MITRE D3FEND

Defensive techniques mapped against ATT&CK — know how to defend

All 90 techniques Model 27 Harden 55 Detect 90 Isolate 56 Deceive 11 Evict 19 Restore 12
D3-ACA Detect
Active Certificate Analysis
Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.
D3-ANAA Detect
Administrative Network Activity Analysis
Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
Counters 6 ATT&CK
D3-AEM Detect
Application Exception Monitoring
Monitoring the failures of system counters and timers.
Counters 8 ATT&CK
D3-APM Detect
Application Performance Monitoring
Monitoring the count and duration of the application or program cycle.
D3-APCA Detect
Application Protocol Command Analysis
Analyzing application protocol level remote commands to detect unauthorized activity.
Counters 48 ATT&CK
D3-ANET Detect
Authentication Event Thresholding
Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
D3-AZET Detect
Authorization Event Thresholding
Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.
D3-BSE Detect
Byte Sequence Emulation
Analyzing sequences of bytes and determining if they likely represent malicious shellcode.
D3-CA Detect
Certificate Analysis
Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.
Counters 5 ATT&CK
D3-CSPP Detect
Client-server Payload Profiling
Comparing client-server request and response payloads to a baseline profile to identify outliers.
Counters 48 ATT&CK
D3-CAA Detect
Connection Attempt Analysis
Analyzing failed connections in a network to detect unauthorized activity.
Counters 13 ATT&CK
D3-CCSA Detect
Credential Compromise Scope Analysis
Determining which credentials may have been compromised by analyzing the user logon history of a particular system.
Counters 10 ATT&CK
D3-DNSTA Detect
DNS Traffic Analysis
Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.
Counters 3 ATT&CK
D3-DQSA Detect
Database Query String Analysis
Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).
Counters 1 ATT&CK
D3-DAM Detect
Domain Account Monitoring
Monitoring the existence of or changes to Domain User Accounts.
Counters 4 ATT&CK
D3-DNRA Detect
Domain Name Reputation Analysis
Analyzing the reputation of a domain name.
D3-DA Detect
Dynamic Analysis
Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.
Counters 22 ATT&CK
D3-ELM Detect
Electronic Lock Monitoring
Monitoring electronic lock and door hardware states and access events (e.g., locked/unlocked, access granted/denied, door forced/held, tamper) to detect and respond to unauthorized entry.
D3-EFA Detect
Emulated File Analysis
Emulating instructions in a file looking for specific patterns.
Counters 22 ATT&CK
D3-EHB Detect
Endpoint Health Beacon
Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
Counters 4 ATT&CK
D3-FAPA Detect
File Access Pattern Analysis
Analyzing the files accessed by a process to identify unauthorized activity.
D3-FA Detect
File Analysis
File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
Counters 46 ATT&CK
D3-FC Detect
File Carving
Identifying and extracting files from network application protocols through the use of network stream reassembly software.
Counters 2 ATT&CK
D3-FCOA Detect
File Content Analysis
Employing a pattern matching algorithm to statically analyze the content of files.
D3-FCR Detect
File Content Rules
Employing a pattern matching rule language to analyze the content of files.
D3-FCA Detect
File Creation Analysis
Analyzing the properties of file create system call invocations.
Counters 2 ATT&CK
D3-FHRA Detect
File Hash Reputation Analysis
Analyzing the reputation of a file hash.
D3-FH Detect
File Hashing
Employing file hash comparisons to detect known malware.
D3-FIM Detect
File Integrity Monitoring
Detecting any suspicious changes to files in a computer system.
Counters 46 ATT&CK
D3-FBA Detect
Firmware Behavior Analysis
Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.
Counters 2 ATT&CK
D3-FEMC Detect
Firmware Embedded Monitoring Code
Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.
Counters 2 ATT&CK
D3-FV Detect
Firmware Verification
Cryptographically verifying firmware integrity.
Counters 2 ATT&CK
D3-HD Detect
Homoglyph Detection
Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.
Counters 5 ATT&CK
D3-IPRA Detect
IP Reputation Analysis
Analyzing the reputation of an IP address.
D3-IPCTA Detect
IPC Traffic Analysis
Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.
Counters 1 ATT&CK
D3-IAA Detect
Identifier Activity Analysis
Taking known malicious identifiers and determining if they are present in a system.
Counters 3 ATT&CK
D3-ID Detect
Identifier Analysis
Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.
D3-IRA Detect
Identifier Reputation Analysis
Analyzing the reputation of an identifier.
D3-ISVA Detect
Inbound Session Volume Analysis
Analyzing inbound network session or connection attempt volume.
Counters 4 ATT&CK
D3-IBCA Detect
Indirect Branch Call Analysis
Analyzing vendor specific branch call recording in order to detect ROP style attacks.
D3-IDA Detect
Input Device Analysis
Operating system level mechanisms to prevent abusive input device exploitation.
Counters 3 ATT&CK
D3-JFAPA Detect
Job Function Access Pattern Analysis
Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.
D3-LAM Detect
Local Account Monitoring
Analyzing local user accounts to detect unauthorized activity.
Counters 3 ATT&CK
D3-MBT Detect
Memory Boundary Tracking
Analyzing a call stack for return addresses which point to unexpected memory locations.
Counters 7 ATT&CK
D3-MA Detect
Message Analysis
Analyzing email or instant message content to detect unauthorized activity.
