Modal Title

What Is MITRE D3FEND, and How Do You Use It?

Learn how this common language around defensive techniques eliminates ambiguity and keeps security teams on the same page.
Oct 12th, 2022 1:27pm by
Featued image for: What Is MITRE D3FEND, and How Do You Use It?

MITRE is a world-renowned research organization that aims to help build a safer world. It is probably best known in the information security industry for being the organization behind the industry-standard CVE (Common Vulnerabilities and Exposures) list. Each entry on the list is supposed to include an explanation of how the vulnerability could be exploited.

These attack vectors are tracked and defined in another well-known knowledge base called ATT&CK, which is also maintained by MITRE. While both the so-called red and blue teams (offensive and defensive security teams) rely on ATT&CK to provide a standardized language around offensive techniques, it does not do the same for defensive techniques. This is where D3FEND comes into play.

What Exactly Is MITRE D3FEND?

D3FEND, which was assembled over several years and first released in mid-2021, is a welcome addition to MITRE’s collection of resources. MITRE defines D3FEND as a “knowledge graph of cybersecurity countermeasure techniques.”

The goal is not to prescribe, prioritize or even rate the effectiveness of the countermeasures it describes, but rather, to provide a standardized language and framework for defensive techniques. In other words, it does for the blue team what the ATT&CK framework has done for the red team and offensive techniques since 2013.

The D3FEND Matrix looks a bit like the periodic table. Each record contains a definition of the countermeasure, a description of how it works, a list of considerations that must be taken into account when using the countermeasure and information about relevant types of digital artifacts.

D3FEND also provides a useful reference map that shows which countermeasures will help mitigate against various offensive techniques described in the ATT&CK knowledge base. In addition, it contains a general-purpose reference section that includes information about patents, among other things.

Why Do We Need MITRE D3FEND?

In short, the D3FEND framework provides standardized terminology that members of the blue team can use among themselves and with their vendors to ensure that everyone is talking about the same technique. Previously, different vendors would use slightly different terminology or rely on the ATT&CK framework as their point of reference. But while the ATT&CK framework is great for some parts of a security organization, it’s not universal. That’s why D3FEND is important: It gives everyone a common language around defensive techniques that eliminates ambiguity.

Security relies on specifics more than most areas of the information technology world, which can make it feel very pedantic. There are no gray areas in security — you are either vulnerable, or you are not. When you ask someone if a vulnerability applies, for example, or if a countermeasure is in place, “it depends” is not what you want to hear. That’s because “it depends” really means that there is a possibility that you are vulnerable — (or, at the very least, it creates some uncertainty about your security status). The precise terminology introduced by D3FEND provides the clarity and certainty that are critical to the blue team’s world.

Next Steps: Embed D3FEND into Your Security Processes

The next step is to start leveraging the data that MITRE D3FEND brings to the table by enhancing your security processes and procedures, especially by using utilizing security automation solutions.

You could apply this to many different use cases, but probably the easiest way to take advantage of it is to enhance any CVE notification workflows that you have in place. Whether a CVE comes in from a vendor or is identified in an in-house application by an SCA or SAST tool, the attack vectors are included in the CVE data (found on sites like NVD). These attack vectors, particularly when combined with the descriptions, can be used to identify potential countermeasures. You can then include links to the appropriate D3FEND countermeasures in the messages that go to the support and maintenance team for that application. This extra data will allow the team to make more timely decisions, which will in turn increase how fast they can mitigate any risk introduced by the CVE.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Torq.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.