products and their capabilities, you think. Then, you would be able to make more informed decisions about what you really need and how the different vendors enable your operations.
Enter MITRE D3FEND. From the same people who brought you the MITRE ATT&CK framework comes the D3FEND knowledge graph, a standardized vocabulary for understanding the different actions you can take to protect yourself. By using D3FEND, you can map ATT&CK Mitigations to your current tooling to identify gaps and build a stronger security program.
What is MITRE D3FEND?
The MITRE Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph creates a common vocabulary for defensive cybersecurity techniques that help respond to adversary techniques.
Currently, most organizations use D3FEND are part of the security technology acquisition and investment process since it:
- Provides insight into the strengths and weaknesses of certain products
- Enables product testing to determine whether the technology would achieve a desired security objective
D3FEND’s cybersecurity countermeasures define two things products and technologies that respond to offensive cyber activities:
- What they detect and prevent
- How they detect and prevent an activity, including their limitations
What are the D3FEND Tactics?
D3FEND tactics are categories of activities that security teams use when responding to an adversarial action.
D3FEND defines the following seven tactics:
- Model: Generating a common understanding of systems, operations, users, and relationships that act as the foundation of other security and risk management activities
- Harden: implementing before deploying systems increases the cost of the attack
- Detect: identifying adversary access or unauthorized activity
- Isolate: creating logical or physical barriers to reduce movement within and across systems
- Deceive: creating controlled environments for observing potential attacker activity
- Evict: removing adversary from the network
- Restore: returning system to a better state
The D3FEND tactics are listed in a specific order to help map to attacker activities and the points at which organizations can mitigate risk. For example, without the ability to detect an attacker, the organization won’t move on to isolation because they don’t know they experienced an incident.
What are D3FEND Techniques?
The Techniques define how security teams implement a tactic. The standardized vocabulary was built around:
- Patents: key phrases across cybersecurity technology
- Existing knowledge bases: MITRE Cyber Analytics Repository and ATT&CK framework to understand analytics and detections
- Other data sources: academic papers, technical specifications, publicly available product technical documentation
The D3FEND techniques focus on two things:
- The data input types that the technology uses
- The technology’s core functional activity
For example, within the Harden tactic, Application Hardening is a technique that mitigates risk by making the application more resilient to a class of exploits. Within the Application Hardening technique, the Application Configuration Hardening Technique addresses activities like limiting permissions or disabling features.
What are digital artifacts?
The digital artifacts are the evidence of interaction with systems that adversaries or security teams leave behind. These create the relationship between the ATT&CK framework offensive activities and the D3FEND countermeasures.
For example, an adversary might engage in the following activities:
- Produce
- Execute
- Analyze
- Access
- Install
The countermeasure responds to these adversary activities because the defender:
- Observes
- Detects
- Counters
The digital artifacts act as the common point between the adversary and defender actions. For example, when an adversary modifies code, the defender or the technology observes or detects a modification by attempting to verify integrity.
How to Use D3FEND
If you already use ATT&CK as part of your threat detection and incident response processes, then you might want to consider how you can leverage D3FEND to augment these activities.
Mapping to Mitigations
D3FEND maps to thirty-five ATT&CK Enterprise Mitigations. In some cases, multiple D3FEND techniques align with a single ATT&CK Enterprise Mitigation. For example, M1040 Behavior Prevention on Endpoint maps to the following countermeasure techniques:
- D3-ANET Authentication Event Thresholding
- D3-AZET Authorization Event Thresholding
- D3-JFAPA Job Function Access Pattern Analysis
- D3-RAPA Resource Access Pattern Analysis
- D3-SDA Session Duration Analysis
- D3-UDTA User Data Transfer Analysis
- D3-UGLPA User Geolocation Logon Pattern Analysis
- D3-WSAA Web Session Activity Analysis
As attackers increasingly target web applications, you need proactive controls and detections for:
- Implementing and enforcing the principle of least privilege by mapping user access to job function
- Detecting credential-based attacks, like credential stuffing attacks, by creating alerts for failed logins and successful logins tied to a specific user
- Detecting anomalous user activity like logging in from an unusual geographic location
- Detecting suspicious API-based attack techniques
Red Teaming and Penetration Testing
Your security team can use D3FEND when responding to red team and pentest reports. By mapping the ATT&CK technique used to a mitigation, they can more effectively identify where they have tooling or skill gaps.
Budgeting
When looking to improve your security posture, you need to identify the solutions that give you the most bang for your buck. You can use D3FEND’s vocabulary to define the critical capabilities necessary to mitigate risk, then use those to identify the solutions that fit your financial and staffing constraints.
Proof of Concept
When you have a clear list of gaps you need to fill, you can map them to the D3FEND countermeasures and techniques. Once you narrow down your list of needs, you can use D3FEND during your proof of concept (PoC) as a checklist to help you determine which vendor best supports your security objectives.
Graylog Security: Cost-Effectively Defend Against Security Threats
Graylog Security offers the advanced detection, investigation, and response capabilities you need while providing short and long-term budget flexibility with a low total cost of ownership (TCO). Graylog Illuminate content packs give you a library of curated event definitions, alerts, and dashboards with risk-based scoring so you can more efficiently and effectively respond to potential incidents. With our guided workflows, your security team can reduce key metrics, like mean time to respond (MTTR), that enhance investigations workflows and make collaboration easier.
To see how Graylog Security responds to your defensive needs, contact us for a demo.