MITRE D3FEND

Defensive techniques mapped against ATT&CK — know how to defend

All 56 techniques Model 27 Harden 55 Detect 90 Isolate 56 Deceive 11 Evict 19 Restore 12
D3-AMED Isolate
Access Mediation
Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies.
D3-APA Isolate
Access Policy Administration
Access policy administration is the systematic process of defining, implementing, and managing access control policies that dictate user permissions to resources.
D3-ABPI Isolate
Application-based Process Isolation
Application code which prevents its own subroutines from accessing intra-process / internal memory space.
Counters 10 ATT&CK
D3-BDI Isolate
Broadcast Domain Isolation
Broadcast isolation restricts the number of computers a host can contact on their LAN.
D3-CNE Isolate
Content Excision
Removing specific, potentially malicious, parts of content
D3-CF Isolate
Content Filtering
Content Filtering techniques aid in the process of analyzing an input file for malicious or erroneous content and outputing a sanitized version.
Counters 46 ATT&CK
D3-CFC Isolate
Content Format Conversion
Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening.
D3-CM Isolate
Content Modification
Modify content that does not comply with policy.
Counters 46 ATT&CK
D3-CQ Isolate
Content Quarantine
Transfer content that does not comply with policy to a quarantine zone.
Counters 48 ATT&CK
D3-CNR Isolate
Content Rebuild
Rebuild the file according to the spec so any unreferenced components or objects are removed.
D3-CNS Isolate
Content Substitution
Modifies specific digital content information by replacing it with something else.
D3-CV Isolate
Content Validation
Verify and validate contents complies with policy
D3-CTS Isolate
Credential Transmission Scoping
Limiting the transmission of a credential to a scoped set of relying parties.
Counters 10 ATT&CK
D3-DNSAL Isolate
DNS Allowlisting
Permitting only approved domains and their subdomains to be resolved.
Counters 2 ATT&CK
D3-DNSDL Isolate
DNS Denylisting
Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.
Counters 2 ATT&CK
D3-DNL Isolate
Directional Network Link
Enforce one-way network communication by preventing two-way communication.
D3-DTP Isolate
Domain Trust Policy
Restricting inter-domain trust by modifying domain configuration.
Counters 1 ATT&CK
D3-EF Isolate
Email Filtering
Filtering incoming email traffic based on specific criteria.
Counters 3 ATT&CK
D3-ET Isolate
Encrypted Tunnels
Encrypted encapsulation of routable network traffic.
D3-EBWSAM Isolate
Endpoint-based Web Server Access Mediation
Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access.
D3-EAL Isolate
Executable Allowlisting
Using a digital signature to authenticate a file before opening.
Counters 28 ATT&CK
D3-EDL Isolate
Executable Denylisting
Blocking the execution of files on a host in accordance with defined application policy rules.
Counters 28 ATT&CK
D3-EI Isolate
Execution Isolation
Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
D3-FCDC Isolate
File Content Decompression Checking
Checking if compressed or encoded data sections can be successfully decompressed or decoded. Can follow with further analysis with semantic knowledge
D3-FFV Isolate
File Format Verification
Verifying that a file conforms to its expected format specifications
Counters 1 ATT&CK
D3-FISV Isolate
File Internal Structure Verification
The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification.
D3-FMBV Isolate
File Magic Byte Verification
Utilizing the magic number to verify the file
D3-FMCV Isolate
File Metadata Consistency Validation
The process of validating the consistency between a file's metadata and its actual content, ensuring that elements like declared lengths, pointers, and checksums accurately describe the file's content.
D3-FMVV Isolate
File Metadata Value Verification
The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification.
D3-FRDDL Isolate
Forward Resolution Domain Denylisting
Blocking a lookup based on the query's domain name value.
Counters 2 ATT&CK
D3-FRIDL Isolate
Forward Resolution IP Denylisting
Blocking a DNS lookup's answer's IP address value.
D3-HBPI Isolate
Hardware-based Process Isolation
Preventing one process from writing to the memory space of another process through hardware based address manager implementations.
Counters 24 ATT&CK
D3-HDDL Isolate
Hierarchical Domain Denylisting
Blocking the resolution of any subdomain of a specified domain name.
D3-HDL Isolate
Homoglyph Denylisting
Blocking DNS queries that are deceptively similar to legitimate domain names.
D3-IOPR Isolate
IO Port Restriction
Limiting access to computer input/output (IO) ports to restrict unauthorized devices.
Counters 7 ATT&CK
D3-ITF Isolate
Inbound Traffic Filtering
Restricting network traffic originating from untrusted networks destined towards a private host or enclave.
Counters 4 ATT&CK
D3-KBPI Isolate
Kernel-based Process Isolation
Using kernel-level capabilities to isolate processes.
Counters 10 ATT&CK
D3-LAMED Isolate
LAN Access Mediation
LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network.
D3-LFAM Isolate
Local File Access Mediation
Local file access mediation is the process of an operating system granting or denying a specific access request to a local file.
D3-LFP Isolate
Local File Permissions
Local file permissions is the systematic process of defining, implementing, and managing access control policies that dictate user permissions for accessing files on a local system through the configuration of operating system functionality.
Counters 46 ATT&CK
D3-NAM Isolate
Network Access Mediation
Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet.
D3-NI Isolate
Network Isolation
Network Isolation techniques prevent network hosts from accessing non-essential system network resources.
D3-NRAM Isolate
Network Resource Access Mediation
Control of access to organizational systems and services by users or processes over a network.
Counters 7 ATT&CK
D3-NTF Isolate
Network Traffic Filtering
Restricting network traffic originating from any location.
Counters 48 ATT&CK
D3-OVAR Isolate
OT Variable Access Restriction
Assign read/write access controls on designated registers or data tags to prevent unauthorized writes.
D3-OPR Isolate
Operating Mode Restriction
Restricting unauthorized changes to the operating mode prevents devices from switching into inappropriate or vulnerable states during normal use.
D3-OTF Isolate
Outbound Traffic Filtering
Restricting network traffic originating from a private host or enclave destined towards untrusted networks.
Counters 19 ATT&CK
D3-PAM Isolate
Physical Access Mediation
Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)
D3-EPL Isolate
Physical Locking
Employ a mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position.
D3-PBWSAM Isolate
Proxy-based Web Server Access Mediation
Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers.
D3-RFAM Isolate
Remote File Access Mediation
Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files.
Counters 46 ATT&CK
D3-RRID Isolate
Reverse Resolution IP Denylisting
Blocking a reverse lookup based on the query's IP address value.
Counters 2 ATT&CK
D3-RAM Isolate
Routing Access Mediation
Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing.
D3-SCF Isolate
System Call Filtering
Controlling access to local computer system resources with kernel-level capabilities.
Counters 33 ATT&CK
D3-UAP Isolate
User Account Permissions
Restricting a user account's access to resources.
Counters 6 ATT&CK
D3-WSAM Isolate
Web Session Access Mediation
Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related attacks.
Counters 7 ATT&CK