MITRE D3FEND

Defensive techniques mapped against ATT&CK — know how to defend

All 27 techniques Model 27 Harden 55 Detect 90 Isolate 56 Deceive 11 Evict 19 Restore 12
D3-AM Model
Access Modeling
Access modeling captures and records the access permissions granted to identities (e.g., administrators, users, groups, systems) and optionally includes details on how these identities are stored, managed, and shared across systems.
Counters 12 ATT&CK
D3-ALLM Model
Active Logical Link Mapping
Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection
D3-APLM Model
Active Physical Link Mapping
Active physical link mapping sends and receives network traffic as a means to map the physical layer.
D3-AI Model
Asset Inventory
Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.
D3-AVE Model
Asset Vulnerability Enumeration
Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.
Counters 19 ATT&CK
D3-CI Model
Configuration Inventory
Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.
Counters 24 ATT&CK
D3-CIA Model
Container Image Analysis
Analyzing a Container Image with respect to a set of policies.
Counters 1 ATT&CK
D3-DEM Model
Data Exchange Mapping
Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.
D3-DI Model
Data Inventory
Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.
Counters 18 ATT&CK
D3-DPLM Model
Direct Physical Link Mapping
Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links.
D3-HCI Model
Hardware Component Inventory
Hardware component inventorying identifies and records the hardware items in the organization's architecture.
Counters 11 ATT&CK
D3-LLM Model
Logical Link Mapping
Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.
Counters 4 ATT&CK
D3-NM Model
Network Mapping
Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.
D3-NNI Model
Network Node Inventory
Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.
Counters 4 ATT&CK
D3-NTPM Model
Network Traffic Policy Mapping
Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.
Counters 7 ATT&CK
D3-NVA Model
Network Vulnerability Assessment
Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.
D3-OAM Model
Operational Activity Mapping
Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.
D3-ODM Model
Operational Dependency Mapping
Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.
D3-ORA Model
Operational Risk Assessment
Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.
D3-OM Model
Organization Mapping
Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.
D3-PLLM Model
Passive Logical Link Mapping
Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.
D3-PLM Model
Physical Link Mapping
Physical link mapping identifies and models the link connectivity of the network devices within a physical network.
Counters 4 ATT&CK
D3-SVCDM Model
Service Dependency Mapping
Service dependency mapping determines the services on which each given service relies.
D3-SWI Model
Software Inventory
Software inventorying identifies and records the software items in the organization's architecture.
Counters 19 ATT&CK
D3-SYSDM Model
System Dependency Mapping
System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.
D3-SYSM Model
System Mapping
System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.
D3-SYSVA Model
System Vulnerability Assessment
System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.
Counters 1 ATT&CK