Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.
Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.
Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.
Software inventorying identifies and records the software items in the organization's architecture.
Asset Vulnerability Enumeration
Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.
Network Node Inventory
Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.
Hardware Component Inventory
Hardware component inventorying identifies and records the hardware items in the organization's architecture.
Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.
Logical Link Mapping
Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.
Active Logical Link Mapping
Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection
Passive Logical Link Mapping
Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.
Network Vulnerability Assessment
Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.
Physical Link Mapping
Physical link mapping identifies and models the link connectivity of the network devices within a physical network.
Active Physical Link Mapping
Active physical link mapping sends and receives network traffic as a means to map the physical layer.
Passive Physical Link Mapping
Passive physical link mapping only listens to network traffic as a means to map the physical layer.
Network Traffic Policy Mapping
Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels.
Operational Activity Mapping
Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.,Identifying staff and organizational structure is part of operational activity mapping. One inventories assets; people are *not* assets, but are resources. Grasping operations and activities (missions) and mapping them to people is (notionally) last phase of modeling architecture.
Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.
Operational Dependency Mapping
Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.
Operational Risk Assessment
Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.
Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.
System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.
Data Exchange Mapping
Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.
Service Dependency Mapping
Service dependency mapping determines the services on which each given service relies.
System Dependency Mapping
System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.
System Vulnerability Assessment
System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.
Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.
Authenticating the sender of a message and ensuring message integrity.
Encrypting a message body using a cryptographic key.
Transfer Agent Authentication
Validating that server components of a messaging infrastructure are authorized to send a particular message.
Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
Using biological measures in order to authenticate a user.
Requiring a digital certificate in order to authenticate a user.
Persisting either a server's X509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.
Credential Transmission Scoping
Limiting the transmission of a credential to a scoped set of relying parties.
Domain Trust Policy
Restricting inter-domain trust by modifying domain configuration.
Requiring proof of two or more pieces of evidence in order to authenticate a user.
A one-time password is valid for only one user authentication.
Strong Password Policy
Modifying system configuration to increase password strength.
User Account Permissions
Restricting a user account's access to resources.
Expiring an existing set of credentials and reissuing a new valid set
Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms includes components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components
Cryptographically authenticating the bootloader software before system boot.
Encrypting a hard disk partition to prevent cleartext access to a file system.
Driver Load Integrity Checking
Ensuring the integrity of drivers loaded during initialization of the operating system.
Encrypting a file using a cryptographic key.
Local File Permissions
Restricting access to a local file by configuring operating system functionality.
Adding physical barriers to a platform to prevent undesired radio interference.
Replacing old software on a computer system component.
System Configuration Permissions
Restricting system configuration modifications to a specific user or group of users.
TPM Boot Integrity
Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).
Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
Application Configuration Hardening
Modifying an application's configuration to reduce its attack surface.
Dead Code Elimination
Removing unreachable or "dead code" from compiled source code.
Exception Handler Pointer Validation
Validates that a referenced exception handler pointer is a valid exception handler.
Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
Process Segment Execution Prevention
Preventing execution of any address in a memory region other than the code segment.
Segment Address Offset Randomization
Randomizing the base (start) address of one or more segments of memory during the initialization of a process.
Stack Frame Canary Validation
Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.
Network Traffic Analysis
Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
Administrative Network Activity Analysis
Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
Byte Sequence Emulation
Analyzing sequences of bytes and determining if they likely represent malicious shellcode.
Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.
Active Certificate Analysis
Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.
Passive Certificate Analysis
['Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.', 'Passively collecting certificates and analyzing them.']
Client-server Payload Profiling
Comparing client-server request and response payloads to a baseline profile to identify outliers.
Connection Attempt Analysis
Analyzing failed connections in a network to detect unauthorized activity.
DNS Traffic Analysis
Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.
Identifying and extracting files from network application protocols through the use of network stream reassembly software.
Inbound Session Volume Analysis
Analyzing inbound network session or connection attempt volume.
IPC Traffic Analysis
Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.
Network Traffic Community Deviation
Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
Per Host Download-Upload Ratio Analysis
Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.
Protocol Metadata Anomaly Detection
Collecting network communication protocol metadata and identifying statistical outliers.
Relay Pattern Analysis
The detection of an internal host relaying traffic between the internal network and the external network.
Remote Terminal Session Detection
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
RPC Traffic Analysis
Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
Monitoring platform components such as operating systems software, hardware devices, or firmware.
Firmware Behavior Analysis
Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.
Firmware Embedded Monitoring Code
Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.
Cryptographically verifying firmware integrity.
Peripheral Firmware Verification
Cryptographically verifying peripheral firmware integrity.
System Firmware Verification
Cryptographically verifying installed system firmware integrity.
Operating System Monitoring
The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.
Endpoint Health Beacon
Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
Input Device Analysis
Operating system level mechanisms to prevent abusive input device exploitation.
Memory Boundary Tracking
Analyzing a call stack for return addresses which point to unexpected memory locations.
Scheduled Job Analysis
Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.
System Daemon Monitoring
Tracking changes to the state or configuration of critical system level processes.
System File Analysis
Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
Service Binary Verification
Analyzing changes in service binary files by comparing to a source of truth.
System Init Config Analysis
Analysis of any system process startup configuration.
