D3FEND, a framework for cybersecurity professionals to tailor defenses against specific cyber threats, is now available through MITRE. NSA funded MITRE’s research for D3FEND to improve the cybersecurity of National Security Systems, the Department of Defense, and the Defense Industrial Base. The D3FEND technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior.
D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods. This framework illustrates the complex interplay between computer network architectures, threats, and cyber countermeasures.
MITRE released D3FEND as a complement to its existing ATT&CK framework, a free, globally-accessible knowledge base of cyber adversary tactics and techniques based on real-world observations. Industry and government use ATT&CK as a foundation to develop specific cyber threat models and methodologies.
Complementary to the threat-based ATT&CK model, D3FEND provides a model of ways to counter common offensive techniques, enumerating how defensive techniques impact an actor’s ability to succeed. By framing computer network defender complexity of countermeasure functions and techniques as granularly as ATT&CK frames computer network attacker techniques, D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface. As a result, D3FEND will drive more effective design, deployment, and defense of networked systems writ large.
Frameworks such as ATT&CK and D3FEND provide mission-agnostic tools for industry and government to conduct analyses and communicate findings. Whether categorizing adversary behavior or detailing how defensive capabilities mitigate threats, frameworks provide common descriptions that empower information sharing and operational collaboration for an ever-evolving cyber landscape.
NSA and MITRE encourage the cybersecurity community to promote the adoption of this vocabulary by cybersecurity professionals across government, industry, and academia. Cybersecurity professionals can provide comments to improve and add to the framework by contacting the MITRE D3FEND team at https://d3fend.mitre.org.