MITRE D3FEND Knowledge Guides to Design Better Cyber Defenses

0

OVERVIEW

MITRE is an American-based nonprofitable organization whose main focus is to develop multiple security frameworks for both offense and defense posture, team MITRE has published several work such as MITRE ATT&CK, MITRE | SHIELD & MITRE D3FEND.


MITRE ATT&CK: an open-source framework that mainly focuses to understand or familiarize yourself with adversary tactics and techniques based on real-world observations.

MITRE SHIELD: an open-source framework publicly hosted to provide proactive countermeasures to actively defend against cyberattacks, the primary focus of the active defense framework.

MITRE D3FEND: 

MITRE D3FEND is an open-source framework that describes more about the cybersecurity countermeasure components and capabilities, which typically includes a knowledge graph of cybersecurity countermeasures.

This specific framework describes Digital Artifact Ontology and D3FEND Matrix

Digital Artifact Ontology

Is a process of correlating offensive models with defensive techniques to frame a simplified version of attack and defense countermeasure. 

D3FEND Matrix

D3FEND Matrix is a graphical representation of cybersecurity countermeasures that includes various phases such as 

  1. Harden
  2. Detect
  3. Isolate
  4. Deceive
  5. Evict

HARDEN:

HARDENING is a process of applying security countermeasures to a server/computer to minimize its attack surface, or surface of vulnerability, and potential attack vectors

MITRE D3FEND includes  32 countermeasure techniques for hardening techniques

Application HardeningCredential HardeningMessage HardeningPlatform Hardening
Pointer AuthenticationMulti-factor AuthenticationMessage AuthenticationFile Encryption
Application Configuration HardeningOne-time PasswordMessage EncryptionLocal File Permissions
Dead Code EliminationCertificate-based AuthenticationTransfer Agent AuthenticationBootloader Authentication
Exception Handler Pointer ValidationBiometric AuthenticationDisk Encryption
Process Segment Execution PreventionCertificate PinningDriver Load Integrity Checking
Segment Address Offset RandomizationCredential Transmission ScopingRF Shielding
Stack Frame Canary ValidationDomain Trust PolicySoftware Update
Strong Password PolicySystem Configuration Permissions
User Account PermissionsTPM Boot Integrity

Detect:

The process or techniques used to identify and detect adversary access to or unauthorized activity on computer networks

MITRE D3FEND includes  69 countermeasure techniques for Detect techniques

File AnalysisIdentifier AnalysisMessage AnalysisNetwork Traffic AnalysisPlatform MonitoringProcess AnalysisUser Behavior Analysis
Dynamic AnalysisHomoglyph DetectionSender MTA Reputation AnalysisByte Sequence EmulationFirmware Behavior AnalysisDatabase Query String AnalysisAuthentication Event Thresholding
Emulated File AnalysisURL AnalysisSender Reputation AnalysisCertificate AnalysisFirmware Embedded Monitoring CodeFile Access Pattern AnalysisCredential Compromise Scope Analysis
File Content RulesClient-server Payload ProfilingFirmware VerificationIndirect Branch Call AnalysisDomain Account Monitoring
File HashingConnection Attempt AnalysisOperating System MonitoringProcess Code Segment VerificationJob Function Access Pattern Analysis
DNS Traffic AnalysisPeripheral Firmware VerificationProcess Self-Modification DetectionLocal Account Monitoring
File CarvingSystem Firmware VerificationProcess Spawn AnalysisResource Access Pattern Analysis
Administrative Network Activity AnalysisService Binary VerificationScript Execution AnalysisSession Duration Analysis
Inbound Session Volume AnalysisInput Device AnalysisShadow Stack ComparisonsUser Data Transfer Analysis
IPC Traffic AnalysisMemory Boundary TrackingSystem Call AnalysisUser Geolocation Logon Pattern Analysis
Network Traffic Community DeviationScheduled Job AnalysisFile Creation AnalysisWeb Session Activity Analysis
Per Host Download-Upload Ratio AnalysisSystem Daemon MonitoringProcess Lineage Analysis
Protocol Metadata Anomaly DetectionSystem File Analysis
Relay Pattern AnalysisSystem Init Config Analysis
Active Certificate AnalysisUser Session Init Config Analysis
Passive Certificate AnalysisEndpoint Health Beacon
Remote Terminal Session Detection
RPC Traffic Analysis

Isolate:

The process or techniques used to create isolated environments to create a logical or physical barrier in a system which reduces opportunities for adversaries’ intrusions

MITRE D3FEND includes 22 countermeasure techniques for isolate techniques

Execution IsolationNetwork Isolation
Executable AllowlistingDNS Allowlisting
Executable DenylistingDNS Denylisting
Hardware-based Process IsolationEncrypted Tunnels
IO Port RestrictionNetwork Traffic Filtering
Kernel-based Process IsolationForward Resolution Domain Denylisting
Mandatory Access ControlForward Resolution IP Denylisting
System Call FilteringInbound Traffic Filtering
Outbound Traffic Filtering
Hierarchical Domain Denylisting
Homoglyph Denylisting
Broadcast Domain Isolation
Reverse Resolution Domain Denylisting
Reverse Resolution IP Denylisting

Deceive

The process or techniques used to create a deceive or a false environment to allow potential attackers access to an observed or controlled environment. Which is typically used to gain the main ideology behind the attack

MITRE D3FEND includes 11 countermeasure techniques for Deceive techniques

Decoy EnvironmentDecoy Object
Integrated HoneynetDecoy File
Connected HoneynetDecoy Network Resource
Standalone HoneynetDecoy Persona
Decoy Public Release
Decoy Session Token
Decoy User Credential

Evict

The eviction tactic is used to completely remove an adversary from an internal infrastructure.

MITRE D3FEND includes 5 countermeasure techniques for Evict techniques

Credential EvictionProcess Eviction
Account LockingProcess Termination
Authentication Cache Invalidation

GOALS of MITRE D3FEND 

  • To create a Digital Artifact Ontology
  • Provides countermeasure components and capabilities
  • Includes graphical representation of cybersecurity countermeasures
  • Open-source

Conclusion

MITRE D3FEND is an open-source framework that typically correlates the adversary techniques [MITRE ATT&CK] with Defensive strategies [MITRE SHIELD]

The main ideology is to provide various countermeasure components and capabilities mapped with the D3FEND matrix.

Reference:


Previous articleTop 7 Internet Safety Rules & What Not to Do Online
Next articleIcedID Banking Trojan returns with new TTPS – Detection & Response
A Cyber Security Aspirant Security Researcher | Red-Teamer |

LEAVE A REPLY

Please enter your comment!
Please enter your name here