d3fend.csv
Latest commit 3409275 · Feb 1, 2024
183 lines (183 loc) · 23.5 KB
ID,D3FEND Tactic,D3FEND Technique,D3FEND Technique Level 0,D3FEND Technique Level 1,Definition
D3-AI,Model,Asset Inventory,,,
D3-HCI,Model,,Hardware Component Inventory,,"Hardware component inventorying identifies and records the hardware items in the organization's architecture."
D3-DI,Model,,Data Inventory,,"Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture."
D3-NNI,Model,,Network Node Inventory,,"Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture."
D3-AVE,Model,,Asset Vulnerability Enumeration,,"Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities."
D3-CIA,Model,,,Container Image Analysis,"Analyzing a container image with respect to a set of policies."
D3-CI,Model,,Configuration Inventory,,"Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization."
D3-SWI,Model,,Software Inventory,,"Software inventorying identifies and records the software items in the organization's architecture."
D3-NM,Model,Network Mapping,,,
D3-PLM,Model,,Physical Link Mapping,,"Physical link mapping identifies and models the link connectivity of the network devices within a physical network."
D3-PPLM,Model,,,Passive Physical Link Mapping,"Passive physical link mapping only listens to network traffic as a means to map the physical layer."
D3-APLM,Model,,,Active Physical Link Mapping,"Active physical link mapping sends and receives network traffic as a means to map the physical layer."
D3-NVA,Model,,Network Vulnerability Assessment,,"Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities."
D3-NTPM,Model,,Network Traffic Policy Mapping,,"Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels."
D3-LLM,Model,,Logical Link Mapping,,"Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata."
D3-PLLM,Model,,,Passive Logical Link Mapping,"Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections."
D3-ALLM,Model,,,Active Logical Link Mapping,"Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections."
D3-OAM,Model,Operational Activity Mapping,,,
D3-ODM,Model,,Operational Dependency Mapping,,"Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services). This may include modeling the higher- and lower-level activities of an organization, forming a hierarchy, or layering, of the dependencies in an organization's activities."
D3-ORA,Model,,Operational Risk Assessment,,"Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole."
D3-OM,Model,,Organization Mapping,,"Organization mapping identifies and models the people, roles, and groups within an organization and the relations between them."
D3-AM,Model,,Access Modeling,,"Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems."
D3-SYSM,Model,System Mapping,,,
D3-SYSVA,Model,,System Vulnerability Assessment,,"System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities."
D3-SYSDM,Model,,System Dependency Mapping,,"System dependency mapping identifies and models the dependencies of system components on each other to carry out their function."
D3-SVCDM,Model,,,Service Dependency Mapping,"Service dependency mapping determines the services on which each given service relies."
D3-DEM,Model,,Data Exchange Mapping,,"Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer."
D3-AH,Harden,Application Hardening,,,
D3-EHPV,Harden,,Exception Handler Pointer Validation,,"Validates that a referenced exception handler pointer is a valid exception handler."
D3-ACH,Harden,,Application Configuration Hardening,,"Modifying an application's configuration to reduce its attack surface."
D3-PAN,Harden,,Pointer Authentication,,"Comparing the cryptographic hash or derivative of a pointer's value to an expected value."
D3-DCE,Harden,,Dead Code Elimination,,"Removing unreachable or ""dead code"" from compiled source code."
D3-PSEP,Harden,,Process Segment Execution Prevention,,"Preventing execution of any address in a memory region other than the code segment."
D3-SAOR,Harden,,Segment Address Offset Randomization,,"Randomizing the base (start) address of one or more segments of memory during the initialization of a process."
D3-SFCV,Harden,,Stack Frame Canary Validation,,"Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite."
D3-CH,Harden,Credential Hardening,,,
D3-CTS,Harden,,Credential Transmission Scoping,,"Limiting the transmission of a credential to a scoped set of relying parties."
D3-UAP,Harden,,User Account Permissions,,"Restricting a user account's access to resources."
D3-CBAN,Harden,,Certificate-based Authentication,,"Requiring a digital certificate in order to authenticate a user."
D3-CP,Harden,,,Certificate Pinning,"Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections."
D3-DTP,Harden,,Domain Trust Policy,,"Restricting inter-domain trust by modifying domain configuration."
D3-BAN,Harden,,Biometric Authentication,,"Using biological measures in order to authenticate a user."
D3-OTP,Harden,,One-time Password,,"A one-time password is valid for only one user authentication."
D3-SPP,Harden,,Strong Password Policy,,"Modifying system configuration to increase password strength."
D3-CRO,Harden,,Credential Rotation,,"Expiring an existing set of credentials and reissuing a new valid set."
D3-MFA,Harden,,Multi-factor Authentication,,"Requiring proof of two or more pieces of evidence in order to authenticate a user."
