d3fend.csv
| ID | D3FEND Tactic | D3FEND Technique | Definition |
|---|---|---|---|
| D3-AI | Model | Asset Inventory | |
| D3-HCI | Model | Hardware Component Inventory | Hardware component inventorying identifies and records the hardware items in the organization's architecture. |
| D3-DI | Model | Data Inventory | Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture. |
| D3-NNI | Model | Network Node Inventory | Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture. |
| D3-AVE | Model | Asset Vulnerability Enumeration | Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities. |
| D3-CIA | Model | Container Image Analysis | Analyzing a container image with respect to a set of policies. |
| D3-CI | Model | Configuration Inventory | Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization. |
| D3-SWI | Model | Software Inventory | Software inventorying identifies and records the software items in the organization's architecture. |
| D3-NM | Model | Network Mapping | |
| D3-PLM | Model | Physical Link Mapping | Physical link mapping identifies and models the link connectivity of the network devices within a physical network. |
| D3-PPLM | Model | Passive Physical Link Mapping | Passive physical link mapping only listens to network traffic as a means to map the physical layer. |
| D3-APLM | Model | Active Physical Link Mapping | Active physical link mapping sends and receives network traffic as a means to map the physical layer. |
| D3-NVA | Model | Network Vulnerability Assessment | Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities. |
| D3-NTPM | Model | Network Traffic Policy Mapping | Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels. |
| D3-LLM | Model | Logical Link Mapping | Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata. |
| D3-PLLM | Model | Passive Logical Link Mapping | Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections. |
| D3-ALLM | Model | Active Logical Link Mapping | Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections. |
| D3-OAM | Model | Operational Activity Mapping | |
| D3-ODM | Model | Operational Dependency Mapping | Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services). This may include modeling the higher- and lower-level activities of an organization, forming a hierarchy, or layering, of the dependencies in an organization's activities. |
| D3-ORA | Model | Operational Risk Assessment | Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole. |
| D3-OM | Model | Organization Mapping | Organization mapping identifies and models the people, roles, and groups within an organization and the relations between them. |
| D3-AM | Model | Access Modeling | Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems. |
| D3-SYSM | Model | System Mapping | |
| D3-SYSVA | Model | System Vulnerability Assessment | System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities. |
| D3-SYSDM | Model | System Dependency Mapping | System dependency mapping identifies and models the dependencies of system components on each other to carry out their function. |
| D3-SVCDM | Model | Service Dependency Mapping | Service dependency mapping determines the services on which each given service relies. |
| D3-DEM | Model | Data Exchange Mapping | Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer. |
| D3-AH | Harden | Application Hardening | |
| D3-EHPV | Harden | Exception Handler Pointer Validation | Validates that a referenced exception handler pointer is a valid exception handler. |
| D3-ACH | Harden | Application Configuration Hardening | Modifying an application's configuration to reduce its attack surface. |
| D3-PAN | Harden | Pointer Authentication | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. |
| D3-DCE | Harden | Dead Code Elimination | Removing unreachable or "dead" code from compiled source code. |
| D3-PSEP | Harden | Process Segment Execution Prevention | Preventing execution of any address in a memory region other than the code segment. |
| D3-SAOR | Harden | Segment Address Offset Randomization | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. |
| D3-SFCV | Harden | Stack Frame Canary Validation | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. |
| D3-CH | Harden | Credential Hardening | |
| D3-CTS | Harden | Credential Transmission Scoping | Limiting the transmission of a credential to a scoped set of relying parties. |
| D3-UAP | Harden | User Account Permissions | Restricting a user account's access to resources. |
| D3-CBAN | Harden | Certificate-based Authentication | Requiring a digital certificate in order to authenticate a user. |
| D3-CP | Harden | Certificate Pinning | Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity, to allow for greater client confidence in the remote server's identity for SSL connections. |
| D3-DTP | Harden | Domain Trust Policy | Restricting inter-domain trust by modifying domain configuration. |
| D3-BAN | Harden | Biometric Authentication | Using biological measures in order to authenticate a user. |
| D3-OTP | Harden | One-time Password | A one-time password is valid for only one user authentication. |
| D3-SPP | Harden | Strong Password Policy | Modifying system configuration to increase password strength. |