D3-MSM Detect
Motion Sensor Monitoring
Monitoring events from motion detectors (e.g., passive IR, microwave, dual-technology) to detect presence or movement within protected areas.
D3-NTA Detect
Network Traffic Analysis
Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
D3-NTCD Detect
Network Traffic Community Deviation
Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
Counters 48 ATT&CK
D3-NTSA Detect
Network Traffic Signature Analysis
Analyzing network traffic and compares it to known signatures
Counters 48 ATT&CK
D3-OMM Detect
Operating Mode Monitoring
Detects operating modes such as Program, Run, Remote, or Stop.
D3-OSM Detect
Operating System Monitoring
The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.
D3-OPM Detect
Operational Process Monitoring
Monitoring physical parameters and operator actions related to an operational environment.
Counters 8 ATT&CK
D3-PCA Detect
Passive Certificate Analysis
Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.
D3-PHDURA Detect
Per Host Download-Upload Ratio Analysis
Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.
Counters 48 ATT&CK
D3-PFV Detect
Peripheral Firmware Verification
Cryptographically verifying peripheral firmware integrity.
D3-PHAM Detect
Physical Access Monitoring
Monitoring the physical access of a specified environment through detection, recording, reviewing, and logging of who/what enters and exists areas.
D3-PM Detect
Platform Monitoring
Monitoring platform components such as operating systems software, hardware devices, or firmware.
D3-PUM Detect
Platform Uptime Monitoring
Monitor the amount of time since the last power cycle or restart.
D3-PA Detect
Process Analysis
Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
D3-PCSV Detect
Process Code Segment Verification
Comparing the "text" or "code" memory segments to a source of truth.
Counters 7 ATT&CK
D3-PLA Detect
Process Lineage Analysis
Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
Counters 10 ATT&CK
D3-PSMD Detect
Process Self-Modification Detection
Detects processes that modify, change, or replace their own code at runtime.
Counters 10 ATT&CK
D3-PSA Detect
Process Spawn Analysis
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
Counters 24 ATT&CK
D3-PMAD Detect
Protocol Metadata Anomaly Detection
Collecting network communication protocol metadata and identifying statistical outliers.
Counters 48 ATT&CK
D3-PSM Detect
Proximity Sensor Monitoring
Monitoring events from proximity sensors that indicate a credential or tagged asset is within the sensor’s read range or a defined zone. Common enabling technologies include RFID, Bluetooth Low Energy (BLE), and Ultra-Wideband (UWB).
D3-RTA Detect
RPC Traffic Analysis
Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
Counters 1 ATT&CK
D3-RPA Detect
Relay Pattern Analysis
The detection of an internal host relaying traffic between the internal network and the external network.
Counters 19 ATT&CK
D3-RFUM Detect
Remote Firmware Update Monitoring
Monitoring of remote firmware update commands to identify unauthorized software installations.
D3-RTSD Detect
Remote Terminal Session Detection
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
Counters 48 ATT&CK
D3-RAPA Detect
Resource Access Pattern Analysis
Analyzing the resources accessed by a user to identify unauthorized activity.
D3-SJA Detect
Scheduled Job Analysis
Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.
Counters 2 ATT&CK
D3-SEA Detect
Script Execution Analysis
Analyzing the execution of a script to detect unauthorized user activity.
D3-SMRA Detect
Sender MTA Reputation Analysis
Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.
Counters 3 ATT&CK
D3-SRA Detect
Sender Reputation Analysis
Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).
Counters 3 ATT&CK
D3-SBV Detect
Service Binary Verification
Analyzing changes in service binary files by comparing to a source of truth.
Counters 6 ATT&CK
D3-SDA Detect
Session Duration Analysis
Analyzing the duration of user sessions in order to detect unauthorized activity.
D3-SSC Detect
Shadow Stack Comparisons
Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.
Counters 5 ATT&CK
D3-SCA Detect
System Call Analysis
Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.
Counters 27 ATT&CK
D3-SDM Detect
System Daemon Monitoring
Tracking changes to the state or configuration of critical system level processes.
Counters 2 ATT&CK
D3-SFA Detect
System File Analysis
Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
Counters 9 ATT&CK
D3-SFV Detect
System Firmware Verification
Cryptographically verifying installed system firmware integrity.
Counters 1 ATT&CK
D3-SICA Detect
System Init Config Analysis
Analysis of any system process startup configuration.
Counters 4 ATT&CK
D3-UA Detect
URL Analysis
Determining if a URL is benign or malicious by analyzing the URL or its components.
Counters 3 ATT&CK
D3-URA Detect
URL Reputation Analysis
Analyzing the reputation of a URL.
Counters 3 ATT&CK
D3-UBA Detect
User Behavior Analysis
User behavior analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns-anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
D3-UDTA Detect
User Data Transfer Analysis
Analyzing the amount of data transferred by a user.
D3-UGLPA Detect
User Geolocation Logon Pattern Analysis
Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
Counters 48 ATT&CK
D3-USICA Detect
User Session Init Config Analysis
Analyzing modifications to user session config files such as .bashrc or .bash_profile.
Counters 2 ATT&CK
D3-VS Detect
Video Surveillance
Monitoring of physical areas via camera video feeds to deter, detect, and investigate unauthorized access and related security events.
Counters 1 ATT&CK
D3-WSAA Detect
Web Session Activity Analysis
Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.