D3-MH,Harden,Message Hardening,,,
D3-TAAN,Harden,,Transfer Agent Authentication,,"Validating that server components of a messaging infrastructure are authorized to send a particular message."
D3-MENCR,Harden,,Message Encryption,,"Encrypting a message body using a cryptographic key."
D3-MAN,Harden,,Message Authentication,,"Authenticating the sender of a message and ensuring message integrity."
D3-PH,Harden,Platform Hardening,,,
D3-DENCR,Harden,,Disk Encryption,,"Encrypting a hard disk partition to prevent cleartext access to a file system."
D3-TBI,Harden,,TPM Boot Integrity,,"Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM)."
D3-RFS,Harden,,RF Shielding,,"Adding physical barriers to a platform to prevent undesired radio interference."
D3-BA,Harden,,Bootloader Authentication,,"Cryptographically authenticating the bootloader software before system boot."
D3-SCP,Harden,,System Configuration Permissions,,"Restricting system configuration modifications to a specific user or group of users."
D3-FE,Harden,,File Encryption,,"Encrypting a file using a cryptographic key."
D3-SU,Harden,,Software Update,,"Replacing old software on a computer system component."
D3-DLIC,Harden,,Driver Load Integrity Checking,,"Ensuring the integrity of drivers loaded during initialization of the operating system."
D3-LFP,Harden,,Local File Permissions,,"Restricting access to a local file by configuring operating system functionality."
D3-UBA,Detect,User Behavior Analysis,,,
D3-DAM,Detect,,Domain Account Monitoring,,"Monitoring the existence of or changes to Domain User Accounts."
D3-SDA,Detect,,Session Duration Analysis,,"Analyzing the duration of user sessions in order to detect unauthorized activity."
D3-UGLPA,Detect,,User Geolocation Logon Pattern Analysis,,"Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location."
D3-WSAA,Detect,,Web Session Activity Analysis,,"Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior."
D3-JFAPA,Detect,,Job Function Access Pattern Analysis,,"Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role, such as job title, function, or department."
D3-CCSA,Detect,,Credential Compromise Scope Analysis,,"Determining which credentials may have been compromised by analyzing the user logon history of a particular system."
D3-AZET,Detect,,Authorization Event Thresholding,,"Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile."
D3-ANET,Detect,,Authentication Event Thresholding,,"Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile."
D3-RAPA,Detect,,Resource Access Pattern Analysis,,"Analyzing the resources accessed by a user to identify unauthorized activity."
D3-LAM,Detect,,Local Account Monitoring,,"Analyzing local user accounts to detect unauthorized activity."
D3-UDTA,Detect,,User Data Transfer Analysis,,"Analyzing the amount of data transferred by a user."
D3-MA,Detect,Message Analysis,,,
D3-SRA,Detect,,Sender Reputation Analysis,,"Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging)."
D3-SMRA,Detect,,,Sender MTA Reputation Analysis,"Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails."
D3-FA,Detect,File Analysis,,,
D3-FH,Detect,,File Hashing,,"Employing file hash comparisons to detect known malware."
D3-FCOA,Detect,,File Content Analysis,,"Employing a pattern matching algorithm to statically analyze the content of files."
D3-FCR,Detect,,,File Content Rules,"Employing a pattern matching rule language to analyze the content of files."
D3-EFA,Detect,,Emulated File Analysis,,"Emulating instructions in a file looking for specific patterns."
D3-DA,Detect,,Dynamic Analysis,,"Executing or opening a file in a synthetic ""sandbox"" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader."
D3-NTA,Detect,Network Traffic Analysis,,,
D3-RTA,Detect,,RPC Traffic Analysis,,"Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities."
D3-IPCTA,Detect,,IPC Traffic Analysis,,"Analyzing standard inter-process communication (IPC) protocols to detect deviations from normal protocol activity."
D3-RTSD,Detect,,Remote Terminal Session Detection,,"Detection of an unauthorized remote live terminal console session by examining network traffic to a network host."
D3-RPA,Detect,,Relay Pattern Analysis,,"The detection of an internal host relaying traffic between the internal network and the external network."
D3-PMAD,Detect,,Protocol Metadata Anomaly Detection,,"Collecting network communication protocol metadata and identifying statistical outliers."
D3-PHDURA,Detect,,Per Host Download-Upload Ratio Analysis,,"Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host."
D3-DNSTA,Detect,,DNS Traffic Analysis,,"Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host."
D3-FC,Detect,,File Carving,,"Identifying and extracting files from network application protocols through the use of network stream reassembly software."
D3-ISVA,Detect,,Inbound Session Volume Analysis,,"Analyzing inbound network session or connection attempt volume."
D3-NTCD,Detect,,Network Traffic Community Deviation,,"Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication."