| D3-CRO | Harden | Credential Rotation | Expiring an existing set of credentials and reissuing a new valid set. |
| D3-MFA | Harden | Multi-factor Authentication | Requiring proof of two or more pieces of evidence in order to authenticate a user. |
| D3-MH | Harden | Message Hardening | |
| D3-TAAN | Harden | Transfer Agent Authentication | Validating that server components of a messaging infrastructure are authorized to send a particular message. |
| D3-MENCR | Harden | Message Encryption | Encrypting a message body using a cryptographic key. |
| D3-MAN | Harden | Message Authentication | Authenticating the sender of a message and ensuring message integrity. |
| D3-PH | Harden | Platform Hardening | |
| D3-DENCR | Harden | Disk Encryption | Encrypting a hard disk partition to prevent cleartext access to a file system. |
| D3-TBI | Harden | TPM Boot Integrity | Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM). |
| D3-RFS | Harden | RF Shielding | Adding physical barriers to a platform to prevent undesired radio interference. |
| D3-BA | Harden | Bootloader Authentication | Cryptographically authenticating the bootloader software before system boot. |
| D3-SCP | Harden | System Configuration Permissions | Restricting system configuration modifications to a specific user or group of users. |
| D3-FE | Harden | File Encryption | Encrypting a file using a cryptographic key. |
| D3-SU | Harden | Software Update | Replacing old software on a computer system component. |
| D3-DLIC | Harden | Driver Load Integrity Checking | Ensuring the integrity of drivers loaded during initialization of the operating system. |
| D3-LFP | Harden | Local File Permissions | Restricting access to a local file by configuring operating system functionality. |
| D3-UBA | Detect | User Behavior Analysis | |
| D3-DAM | Detect | Domain Account Monitoring | Monitoring the existence of or changes to domain user accounts. |
| D3-SDA | Detect | Session Duration Analysis | Analyzing the duration of user sessions in order to detect unauthorized activity. |
| D3-UGLPA | Detect | User Geolocation Logon Pattern Analysis | Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. |
| D3-WSAA | Detect | Web Session Activity Analysis | Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior. |
| D3-JFAPA | Detect | Job Function Access Pattern Analysis | Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role, such as job title, function, or department. |
| D3-CCSA | Detect | Credential Compromise Scope Analysis | Determining which credentials may have been compromised by analyzing the user logon history of a particular system. |
| D3-AZET | Detect | Authorization Event Thresholding | Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile. |
| D3-ANET | Detect | Authentication Event Thresholding | Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile. |
| D3-RAPA | Detect | Resource Access Pattern Analysis | Analyzing the resources accessed by a user to identify unauthorized activity. |
| D3-LAM | Detect | Local Account Monitoring | Analyzing local user accounts to detect unauthorized activity. |
| D3-UDTA | Detect | User Data Transfer Analysis | Analyzing the amount of data transferred by a user. |
| D3-MA | Detect | Message Analysis | |
| D3-SRA | Detect | Sender Reputation Analysis | Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging). |
| D3-SMRA | Detect | Sender MTA Reputation Analysis | Characterizing the reputation of mail transfer agents (MTAs) to determine the security risk in emails. |
| D3-FA | Detect | File Analysis | |
| D3-FH | Detect | File Hashing | Employing file hash comparisons to detect known malware. |
| D3-FCOA | Detect | File Content Analysis | Employing a pattern matching algorithm to statically analyze the content of files. |
| D3-FCR | Detect | File Content Rules | Employing a pattern matching rule language to analyze the content of files. |
| D3-EFA | Detect | Emulated File Analysis | Emulating instructions in a file looking for specific patterns. |
| D3-DA | Detect | Dynamic Analysis | Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader. |
| D3-NTA | Detect | Network Traffic Analysis | |
| D3-RTA | Detect | RPC Traffic Analysis | Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. |
| D3-IPCTA | Detect | IPC Traffic Analysis | Analyzing standard inter-process communication (IPC) protocols to detect deviations from normal protocol activity. |
| D3-RTSD | Detect | Remote Terminal Session Detection | Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. |
| D3-RPA | Detect | Relay Pattern Analysis | The detection of an internal host relaying traffic between the internal network and the external network. |
| D3-PMAD | Detect | Protocol Metadata Anomaly Detection | Collecting network communication protocol metadata and identifying statistical outliers. |
| D3-PHDURA | Detect | Per Host Download-Upload Ratio Analysis | Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. |
| D3-DNSTA | Detect | DNS Traffic Analysis | Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host. |
| D3-FC | Detect | File Carving | Identifying and extracting files from network application protocols through the use of network stream reassembly software. |
