MITRE D3FEND (TM) — A knowledge graph of cybersecurity countermeasures.
Mitre recently released the D3FEND framework, a countermeasure knowledge base for blue teams.
This framework includes semantically rigorous types and relations that define both the key concepts in the cybersecurity countermeasure domain and the relations necessary to link those concepts to each other.
The Mitre D3FEND framework in its Beta release is structured around five main sections: Harden, Detect, Isolate, Deceive and Evict.
The Mitre ATT&CK framework defines a set of tactics, techniques and procedures (TTPs) commonly used by attackers and the entities behind them, while the D3FEND framework provides guidelines and mitigation techniques for blue teams.
The Mitre ATT&CK framework includes examples of how well-known entities use the different procedures, and it also details how to detect and mitigate those TTPs.
From a blue team point of view, the ATT&CK framework can be used to help investigations, providing context and attribution. It can also help in finding and correlating different TTPs. Indicators or observables related to specific procedures (phishing, for example) can provide hints on other indicators and TTPs normally found in attack chains.
Finally, the ATT&CK framework also plays an important role when running simulations that test detection and response capabilities for a set of TTPs.
The Mitre D3FEND framework, on the other hand, focuses on countermeasures: the actions that need to be taken to increase the defensive capabilities of the organisation. All countermeasures are organised into techniques and subtechniques. In the D3FEND matrix each technique carries a number in its top left corner indicating how many countermeasures it includes and details.
What’s included in each subtechnique?
- A definition.
- How the countermeasure works.
- Considerations or potential caveats on implementing the countermeasure.
- How the countermeasure is linked to artifacts.
- How the countermeasure relates to the ATT&CK framework; in other words, which TTPs we’re trying to address/mitigate with each specific countermeasure.
- Finally, there’s also a list of references (NIST, MITRE, articles, white papers, etc.).
The relationship information should be read as the list of digital artifacts that will be strengthened once the countermeasure is applied. Each artifact includes a hyperlink that provides additional information, properties, context and all the other countermeasures in which the artifact appears in a relationship.
All artifacts belong to different categories, such as “Files”, “Network”, “Software”, etc.
As with the Mitre ATT&CK framework, using and implementing the D3FEND framework can be a long and winding road. Ideally you’d want to go through all the techniques and subtechniques and implement the countermeasures included there, and in subsequent blog entries that is what we’ll do here. Whenever possible, we’ll add additional context to each of the countermeasures covered (CIS Benchmarks for systems hardening, detection tools that can be used to apply detection countermeasures, etc.).
Another approach is to apply countermeasures by artifact or artifact type. In this case the implementation starts by hardening one or several artifacts of special relevance to the organisation, then selecting all the countermeasures in which those artifacts are referenced.
A third approach is to start from the ATT&CK framework. The D3FEND matrix includes a Mitre ATT&CK lookup at the top left:
Running a lookup on one specific TTP makes the matrix return the list of artifacts and countermeasures that can be used to address that TTP.
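As an added illustration (not part of the original post and not D3FEND's own data or tooling), the small Python model below encodes the relations described above on constructed sample data: countermeasures strengthen artifacts, offensive TTPs touch artifacts, and the ATT&CK lookup of the third approach walks from a TTP through its artifacts to the countermeasures, also flagging artifacts that no countermeasure in the graph covers. Every TTP, countermeasure, artifact and category name here is a constructed placeholder, not an official D3FEND or ATT&CK identifier.

```python
from collections import defaultdict

# Constructed miniature of a D3FEND-style knowledge graph. Sample data only: the
# names and categories are placeholders, not official D3FEND/ATT&CK entries.
# TTPs link to the artifacts they touch, countermeasures to the artifacts they
# strengthen; the two sides of the graph meet only through shared artifacts.
TTP_ARTIFACTS = {
    "Phishing": {"Email", "URL", "File"},
    "Credential Dumping": {"Process", "Memory"},
    "Remote Services": {"Network Traffic", "Credential"},
}
COUNTERMEASURE_ARTIFACTS = {
    "URL Analysis": {"URL"},
    "File Content Analysis": {"File"},
    "Process Memory Protection": {"Process", "Memory"},
    "Multi-factor Authentication": {"Credential"},
    "Network Traffic Filtering": {"Network Traffic"},
}
ARTIFACT_CATEGORY = {
    "Email": "Network", "URL": "Network", "Network Traffic": "Network",
    "File": "Files", "Process": "Software", "Memory": "Software", "Credential": "Identity",
}

def _invert(mapping):
    """Build artifact -> set of keys from a key -> artifacts mapping."""
    inverted = defaultdict(set)
    for key, artifacts in mapping.items():
        for artifact in artifacts:
            inverted[artifact].add(key)
    return inverted

ARTIFACT_COUNTERMEASURES = _invert(COUNTERMEASURE_ARTIFACTS)

def countermeasures_for_artifact(artifact):
    """Second approach: every countermeasure whose relationships reference the artifact."""
    return sorted(ARTIFACT_COUNTERMEASURES.get(artifact, ()))

def countermeasures_for_category(category):
    """Second approach by artifact type: union over every artifact in the category."""
    artifacts = [a for a, c in ARTIFACT_CATEGORY.items() if c == category]
    return sorted({cm for a in artifacts for cm in countermeasures_for_artifact(a)})

def lookup_ttp(ttp):
    """Third approach (ATT&CK lookup): walk TTP -> artifacts -> countermeasures and
    flag artifacts the TTP touches that no countermeasure in the graph strengthens."""
    artifacts = sorted(TTP_ARTIFACTS.get(ttp, ()))
    per_artifact = {a: countermeasures_for_artifact(a) for a in artifacts}
    return {
        "artifacts": artifacts,
        "countermeasures": sorted({cm for cms in per_artifact.values() for cm in cms}),
        "uncovered_artifacts": [a for a in artifacts if not per_artifact[a]],
    }
```

The `uncovered_artifacts` list is the practical output of such a lookup: artifacts a TTP touches for which the organisation has no countermeasure mapped yet.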