The MITRE Corporation performs research in several different fields, including cybersecurity. The MITRE ATT&CK framework was developed as part of this research to help improve understanding of cyberattacks and how a hacker can achieve particular objectives throughout the lifecycle of an attack campaign.
The MITRE ATT&CK framework focuses on offensive cybersecurity, describing how different attacks can be performed, detected, and mitigated. In June 2021, MITRE released D3FEND, a new framework designed to complement ATT&CK.
What is D3FEND?
D3FEND breaks cyber defense into five Tactics: Harden, Detect, Isolate, Deceive, and Evict. Below these Tactics are more specific categories (such as Application Hardening and Credential Hardening) and specific Techniques to achieve these goals.
MITRE D3FEND provides a useful collection of cybersecurity best practices that an organization can use to better protect its network and systems, but this is not all it does. Like MITRE Shield (a framework for Active Defense), D3FEND provides a mapping of its Techniques to those of the offensive MITRE ATT&CK framework. This enables an organization to learn how a specific Technique from D3FEND can help to protect the organization against certain types of attacks.
The Techniques in MITRE D3FEND do not yet carry the same depth of information as their counterparts in the ATT&CK framework. However, each does offer a clear description of how the technique works, important considerations for applying it, and references for additional information.
Using ATT&CK, Shield, and D3FEND
With D3FEND, MITRE closed a gap in its existing collection of frameworks. The original ATT&CK framework describes offensive behaviors. The recent Shield framework discusses how defenders can engage adversaries using Active Defense. Now, D3FEND provides information about countermeasures that defenders can use to harden and protect their infrastructure.
All three of these frameworks are interrelated and designed to provide defenders with the information and tools they need to improve their security. Each framework plays an essential role in an organization’s security strategy:
- ATT&CK describes attacker behaviors so that organizations can guide the development of detection mechanisms and test their defenses against them
- Shield outlines techniques that organizations can use to misdirect and otherwise trip up attackers within their environments
- D3FEND discusses defensive best practices that organizations should implement with links to public references for additional information
An organization’s security team would be well served by systematically working through each Technique in the three frameworks and incorporating its guidance into the organization’s security strategy. MITRE also publishes a simplified view of the relationships between offensive ATT&CK techniques and the D3FEND techniques that counter them.
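To make the ATT&CK-to-D3FEND mapping concrete, here is an added example (not from the article, and not MITRE's own data or tooling) that scores an illustrative D3FEND mapping against a constructed list of ATT&CK techniques seen in threat intelligence, ranks which defensive techniques would cover the most observed behaviors, and lists the observed techniques that nothing in the mapping addresses. The technique ids are real ATT&CK and D3FEND ids, but the pairings and the observed set are a simplified sample, not the official D3FEND knowledge graph.

```python
# Added example: coverage-gap scoring over an illustrative D3FEND -> ATT&CK mapping.
# Not part of the original article and not MITRE's own data; the pairings below
# are a constructed, simplified sample, not the official D3FEND knowledge graph.

# The five D3FEND Tactics named in the article, in its order.
TACTICS = ("Harden", "Detect", "Isolate", "Deceive", "Evict")

# D3FEND technique id -> (tactic, name, set of ATT&CK technique ids it counters).
D3FEND = {
    "D3-MFA": ("Harden", "Multi-factor Authentication", {"T1078", "T1110"}),
    "D3-SPP": ("Harden", "Strong Password Policy", {"T1110"}),
    "D3-AL":  ("Evict",  "Account Locking", {"T1110"}),
    "D3-UBA": ("Detect", "User Behavior Analysis", {"T1078"}),
}

# Constructed sample of ATT&CK techniques "seen in threat intelligence".
OBSERVED = {"T1078", "T1110", "T1566"}  # Valid Accounts, Brute Force, Phishing


def countermeasures_for(attack_id, mapping=D3FEND):
    """All D3FEND techniques in the mapping that counter one ATT&CK technique id."""
    return sorted(d3 for d3, (_, _, counters) in mapping.items() if attack_id in counters)


def prioritize(observed, mapping=D3FEND):
    """Rank defensive techniques by how many observed ATT&CK techniques each counters.
    Ties break on id so the ordering is deterministic. Returns [(d3_id, tactic, hits)]."""
    scored = []
    for d3, (tactic, _name, counters) in mapping.items():
        hits = len(counters & observed)
        if hits:
            scored.append((d3, tactic, hits))
    return sorted(scored, key=lambda row: (-row[2], row[0]))


def uncovered(observed, mapping=D3FEND):
    """Observed ATT&CK techniques with no countermeasure in the mapping: the gaps to research."""
    covered = set().union(*(counters for _, _, counters in mapping.values()))
    return sorted(observed - covered)


def coverage_by_tactic(observed, mapping=D3FEND):
    """Number of observed ATT&CK techniques each D3FEND Tactic addresses at least once."""
    per_tactic = {tactic: set() for tactic in TACTICS}
    for tactic, _name, counters in mapping.values():
        per_tactic[tactic] |= counters & observed
    return {tactic: len(ids) for tactic, ids in per_tactic.items()}


if __name__ == "__main__":
    for d3, tactic, hits in prioritize(OBSERVED):
        print(f"{d3:8} {tactic:7} counters {hits} observed technique(s)")
    print("uncovered:", uncovered(OBSERVED))
    print("by tactic:", coverage_by_tactic(OBSERVED))
```

Swapping in the full D3FEND mapping and an organization's own threat-intelligence feed turns this into a first-pass prioritization of which Techniques to work through first.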
How MorganFranklin Can Help
MITRE D3FEND is the latest tool in the MITRE portfolio that began with ATT&CK. Organizations using this framework can take advantage of its guidance and use it to protect against specific ATT&CK techniques.
MorganFranklin can help guide this process within an organization by providing insight, based on experience and threat intelligence, into which techniques the organization should focus on first. It can also advise on translating the recommendations of ATT&CK, Shield, and D3FEND into usable security controls, policies, and procedures within the organization.