D3-CSPP,Detect,,Client-server Payload Profiling,,"Comparing client-server request and response payloads to a baseline profile to identify outliers."
D3-ANAA,Detect,,Administrative Network Activity Analysis,,"Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline."
D3-CAA,Detect,,Connection Attempt Analysis,,"Analyzing failed connections in a network to detect unauthorized activity."
D3-BSE,Detect,,Byte Sequence Emulation,,"Analyzing sequences of bytes and determining if they likely represent malicious shellcode."
D3-CA,Detect,,Certificate Analysis,,"Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed, using network traffic, certificate fields, and third-party logs."
D3-PCA,Detect,,,Passive Certificate Analysis,"Passively collecting certificates and analyzing them."
D3-PCA,Detect,,,Passive Certificate Analysis,"Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity."
D3-ACA,Detect,,,Active Certificate Analysis,"Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis."
D3-ID,Detect,Identifier Analysis,,,
D3-UA,Detect,,URL Analysis,,"Determining if a URL is benign or malicious by analyzing the URL or its components."
D3-IRA,Detect,,Identifier Reputation Analysis,,"Analyzing the reputation of an identifier."
D3-URA,Detect,,,URL Reputation Analysis,"Analyzing the reputation of a URL."
D3-IPRA,Detect,,,IP Reputation Analysis,"Analyzing the reputation of an IP address."
D3-FHRA,Detect,,,File Hash Reputation Analysis,"Analyzing the reputation of a file hash."
D3-DNRA,Detect,,,Domain Name Reputation Analysis,"Analyzing the reputation of a domain name."
D3-IAA,Detect,,Identifier Activity Analysis,,"Taking known malicious identifiers and determining if they are present in a system."
D3-HD,Detect,,Homoglyph Detection,,"Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user."
D3-PA,Detect,Process Analysis,,,
D3-FAPA,Detect,,File Access Pattern Analysis,,"Analyzing the files accessed by a process to identify unauthorized activity."
D3-DQSA,Detect,,Database Query String Analysis,,"Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html)."
D3-SSC,Detect,,Shadow Stack Comparisons,,"Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity."
D3-SEA,Detect,,Script Execution Analysis,,"Analyzing the execution of a script to detect unauthorized user activity."
D3-PSA,Detect,,Process Spawn Analysis,,"Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized."
D3-PLA,Detect,,Process Lineage Analysis,,"Identification of suspicious processes executing on an endpoint device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors."
D3-IBCA,Detect,,Indirect Branch Call Analysis,,"Analyzing vendor-specific branch call recording in order to detect ROP style attacks."
D3-SCA,Detect,,System Call Analysis,,"Analyzing system calls to determine whether a process is exhibiting unauthorized behavior."
D3-FCA,Detect,,File Creation Analysis,,"Analyzing the properties of file create system call invocations."
D3-PSMD,Detect,,Process Self-Modification Detection,,"Detects processes that modify, change, or replace their own code at runtime."
D3-PCSV,Detect,,,Process Code Segment Verification,"Comparing the ""text"" or ""code"" memory segments to a source of truth."
D3-PM,Detect,Platform Monitoring,,,
D3-OSM,Detect,,Operating System Monitoring,,"The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**."
D3-SDM,Detect,,,System Daemon Monitoring,"Tracking changes to the state or configuration of critical system level processes."
D3-USICA,Detect,,,User Session Init Config Analysis,"Analyzing modifications to user session config files such as .bashrc or .bash_profile."
D3-SJA,Detect,,,Scheduled Job Analysis,"Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling."
D3-IDA,Detect,,,Input Device Analysis,"Operating system level mechanisms to prevent abusive input device exploitation."
D3-SFA,Detect,,,System File Analysis,"Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering."
D3-SBV,Detect,,,Service Binary Verification,"Analyzing changes in service binary files by comparing to a source of truth."
D3-EHB,Detect,,,Endpoint Health Beacon,"Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised."
D3-MBT,Detect,,,Memory Boundary Tracking,"Analyzing a call stack for return addresses which point to unexpected memory locations."
D3-SICA,Detect,,,System Init Config Analysis,"Analysis of any system process startup configuration."
D3-FV,Detect,,Firmware Verification,,"Cryptographically verifying firmware integrity."
D3-SFV,Detect,,,System Firmware Verification,"Cryptographically verifying installed system firmware integrity."
D3-PFV,Detect,,,Peripheral Firmware Verification,"Cryptographically verifying peripheral firmware integrity."
D3-FEMC,Detect,,Firmware Embedded Monitoring Code,,"Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data."
D3-FBA,Detect,,Firmware Behavior Analysis,,"Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity."
D3-FIM,Detect,,File Integrity Monitoring,,"Detecting any suspicious changes to files in a computer system."
