What Is MITRE D3FEND, and How Do You Use It?


This post was previously published on The New Stack.

MITRE is a world-renowned research organization that aims to help build a safer world. It is probably best known in the information security industry for being the organization behind the industry-standard CVE (Common Vulnerabilities and Exposures) list. Each entry on the list is supposed to include an explanation of how the vulnerability could be exploited.

These attack vectors are tracked and defined in another well-known knowledge base called ATT&CK, which is also maintained by MITRE. While both the so-called red and blue teams (offensive and defensive security teams) rely on ATT&CK to provide a standardized language around offensive techniques, it does not do the same for defensive techniques. This is where D3FEND comes into play.

What Exactly Is MITRE D3FEND?

D3FEND, which was assembled over several years and first released in mid-2021, is a welcome addition to MITRE’s collection of resources. MITRE defines D3FEND as a “knowledge graph of cybersecurity countermeasure techniques.”

The goal is not to prescribe, prioritize or even rate the effectiveness of the countermeasures it describes, but rather, to provide a standardized language and framework for defensive techniques. In other words, it does for the blue team what the ATT&CK framework has done for the red team and offensive techniques since 2013.

Figure 1: The MITRE D3FEND Matrix

The D3FEND Matrix looks a bit like the periodic table. Each record contains a definition of the countermeasure, a description of how it works, a list of considerations that must be taken into account when using the countermeasure and information about relevant types of digital artifacts.

Figure 2: An Individual Record in D3FEND (Part 1) 

D3FEND also provides a useful reference map that shows which countermeasures will help mitigate against various offensive techniques described in the ATT&CK knowledge base. In addition, it contains a general-purpose reference section that includes information about patents, among other things.

Figure 3: An Individual Record in D3FEND (Part 2) 

Why Do We Need MITRE D3FEND?

In short, the D3FEND framework provides standardized terminology that members of the blue team can use among themselves and with their vendors to ensure that everyone is talking about the same technique. Previously, different vendors would use slightly different terminology or rely on the ATT&CK framework as their point of reference. But while the ATT&CK framework is great for some parts of a security organization, it’s not universal. That’s why D3FEND is important: It gives everyone a common language around defensive techniques that eliminates ambiguity.

Security relies on specifics more than most areas of the information technology world, which can make it feel very pedantic. There are no gray areas in security — you are either vulnerable, or you are not. When you ask someone if a vulnerability applies, for example, or if a countermeasure is in place, “it depends” is not what you want to hear. That’s because “it depends” really means that there is a possibility that you are vulnerable — or, at the very least, it creates some uncertainty about your security status. The precise terminology introduced by D3FEND provides the clarity and certainty that are critical to the blue team’s world.

Next Steps: Embed D3FEND into Your Security Processes

The next step is to put the data that MITRE D3FEND provides to work in your security processes and procedures, especially through security automation tooling.

You could apply this to many different use cases, but probably the easiest way to take advantage of it is to enhance any CVE notification workflows that you have in place. Whether a CVE comes in directly from a vendor or is identified in an in-house application by a Software Composition Analysis (SCA) or Static Application Security Testing (SAST) tool, the attack vectors are included in the CVE data (found on sites like NVD). These attack vectors, particularly when combined with the descriptions, can be used to identify potential countermeasures. You can then include links to the appropriate D3FEND countermeasures in the messages that go to the support and maintenance team for that application. This extra data allows the team to make more timely decisions, which in turn shortens the time it takes to mitigate any risk introduced by the CVE.
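The enrichment step described above, as an added example that is not part of the original post: a constructed NVD-style CVE record is matched against simple keyword rules (assumed, not MITRE's) to infer likely ATT&CK techniques, those are mapped to D3FEND countermeasures through a small hardcoded table (the technique pairs and the D3FEND URL form are assumptions; a real workflow would load MITRE's published mapping), and the result is rendered as the message sent to the application's support team.

```python
import json
import re

# Constructed sample mapping from ATT&CK technique IDs to D3FEND countermeasures.
# The pairs are assumptions for illustration; a production workflow would load
# the current ATT&CK-to-D3FEND mapping published by MITRE instead of hardcoding it.
ATTACK_TO_D3FEND = {
    "T1190": [("D3-ITF", "Inbound Traffic Filtering"), ("D3-NTA", "Network Traffic Analysis")],
    "T1059": [("D3-PSA", "Process Spawn Analysis"), ("D3-EAL", "Executable Allowlisting")],
}

# Assumed keyword rules: (description pattern, required CVSS attack vector or None, ATT&CK ID).
KEYWORD_RULES = [
    (re.compile(r"remote code execution|arbitrary code", re.I), "NETWORK", "T1190"),
    (re.compile(r"command injection|arbitrary command", re.I), None, "T1059"),
]

# Constructed NVD-style CVE record, trimmed to the fields this example uses (placeholder ID).
SAMPLE_CVE = json.loads("""{
  "id": "CVE-0000-00000",
  "description": "A remote attacker can achieve remote code execution via command injection in the upload handler.",
  "attackVector": "NETWORK",
  "application": "billing-api"
}""")

def infer_attack_techniques(cve):
    """Return ATT&CK technique IDs whose rule matches the description and attack vector."""
    found = []
    for pattern, vector, technique in KEYWORD_RULES:
        if pattern.search(cve["description"]) and vector in (None, cve["attackVector"]):
            if technique not in found:
                found.append(technique)
    return found

def d3fend_links(techniques):
    """Map ATT&CK techniques to D3FEND countermeasure links (URL form is an assumption)."""
    links = {}
    for t in techniques:
        for d3_id, name in ATTACK_TO_D3FEND.get(t, []):
            links.setdefault(d3_id, f"https://d3fend.mitre.org/technique/d3f:{name.replace(' ', '')}/")
    return links

def build_notification(cve):
    """Compose the enriched message for the application's support and maintenance team."""
    techniques = infer_attack_techniques(cve)
    links = d3fend_links(techniques)
    lines = [f"[{cve['application']}] {cve['id']} ({cve['attackVector']}): {cve['description']}",
             "Likely ATT&CK techniques: " + (", ".join(techniques) or "none inferred"),
             "Candidate D3FEND countermeasures:"]
    lines += [f"  - {d3_id}: {url}" for d3_id, url in links.items()]
    return {"techniques": techniques, "countermeasures": links, "message": "\n".join(lines)}
```

Running `build_notification(SAMPLE_CVE)["message"]` yields the enriched notification; a local-only CVE with the same description maps to fewer techniques because the NETWORK rule no longer fires.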

Acronyms and Definitions

CVE. CVE stands for Common Vulnerabilities and Exposures. The CVE program is sponsored by the U.S. Department of Homeland Security and backed primarily by MITRE.

ATT&CK. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of offensive tactics and techniques backed by MITRE.

D3FEND. D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense. It’s funded by the National Security Agency (NSA) and backed by MITRE.

Blue team. The blue team is a defensive security team within the information security space that focuses on improving security controls in the three big areas of people, processes, and technologies.

Red team. The red team is an offensive security team that focuses on identifying exploits and validating security controls through activities like penetration testing and social engineering.

NVD. The National Vulnerability Database is a standardized repository for recording CVE-related information.

Vince Power is an Enterprise Architect with a focus on digital transformation built with cloud enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management, and test automation. You can find @vincepower on Twitter. Vince is a regular contributor at Fixate IO.