| D3-ISVA | Detect | Inbound Session Volume Analysis | Analyzing inbound network session or connection attempt volume. |
| D3-NTCD | Detect | Network Traffic Community Deviation | Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. |
| D3-CSPP | Detect | Client-server Payload Profiling | Comparing client-server request and response payloads to a baseline profile to identify outliers. |
| D3-ANAA | Detect | Administrative Network Activity Analysis | Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. |
| D3-CAA | Detect | Connection Attempt Analysis | Analyzing failed connections in a network to detect unauthorized activity. |
| D3-BSE | Detect | Byte Sequence Emulation | Analyzing sequences of bytes and determining if they likely represent malicious shellcode. |
| D3-CA | Detect | Certificate Analysis | Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed, using network traffic, certificate fields, and third-party logs. |
| D3-PCA | Detect | Passive Certificate Analysis | Passively collecting certificates and analyzing them. |
| D3-PCA | Detect | Passive Certificate Analysis | Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. |
| D3-ACA | Detect | Active Certificate Analysis | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. |
| D3-ID | Detect | Identifier Analysis | |
| D3-UA | Detect | URL Analysis | Determining if a URL is benign or malicious by analyzing the URL or its components. |
| D3-IRA | Detect | Identifier Reputation Analysis | Analyzing the reputation of an identifier. |
| D3-URA | Detect | URL Reputation Analysis | Analyzing the reputation of a URL. |
| D3-IPRA | Detect | IP Reputation Analysis | Analyzing the reputation of an IP address. |
| D3-FHRA | Detect | File Hash Reputation Analysis | Analyzing the reputation of a file hash. |
| D3-DNRA | Detect | Domain Name Reputation Analysis | Analyzing the reputation of a domain name. |
| D3-IAA | Detect | Identifier Activity Analysis | Taking known malicious identifiers and determining if they are present in a system. |
| D3-HD | Detect | Homoglyph Detection | Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user. |
| D3-PA | Detect | Process Analysis | |
| D3-FAPA | Detect | File Access Pattern Analysis | Analyzing the files accessed by a process to identify unauthorized activity. |
| D3-DQSA | Detect | Database Query String Analysis | Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). |
| D3-SSC | Detect | Shadow Stack Comparisons | Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. |
| D3-SEA | Detect | Script Execution Analysis | Analyzing the execution of a script to detect unauthorized user activity. |
| D3-PSA | Detect | Process Spawn Analysis | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. |
| D3-PLA | Detect | Process Lineage Analysis | Identification of suspicious processes executing on an endpoint device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors. |
| D3-IBCA | Detect | Indirect Branch Call Analysis | Analyzing vendor-specific branch call recording in order to detect ROP-style attacks. |
| D3-SCA | Detect | System Call Analysis | Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. |
| D3-FCA | Detect | File Creation Analysis | Analyzing the properties of file create system call invocations. |
| D3-PSMD | Detect | Process Self-Modification Detection | Detects processes that modify, change, or replace their own code at runtime. |
| D3-PCSV | Detect | Process Code Segment Verification | Comparing the "text" or "code" memory segments to a source of truth. |
| D3-PM | Detect | Platform Monitoring | |
| D3-OSM | Detect | Operating System Monitoring | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**. |
| D3-SDM | Detect | System Daemon Monitoring | Tracking changes to the state or configuration of critical system-level processes. |
| D3-USICA | Detect | User Session Init Config Analysis | Analyzing modifications to user session config files such as .bashrc or .bash_profile. |
| D3-SJA | Detect | Scheduled Job Analysis | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. |
| D3-IDA | Detect | Input Device Analysis | Operating system level mechanisms to prevent abusive input device exploitation. |
| D3-SFA | Detect | System File Analysis | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. |
| D3-SBV | Detect | Service Binary Verification | Analyzing changes in service binary files by comparing to a source of truth. |
| D3-EHB | Detect | Endpoint Health Beacon | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. |
| D3-MBT | Detect | Memory Boundary Tracking | Analyzing a call stack for return addresses which point to unexpected memory locations. |
| D3-SICA | Detect | System Init Config Analysis | Analysis of any system process startup configuration. |
| D3-FV | Detect | Firmware Verification | Cryptographically verifying firmware integrity. |
| D3-SFV | Detect | System Firmware Verification | Cryptographically verifying installed system firmware integrity. |
| D3-PFV | Detect | Peripheral Firmware Verification | Cryptographically verifying peripheral firmware integrity. |
| D3-FEMC | Detect | Firmware Embedded Monitoring Code | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. |
