OVERVIEW
MITRE is a US-based non-profit organization that develops and publishes security knowledge bases and frameworks for both the offensive and the defensive side of the problem, including MITRE ATT&CK, MITRE SHIELD and MITRE D3FEND.
MITRE ATT&CK: a publicly available knowledge base of adversary tactics and techniques built from real-world observations, used to understand how adversaries actually operate.
MITRE SHIELD: a publicly available active-defense knowledge base of proactive countermeasures, largely deception and adversary engagement, for actively defending against intrusions (it has since been retired in favour of MITRE Engage).
MITRE D3FEND:
MITRE D3FEND is a publicly released knowledge base, structured as a knowledge graph, of cybersecurity countermeasure techniques. For each countermeasure it describes the components and capabilities involved and the digital artifacts the countermeasure acts on.
The framework has two main parts: the Digital Artifact Ontology and the D3FEND Matrix.
Digital Artifact Ontology
A taxonomy of the digital artifacts (files, processes, network traffic, credentials, log entries and so on) that offensive techniques create, read or modify and that defensive techniques monitor, filter or protect. D3FEND does not map ATT&CK techniques to countermeasures directly; instead both sides reference artifacts in this ontology, and the relation between an attack technique and a countermeasure is inferred through the artifacts they share. This is what lets the framework present attack and defense in one simplified model.
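To make the artifact-centred mapping concrete, here is an added example in Python; it is not MITRE's data, ontology or API, but a small hand-built graph that works the same way. ATT&CK techniques and D3FEND techniques are linked only through the artifact classes they touch, and a countermeasure acting on a parent class (Network Traffic) also covers its subclasses (DNS Traffic). The artifact taxonomy, the relations and which artifact each technique touches are constructed assumptions; the ATT&CK IDs and the D3FEND technique and tactic names are real.

```python
"""Toy D3FEND-style knowledge graph (added example, not MITRE's data or API).

Offensive and defensive techniques never reference each other directly; both
reference digital artifacts, and the relation between them is inferred through
the artifact taxonomy, as D3FEND does with its Digital Artifact Ontology.
"""
from collections import defaultdict

# Constructed artifact taxonomy: child class -> parent class. A tiny, invented
# slice of the kind of hierarchy the Digital Artifact Ontology defines.
ARTIFACT_PARENT = {
    "DNS Traffic": "Network Traffic",
    "Network Traffic": "Digital Artifact",
    "Authentication Log": "Log",
    "Log": "Digital Artifact",
    "Process": "Digital Artifact",
    "Scheduled Job": "Digital Artifact",
    "Credential": "Digital Artifact",
    "User Account": "Digital Artifact",
}

# (ATT&CK technique, relation, artifact). The technique IDs and names are real
# ATT&CK entries; which artifact each one touches is a simplification.
OFFENSIVE = [
    ("T1110 Brute Force", "produces", "Authentication Log"),
    ("T1059 Command and Scripting Interpreter", "creates", "Process"),
    ("T1053 Scheduled Task/Job", "modifies", "Scheduled Job"),
    ("T1071.004 Application Layer Protocol: DNS", "produces", "DNS Traffic"),
    ("T1078 Valid Accounts", "uses", "Credential"),
    ("T1078 Valid Accounts", "accesses", "User Account"),
]

# (D3FEND technique, tactic, relation, artifact). Technique and tactic names are
# taken from the matrix on this page; the artifact each acts on is assumed.
DEFENSIVE = [
    ("Authentication Event Thresholding", "Detect", "analyzes", "Authentication Log"),
    ("Process Spawn Analysis", "Detect", "analyzes", "Process"),
    ("Executable Allowlisting", "Isolate", "restricts", "Process"),
    ("DNS Traffic Analysis", "Detect", "analyzes", "DNS Traffic"),
    ("Outbound Traffic Filtering", "Isolate", "filters", "Network Traffic"),
    ("Multi-factor Authentication", "Harden", "strengthens", "Credential"),
    ("Decoy User Credential", "Deceive", "spoofs", "Credential"),
    ("Account Locking", "Evict", "disables", "User Account"),
]


def ancestors(artifact):
    """Yield the artifact class and each of its parents, most specific first."""
    while artifact is not None:
        yield artifact
        artifact = ARTIFACT_PARENT.get(artifact)


def build_index():
    """Index defensive techniques by the artifact class they act on."""
    index = defaultdict(list)
    for name, tactic, relation, artifact in DEFENSIVE:
        index[artifact].append((name, tactic, relation))
    return index


def countermeasures_for(attack_technique, index=None):
    """Countermeasures related to an ATT&CK technique through shared artifacts.

    Returns (defensive technique, tactic, artifact class that linked them).
    A technique acting on a parent class (e.g. Network Traffic) also covers
    its subclasses (e.g. DNS Traffic), mirroring ontology-based inference.
    """
    if index is None:
        index = build_index()
    related = []
    for technique, _relation, artifact in OFFENSIVE:
        if technique != attack_technique:
            continue
        for cls in ancestors(artifact):
            for name, tactic, _drel in index.get(cls, []):
                entry = (name, tactic, cls)
                if entry not in related:
                    related.append(entry)
    return related


def coverage_gaps():
    """ATT&CK techniques in the constructed set with no related countermeasure."""
    index = build_index()
    return sorted({t for t, _, _ in OFFENSIVE if not countermeasures_for(t, index)})


if __name__ == "__main__":
    for technique in dict.fromkeys(t for t, _, _ in OFFENSIVE):
        print(technique)
        for name, tactic, via in countermeasures_for(technique):
            print(f"  [{tactic}] {name}  (via {via})")
    print("no countermeasure:", coverage_gaps())
```

The useful output is not the individual mappings but the gap list: the same artifact-based join that answers "what defends against T1071.004" also shows which offensive techniques touch artifacts no countermeasure in your deployment acts on, which is how the ontology is meant to drive coverage reviews.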
D3FEND Matrix
The D3FEND Matrix is the tabular, graphical view of the countermeasure techniques, grouped by the defensive tactic each one serves:
- Harden
- Detect
- Isolate
- Deceive
- Evict
Later D3FEND releases add the Model and Restore tactics and many more techniques; the tactic definitions and technique counts below reflect the version described here, so check the current matrix before relying on them.
Harden
Hardening is the process of applying security countermeasures to a system, generally before it goes into operation, to reduce its attack surface and the attack vectors available to an adversary, raising the cost of exploitation.
MITRE D3FEND includes 32 countermeasure techniques under Harden, counting the four parent techniques and their sub-techniques:
Application Hardening
- Pointer Authentication
- Application Configuration Hardening
- Dead Code Elimination
- Exception Handler Pointer Validation
- Process Segment Execution Prevention
- Segment Address Offset Randomization
- Stack Frame Canary Validation

Credential Hardening
- Multi-factor Authentication
- One-time Password
- Certificate-based Authentication
- Biometric Authentication
- Certificate Pinning
- Credential Transmission Scoping
- Domain Trust Policy
- Strong Password Policy
- User Account Permissions

Message Hardening
- Message Authentication
- Message Encryption
- Transfer Agent Authentication

Platform Hardening
- File Encryption
- Local File Permissions
- Bootloader Authentication
- Disk Encryption
- Driver Load Integrity Checking
- RF Shielding
- Software Update
- System Configuration Permissions
- TPM Boot Integrity
Detect
Detection is the set of techniques used to identify adversary access to, or unauthorized activity on, computer networks and hosts, typically by analysing the artifacts (files, identifiers, messages, traffic, processes, user behaviour) that such activity leaves behind.
MITRE D3FEND includes 69 countermeasure techniques under Detect, counting the seven parent techniques and their sub-techniques:
File Analysis
- Dynamic Analysis
- Emulated File Analysis
- File Content Rules
- File Hashing

Identifier Analysis
- Homoglyph Detection
- URL Analysis

Message Analysis
- Sender MTA Reputation Analysis
- Sender Reputation Analysis

Network Traffic Analysis
- Byte Sequence Emulation
- Certificate Analysis
- Active Certificate Analysis
- Passive Certificate Analysis
- Client-server Payload Profiling
- Connection Attempt Analysis
- DNS Traffic Analysis
- File Carving
- Administrative Network Activity Analysis
- Inbound Session Volume Analysis
- IPC Traffic Analysis
- Network Traffic Community Deviation
- Per Host Download-Upload Ratio Analysis
- Protocol Metadata Anomaly Detection
- Relay Pattern Analysis
- Remote Terminal Session Detection
- RPC Traffic Analysis

Platform Monitoring
- Firmware Behavior Analysis
- Firmware Embedded Monitoring Code
- Firmware Verification
- Peripheral Firmware Verification
- System Firmware Verification
- Operating System Monitoring
- Endpoint Health Beacon
- Input Device Analysis
- Memory Boundary Tracking
- Scheduled Job Analysis
- Service Binary Verification
- System Daemon Monitoring
- System File Analysis
- System Init Config Analysis
- User Session Init Config Analysis

Process Analysis
- Database Query String Analysis
- File Access Pattern Analysis
- File Creation Analysis
- Indirect Branch Call Analysis
- Process Code Segment Verification
- Process Lineage Analysis
- Process Self-Modification Detection
- Process Spawn Analysis
- Script Execution Analysis
- Shadow Stack Comparisons
- System Call Analysis

User Behavior Analysis
- Authentication Event Thresholding
- Credential Compromise Scope Analysis
- Domain Account Monitoring
- Job Function Access Pattern Analysis
- Local Account Monitoring
- Resource Access Pattern Analysis
- Session Duration Analysis
- User Data Transfer Analysis
- User Geolocation Logon Pattern Analysis
- Web Session Activity Analysis
Isolate
Isolation techniques create logical or physical barriers within a system, at the execution level (what a process may run or call) or at the network level (what may be resolved or reached), so that an adversary who has one foothold has fewer opportunities to gain further access.
MITRE D3FEND includes 22 countermeasure techniques under Isolate, counting the two parent techniques and their sub-techniques:
Execution Isolation
- Executable Allowlisting
- Executable Denylisting
- Hardware-based Process Isolation
- IO Port Restriction
- Kernel-based Process Isolation
- Mandatory Access Control
- System Call Filtering

Network Isolation
- DNS Allowlisting
- DNS Denylisting
- Forward Resolution Domain Denylisting
- Forward Resolution IP Denylisting
- Hierarchical Domain Denylisting
- Homoglyph Denylisting
- Reverse Resolution Domain Denylisting
- Reverse Resolution IP Denylisting
- Encrypted Tunnels
- Network Traffic Filtering
- Inbound Traffic Filtering
- Outbound Traffic Filtering
- Broadcast Domain Isolation
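Three of the Network Isolation techniques above, Forward Resolution Domain Denylisting, Hierarchical Domain Denylisting and Homoglyph Denylisting, compose naturally into one resolver policy. The Python below is an added example, not part of the original page and not D3FEND's or any resolver's own code: it decides whether a forward DNS query should be answered, refusing denylisted domains and everything beneath them, and refusing names whose lookalike-normalised form lands under a domain the organisation protects. The denylist, the protected domains and the confusable-character table are constructed assumptions for the illustration.

```python
"""Forward-resolution domain denylisting with hierarchical and homoglyph
matching (added example; denylist, protected domains and confusable table are
constructed for illustration).
"""
import unicodedata

# Domains to refuse to resolve, together with every subdomain beneath them.
DENYLIST = {"evil.example", "c2.example.net"}

# Domains the organisation legitimately uses; lookalikes of these are refused.
PROTECTED = {"example.com"}

# Small lookalike table, multi-character substitutions first. A real deployment
# would use the Unicode confusables data; this subset is an assumption.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),   # Cyrillic а е о
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),   # Cyrillic р с х
]


def to_unicode(name):
    """Lower-case, strip the trailing dot and decode punycode (xn--) labels so
    lookalikes can be compared as text rather than as ASCII encodings."""
    name = name.rstrip(".").lower()
    if "xn--" not in name:
        return name
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name


def skeleton(name):
    """Collapse a domain onto a comparable 'skeleton'.

    After NFKC normalisation each lookalike is replaced by the Latin letter it
    imitates, so 'examp1e.com' and 'ex\u0430mple.com' both become 'example.com'.
    The same transform is applied to the protected domains, so a legitimate
    'rn' in a protected name is handled consistently on both sides.
    """
    name = unicodedata.normalize("NFKC", to_unicode(name))
    for lookalike, plain in CONFUSABLES:
        name = name.replace(lookalike, plain)
    return name


def in_hierarchy(name, domains):
    """True if name equals an entry in domains or is a subdomain of one.

    Matching is label-wise, so 'notevil.example' does not match 'evil.example'
    the way a naive endswith() check would.
    """
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def resolve_policy(qname):
    """Decide whether a forward DNS query should be answered.

    Returns (allowed, reason). Explicit denylist entries win; then any name
    whose skeleton lands under a protected domain, but which is not actually
    under that domain, is treated as a homoglyph and refused.
    """
    name = to_unicode(qname)
    if in_hierarchy(name, DENYLIST):
        return False, "denylisted-domain"
    protected_skeletons = {skeleton(p) for p in PROTECTED}
    if in_hierarchy(skeleton(name), protected_skeletons) and not in_hierarchy(name, PROTECTED):
        return False, "homoglyph-of-protected-domain"
    return True, "allowed"


if __name__ == "__main__":
    for q in ["www.evil.example.", "notevil.example", "examp1e.com",
              "login.ex\u0430mple.com", "sso.example.com", "xn--mnchen-3ya.de"]:
        print(q, "->", resolve_policy(q))
```

The order of the checks matters: the skeleton comparison is only consulted for names that are not already on the denylist, and a real subdomain of a protected zone passes because it sits under the protected domain in its unnormalised form as well. Punycode is decoded before either check, otherwise an IDN lookalike would never be compared against its Latin target.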
Deceive
Deception techniques advertise, entice and allow a potential attacker into an observed or controlled environment, or plant objects that have no legitimate use. Any interaction with them is a high-confidence signal and reveals the adversary's tooling and intent.
MITRE D3FEND includes 11 countermeasure techniques under Deceive, counting the two parent techniques and their sub-techniques:
Decoy Environment
- Integrated Honeynet
- Connected Honeynet
- Standalone Honeynet

Decoy Object
- Decoy File
- Decoy Network Resource
- Decoy Persona
- Decoy Public Release
- Decoy Session Token
- Decoy User Credential
Evict
The eviction tactic is used to remove an adversary from a computer network or host once their presence is known, by taking away the credentials and processes they rely on.
MITRE D3FEND includes 5 countermeasure techniques under Evict, counting the two parent techniques and their sub-techniques:
Credential Eviction
- Account Locking
- Authentication Cache Invalidation

Process Eviction
- Process Termination
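The Detect, Deceive and Evict tactics above are meant to chain: a detection or a tripped decoy produces an eviction decision. The Python below is an added example, not part of the original page and not D3FEND's or any product's own code, that runs that chain over authentication log lines. It implements Authentication Event Thresholding (Detect, User Behavior Analysis) with a sliding window, flags any use of a Decoy User Credential (Deceive), and emits Account Locking and Authentication Cache Invalidation actions (Evict) plus a source block (Isolate, Inbound Traffic Filtering). A success immediately after a threshold breach is flagged as a likely credential compromise, in the spirit of Credential Compromise Scope Analysis. The sshd-style log lines, the threshold, the window and the decoy account name are constructed for the illustration.

```python
"""Authentication log analysis tying Detect, Deceive and Evict together
(added example; the sshd-style log lines below are constructed, not real).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst against alice that ends in a
# successful login, a slow trickle against bob, and one probe of a decoy account.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for alice from 203.0.113.5 port 50001 ssh2
2024-03-01T10:00:04Z sshd[1202]: Failed password for alice from 203.0.113.5 port 50002 ssh2
2024-03-01T10:00:07Z sshd[1203]: Failed password for alice from 203.0.113.5 port 50003 ssh2
2024-03-01T10:00:09Z sshd[1204]: Failed password for bob from 198.51.100.9 port 41000 ssh2
2024-03-01T10:00:11Z sshd[1205]: Failed password for alice from 203.0.113.5 port 50004 ssh2
2024-03-01T10:00:14Z sshd[1206]: Failed password for alice from 203.0.113.5 port 50005 ssh2
2024-03-01T10:00:20Z sshd[1207]: Accepted password for alice from 203.0.113.5 port 50006 ssh2
2024-03-01T10:05:30Z sshd[1208]: Failed password for bob from 198.51.100.9 port 41001 ssh2
2024-03-01T10:06:02Z sshd[1209]: Failed password for invalid user svc_backup from 192.0.2.77 port 33010 ssh2
"""

THRESHOLD = 5                    # failures per (user, source) ...
WINDOW = timedelta(minutes=2)    # ... within this sliding window
DECOY_ACCOUNTS = {"svc_backup"}  # planted decoy credential; never used legitimately

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line):
    """Parse one sshd-style line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyze(lines):
    """Run the log through the three tactics. Returns (alerts, actions).

    alerts:  (kind, user, ip, timestamp) tuples for the analyst.
    actions: (action, target) tuples a responder would carry out.
    """
    alerts, actions = [], []
    failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    locked = set()                  # users already evicted in this run

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]

        # Deceive: a decoy credential has no legitimate use, so any attempt,
        # successful or not, is a high-confidence alert and the source is
        # filtered (Isolate: Inbound Traffic Filtering).
        if user in DECOY_ACCOUNTS:
            alerts.append(("decoy-credential-use", user, ip, ts))
            actions.append(("block-source", ip))
            continue

        if ev["result"] == "Failed":
            # Detect: Authentication Event Thresholding over a sliding window,
            # keyed on (user, source) so a slow trickle does not accumulate.
            recent = failures[(user, ip)]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= THRESHOLD and user not in locked:
                alerts.append(("auth-threshold-exceeded", user, ip, ts))
                # Evict: Account Locking plus Authentication Cache Invalidation,
                # so sessions and tokens already issued die with the account.
                actions.append(("lock-account", user))
                actions.append(("invalidate-sessions", user))
                locked.add(user)
        elif user in locked:
            # A success right after a burst is the credential-compromise case
            # (Credential Compromise Scope Analysis): escalate rather than trust.
            alerts.append(("success-after-threshold", user, ip, ts))

    return alerts, actions


if __name__ == "__main__":
    found_alerts, found_actions = analyze(SAMPLE_LOG.splitlines())
    for a in found_alerts:
        print("ALERT ", a)
    for a in found_actions:
        print("ACTION", a)
```

Two design points carry over to real deployments: the window is evaluated per (user, source) pair, so bob's two failures five minutes apart never trigger, and locking the account is paired with invalidating its cached sessions, because a lock on its own leaves an already-issued session or token usable until it expires.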
GOALS of MITRE D3FEND
- Define a Digital Artifact Ontology that offensive and defensive techniques can both reference
- Describe the components and capabilities of each countermeasure technique
- Present the countermeasures graphically, as the D3FEND Matrix
- Remain publicly available for anyone to use and extend
Conclusion
MITRE D3FEND is a publicly released knowledge base that correlates adversary techniques from MITRE ATT&CK with defensive techniques through the digital artifacts both sides touch. It complements, rather than maps onto, the deception-focused MITRE SHIELD (now MITRE Engage).
Its main idea is to describe countermeasure components and capabilities in one consistent vocabulary and to organise them, by tactic, in the D3FEND Matrix.