D3-NI,Isolate,Network Isolation,,,
D3-NTF,Isolate,,Network Traffic Filtering,,"Restricting network traffic originating from any location."
D3-OTF,Isolate,,,Outbound Traffic Filtering,"Restricting network traffic originating from a private host or enclave destined towards untrusted networks."
D3-ITF,Isolate,,,Inbound Traffic Filtering,"Restricting network traffic originating from untrusted networks destined towards a private host or enclave."
D3-EF,Isolate,,Email Filtering,,"Filtering incoming email traffic based on specific criteria."
D3-DNSAL,Isolate,,DNS Allowlisting,,"Permitting only approved domains and their subdomains to be resolved."
D3-DNSDL,Isolate,,DNS Denylisting,,"Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type."
D3-RRID,Isolate,,,Reverse Resolution IP Denylisting,"Blocking a reverse lookup based on the query's IP address value."
D3-RRDD,Isolate,,,Reverse Resolution Domain Denylisting,"Blocking a reverse DNS lookup's answer's domain name value."
D3-FRIDL,Isolate,,,Forward Resolution IP Denylisting,"Blocking a DNS lookup's answer's IP address value."
D3-FRDDL,Isolate,,,Forward Resolution Domain Denylisting,"Blocking a lookup based on the query's domain name value."
D3-HDL,Isolate,,,Homoglyph Denylisting,"Blocking DNS queries that are deceptively similar to legitimate domain names."
D3-HDDL,Isolate,,,Hierarchical Domain Denylisting,"Blocking the resolution of any subdomain of a specified domain name."
D3-BDI,Isolate,,Broadcast Domain Isolation,,"Broadcast isolation restricts the number of computers a host can contact on its LAN."
D3-ET,Isolate,,Encrypted Tunnels,,"Encrypted encapsulation of routable network traffic."
D3-EI,Isolate,Execution Isolation,,,
D3-KBPI,Isolate,,Kernel-based Process Isolation,,"Using kernel-level capabilities to isolate processes."
D3-SCF,Isolate,,,System Call Filtering,"Configuring a kernel to use an allow or deny list to filter kernel API calls."
D3-MAC,Isolate,,,Mandatory Access Control,"Controlling access to local computer system resources with kernel-level capabilities."
D3-IOPR,Isolate,,IO Port Restriction,,"Limiting access to computer input/output (IO) ports to restrict unauthorized devices."
D3-HBPI,Isolate,,Hardware-based Process Isolation,,"Preventing one process from writing to the memory space of another process through hardware-based address manager implementations."
D3-EDL,Isolate,,Executable Denylisting,,"Blocking the execution of files on a host in accordance with defined application policy rules."
D3-EAL,Isolate,,Executable Allowlisting,,"Using a digital signature to authenticate a file before opening."
D3-DE,Deceive,Decoy Environment,,,
D3-SHN,Deceive,,Standalone Honeynet,,"An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems."
D3-IHN,Deceive,,Integrated Honeynet,,"The practice of setting decoys in a production environment to entice interaction from attackers."
D3-CHN,Deceive,,Connected Honeynet,,"A decoy service, system, or environment that is connected to the enterprise network and simulates or emulates certain functionality to the network without exposing full access to a production system."
D3-DO,Deceive,Decoy Object,,,
D3-DST,Deceive,,Decoy Session Token,,"An authentication token created for the purposes of deceiving an adversary."
D3-DP,Deceive,,Decoy Persona,,"Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries."
D3-DPR,Deceive,,Decoy Public Release,,"Issuing publicly released media to deceive adversaries."
D3-DNR,Deceive,,Decoy Network Resource,,"Deploying a network resource for the purposes of deceiving an adversary."
D3-DUC,Deceive,,Decoy User Credential,,"A credential created for the purpose of deceiving an adversary."
D3-DF,Deceive,,Decoy File,,"A file created for the purposes of deceiving an adversary."
D3-CE,Evict,Credential Eviction,,,
D3-CR,Evict,,Credential Revoking,,"Deleting a set of credentials permanently to prevent them from being used to authenticate."
D3-ANCI,Evict,,Authentication Cache Invalidation,,"Removing tokens or credentials from an authentication cache to prevent further user associated account accesses."
D3-AL,Evict,,Account Locking,,"The process of temporarily disabling user accounts on a system or domain."
D3-PE,Evict,Process Eviction,,,
D3-PT,Evict,,Process Termination,,"Terminating a running application process on a computer system."
D3-PS,Evict,,Process Suspension,,"Suspending a running process on a computer system."
D3-FEV,Evict,File Eviction,,,
D3-FR,Evict,,File Removal,,"The file removal technique deletes malicious artifacts or programs from a computer system."
D3-ER,Evict,,Email Removal,,"The email removal technique deletes email files from system storage."