| D3-FBA | Detect | Firmware Behavior Analysis | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. |
| D3-FIM | Detect | File Integrity Monitoring | Detecting any suspicious changes to files in a computer system. |
| D3-NI | Isolate | Network Isolation | |
| D3-NTF | Isolate | Network Traffic Filtering | Restricting network traffic originating from any location. |
| D3-OTF | Isolate | Outbound Traffic Filtering | Restricting network traffic originating from a private host or enclave destined towards untrusted networks. |
| D3-ITF | Isolate | Inbound Traffic Filtering | Restricting network traffic originating from untrusted networks destined towards a private host or enclave. |
| D3-EF | Isolate | Email Filtering | Filtering incoming email traffic based on specific criteria. |
| D3-DNSAL | Isolate | DNS Allowlisting | Permitting only approved domains and their subdomains to be resolved. |
| D3-DNSDL | Isolate | DNS Denylisting | Blocking DNS network traffic based on criteria such as IP address, domain name, or DNS query type. |
| D3-RRID | Isolate | Reverse Resolution IP Denylisting | Blocking a reverse lookup based on the query's IP address value. |
| D3-RRDD | Isolate | Reverse Resolution Domain Denylisting | Blocking a reverse DNS lookup's answer's domain name value. |
| D3-FRIDL | Isolate | Forward Resolution IP Denylisting | Blocking a DNS lookup's answer's IP address value. |
| D3-FRDDL | Isolate | Forward Resolution Domain Denylisting | Blocking a lookup based on the query's domain name value. |
| D3-HDL | Isolate | Homoglyph Denylisting | Blocking DNS queries that are deceptively similar to legitimate domain names. |
| D3-HDDL | Isolate | Hierarchical Domain Denylisting | Blocking the resolution of any subdomain of a specified domain name. |
| D3-BDI | Isolate | Broadcast Domain Isolation | Broadcast isolation restricts the number of computers a host can contact on its LAN. |
| D3-ET | Isolate | Encrypted Tunnels | Encrypted encapsulation of routable network traffic. |
| D3-EI | Isolate | Execution Isolation | |
| D3-KBPI | Isolate | Kernel-based Process Isolation | Using kernel-level capabilities to isolate processes. |
| D3-SCF | Isolate | System Call Filtering | Configuring a kernel to use an allow or deny list to filter kernel API calls. |
| D3-MAC | Isolate | Mandatory Access Control | Controlling access to local computer system resources with kernel-level capabilities. |
| D3-IOPR | Isolate | IO Port Restriction | Limiting access to computer input/output (IO) ports to restrict unauthorized devices. |
| D3-HBPI | Isolate | Hardware-based Process Isolation | Preventing one process from writing to the memory space of another process through hardware-based address manager implementations. |
| D3-EDL | Isolate | Executable Denylisting | Blocking the execution of files on a host in accordance with defined application policy rules. |
| D3-EAL | Isolate | Executable Allowlisting | Using a digital signature to authenticate a file before opening. |
| D3-DE | Deceive | Decoy Environment | |
| D3-SHN | Deceive | Standalone Honeynet | An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems. |
| D3-IHN | Deceive | Integrated Honeynet | The practice of setting decoys in a production environment to entice interaction from attackers. |
| D3-CHN | Deceive | Connected Honeynet | A decoy service, system, or environment that is connected to the enterprise network and simulates or emulates certain functionality to the network, without exposing full access to a production system. |
| D3-DO | Deceive | Decoy Object | |
| D3-DST | Deceive | Decoy Session Token | An authentication token created for the purpose of deceiving an adversary. |
| D3-DP | Deceive | Decoy Persona | Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries. |
| D3-DPR | Deceive | Decoy Public Release | Issuing publicly released media to deceive adversaries. |
| D3-DNR | Deceive | Decoy Network Resource | Deploying a network resource for the purpose of deceiving an adversary. |
| D3-DUC | Deceive | Decoy User Credential | A credential created for the purpose of deceiving an adversary. |
| D3-DF | Deceive | Decoy File | A file created for the purpose of deceiving an adversary. |
| D3-CE | Evict | Credential Eviction | |
| D3-CR | Evict | Credential Revoking | Deleting a set of credentials permanently to prevent them from being used to authenticate. |
| D3-ANCI | Evict | Authentication Cache Invalidation | Removing tokens or credentials from an authentication cache to prevent further accesses to the associated user account. |
| D3-AL | Evict | Account Locking | The process of temporarily disabling user accounts on a system or domain. |
| D3-PE | Evict | Process Eviction | |
| D3-PT | Evict | Process Termination | Terminating a running application process on a computer system. |
| D3-PS | Evict | Process Suspension | Suspending a running process on a computer system. |
| D3-FEV | Evict | File Eviction | |
| D3-FR | Evict | File Removal | The file removal technique deletes malicious artifacts or programs from a computer system. |
| D3-ER | Evict | Email Removal | The email removal technique deletes email files from system storage. |