User Session Init Config Analysis
Analyzing modifications to user session config files such as .bashrc or .bash_profile.
Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
Database Query String Analysis
Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).
File Access Pattern Analysis
Analyzing the files accessed by a process to identify unauthorized activity.
Indirect Branch Call Analysis
Analyzing vendor specific branch call recording in order to detect ROP style attacks.
Process Code Segment Verification
Comparing the "text" or "code" memory segments to a source of truth.
Process Self-Modification Detection
Detects processes that modify, change, or replace their own code at runtime.
Process Spawn Analysis
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
Process Lineage Analysis
Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
Script Execution Analysis
Analyzing the execution of a script to detect unauthorized user activity.
Shadow Stack Comparisons
Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.
System Call Analysis
Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.
File Creation Analysis
Analyzing the properties of file create system call invocations.
Analyzing email or instant message content to detect unauthorized activity.
Sender MTA Reputation Analysis
Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.
Sender Reputation Analysis
Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).
Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.
Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.
Determining if a URL is benign or malicious by analyzing the URL or its components.
Identifier Reputation Analysis
Analyzing the reputation of an identifier.
Domain Name Reputation Analysis
Analyzing the reputation of a domain name.
File Hash Reputation Analysis
Analyzing the reputation of a file hash.
IP Reputation Analysis
Analyzing the reputation of an IP address.
URL Reputation Analysis
Analyzing the reputation of a URL.
Identifier Activity Analysis
Taking known malicious identifiers and determining if they are present in a system.
User Behavior Analysis
Analysis of user behavior and patterns for the purpose of detecting unauthorized user activity.,User behavior analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns-anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
Authentication Event Thresholding
Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
Authorization Event Thresholding
Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.
Credential Compromise Scope Analysis
Determining which credentials may have been compromised by analyzing the user logon history of a particular system.
Domain Account Monitoring
Monitoring the existence of or changes to Domain User Accounts.
Job Function Access Pattern Analysis
Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.
Local Account Monitoring
Analyzing local user accounts to detect unauthorized activity.
Resource Access Pattern Analysis
Analyzing the resources accessed by a user to identify unauthorized activity.
Session Duration Analysis
Analyzing the duration of user sessions in order to detect unauthorized activity.
User Data Transfer Analysis
Analyzing the amount of data transferred by a user.
User Geolocation Logon Pattern Analysis
Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
Web Session Activity Analysis
Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.
File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.
Emulated File Analysis
Emulating instructions in a file looking for specific patterns.
File Content Rules
Employing a pattern matching rule language to analyze files.
Employing file hash comparisons to detect known malware.
Network Isolation techniques prevent network hosts from accessing non-essential system network resources.
Broadcast Domain Isolation
Broadcast isolation restricts the number of computers a host can contact on their LAN.
Permitting only approved domains and their subdomains to be resolved.
Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.
Forward Resolution Domain Denylisting
Blocking a lookup based on the query's domain name value.
Hierarchical Domain Denylisting
Blocking the resolution of any subdomain of a specified domain name.
Blocking DNS queries that are deceptively similar to legitimate domain names.
Forward Resolution IP Denylisting
Blocking a DNS lookup's answer's IP address value.
Reverse Resolution Domain Denylisting
Blocking a reverse DNS lookup's answer's domain name value.
Reverse Resolution IP Denylisting
Blocking a reverse lookup based on the query's IP address value.
Encrypted encapsulation of routable network traffic.
Network Traffic Filtering
Restricting network traffic originating from any location.
Inbound Traffic Filtering
Restricting network traffic originating from untrusted networks destined towards a private host or enclave.
Outbound Traffic Filtering
Restricting network traffic originating from a private host or enclave destined towards untrusted networks.
Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
Using a digital signature to authenticate a file before opening.
Blocking the execution of files on a host in accordance with defined application policy rules.
Hardware-based Process Isolation
Preventing one process from writing to the memory space of another process through hardware based address manager implementations.
IO Port Restriction
Limiting access to computer input/output (IO) ports to restrict unauthorized devices.
Kernel-based Process Isolation
Using kernel-level capabilities to isolate processes.
Mandatory Access Control
Controlling access to local computer system resources with kernel-level capabilities.
System Call Filtering
Configuring a kernel to use an allow or deny list to filter kernel api calls.
A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.
A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.
The practice of setting decoys in a production environment to entice interaction from attackers.
An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.
A Decoy Object is created and deployed for the purposes of deceiving attackers.
A file created for the purposes of deceiving an adversary.
Decoy Network Resource
Deploying a network resource for the purposes of deceiving an adversary.
Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.
Decoy Public Release
Issuing publicly released media to deceive adversaries.
Decoy Session Token
An authentication token created for the purposes of deceiving an adversary.
Decoy User Credential
A Credential created for the purpose of deceiving an adversary.
File eviction techniques evict files from system storage.
The file removal technique deletes malicious artifacts or programs from a computer system.
The email removal technique deletes email files from system storage.
Credential Eviction techniques disable or remove compromised credentials from a computer network.
The process of temporarily disabling user accounts on a system or domain.
Authentication Cache Invalidation
Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.
Deleting a set of credentials permanently to prevent them from being used to authenticate.
Process eviction techniques terminate or remove running process.
Terminating a running application process on a computer system.
Suspending a running process on a computer system.