D3FEND Techniques

MITRE published the Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) in 2021 and defines it as a “knowledge graph of cybersecurity countermeasure techniques.” Like SPARTA, D3FEND catalogs cyber countermeasures: the actions a defender takes to improve its defensive posture. D3FEND does not prescribe how a countermeasure must be implemented; its goal is to provide a shared lexicon and structure for defensive techniques. As in other frameworks (e.g., ATT&CK and SPARTA), each entry in the D3FEND Matrix carries a definition of the countermeasure, how it works, considerations for using it, and the types of digital artifacts it relates to.

D3FEND provides its own reference showing which of its countermeasures help mitigate particular ATT&CK techniques (the link is made through the digital artifacts both frameworks reference). In the same spirit, SPARTA maps D3FEND techniques and artifacts to the relevant SPARTA countermeasures, so that a SPARTA user can move between the two vocabularies when selecting countermeasures and courses of action (COAs). SPARTA’s countermeasures are currently written at varying levels of abstraction; mapping them to NIST SP 800-53, ISO 27001, and now D3FEND gives SPARTA users additional context and data for improving the cyber defenses of space systems.

ID Name Description
D3-AI Asset Inventory
D3-CI Configuration Inventory
D3-DI Data Inventory
D3-SWI Software Inventory
D3-AVE Asset Vulnerability Enumeration
D3-NNI Network Node Inventory
D3-HCI Hardware Component Inventory
D3-NM Network Mapping
D3-LLM Logical Link Mapping
D3-ALLM Active Logical Link Mapping
D3-PLLM Passive Logical Link Mapping
D3-NVA Network Vulnerability Assessment
D3-PLM Physical Link Mapping
D3-APLM Active Physical Link Mapping
D3-PPLM Passive Physical Link Mapping
D3-NTPM Network Traffic Policy Mapping
D3-OAM Operational Activity Mapping
D3-AM Access Modeling
D3-ODM Operational Dependency Mapping
D3-ORA Operational Risk Assessment
D3-OM Organization Mapping
D3-SYSM System Mapping
D3-DEM Data Exchange Mapping
D3-SVCDM Service Dependency Mapping
D3-SYSDM System Dependency Mapping
D3-SYSVA System Vulnerability Assessment
D3-MH Message Hardening
D3-MAN Message Authentication
D3-MENCR Message Encryption
D3-TAAN Transfer Agent Authentication
D3-CH Credential Hardening
D3-BAN Biometric Authentication
D3-CBAN Certificate-based Authentication
D3-CP Certificate Pinning
D3-CTS Credential Transmission Scoping
D3-DTP Domain Trust Policy
D3-MFA Multi-factor Authentication
D3-OTP One-time Password
D3-SPP Strong Password Policy
D3-UAP User Account Permissions
D3-CRO Credential Rotation
D3-PH Platform Hardening
D3-BA Bootloader Authentication
D3-DENCR Disk Encryption
D3-DLIC Driver Load Integrity Checking
D3-FE File Encryption
D3-LFP Local File Permissions
D3-RFS RF Shielding
D3-SU Software Update
D3-SCP System Configuration Permissions
D3-TBI TPM Boot Integrity
D3-AH Application Hardening
D3-ACH Application Configuration Hardening
D3-DCE Dead Code Elimination
D3-EHPV Exception Handler Pointer Validation
D3-PAN Pointer Authentication
D3-PSEP Process Segment Execution Prevention
D3-SAOR Segment Address Offset Randomization
D3-SFCV Stack Frame Canary Validation
D3-NTA Network Traffic Analysis
D3-ANAA Administrative Network Activity Analysis
D3-BSE Byte Sequence Emulation
D3-CA Certificate Analysis
D3-ACA Active Certificate Analysis
D3-PCA Passive Certificate Analysis
D3-CSPP Client-server Payload Profiling
D3-CAA Connection Attempt Analysis
D3-DNSTA DNS Traffic Analysis
D3-FC File Carving
D3-ISVA Inbound Session Volume Analysis
D3-IPCTA IPC Traffic Analysis
D3-NTCD Network Traffic Community Deviation
D3-PHDURA Per Host Download-Upload Ratio Analysis
D3-PMAD Protocol Metadata Anomaly Detection
D3-RPA Relay Pattern Analysis
D3-RTSD Remote Terminal Session Detection
D3-RTA RPC Traffic Analysis
D3-PM Platform Monitoring
D3-FBA Firmware Behavior Analysis
D3-FEMC Firmware Embedded Monitoring Code
D3-FV Firmware Verification
D3-PFV Peripheral Firmware Verification
D3-SFV System Firmware Verification
D3-OSM Operating System Monitoring
D3-EHB Endpoint Health Beacon
D3-IDA Input Device Analysis
D3-MBT Memory Boundary Tracking
D3-SJA Scheduled Job Analysis
D3-SDM System Daemon Monitoring
D3-SFA System File Analysis
D3-SBV Service Binary Verification
D3-SICA System Init Config Analysis
D3-USICA User Session Init Config Analysis
D3-PA Process Analysis
D3-DQSA Database Query String Analysis
D3-FAPA File Access Pattern Analysis
D3-IBCA Indirect Branch Call Analysis
D3-PCSV Process Code Segment Verification
D3-PSMD Process Self-Modification Detection
D3-PSA Process Spawn Analysis
D3-PLA Process Lineage Analysis
D3-SEA Script Execution Analysis
D3-SSC Shadow Stack Comparisons
D3-SCA System Call Analysis
D3-FCA File Creation Analysis
D3-MA Message Analysis
D3-SMRA Sender MTA Reputation Analysis
D3-SRA Sender Reputation Analysis
D3-ID Identifier Analysis
D3-HD Homoglyph Detection
D3-UA URL Analysis
D3-IRA Identifier Reputation Analysis
D3-DNRA Domain Name Reputation Analysis
D3-FHRA File Hash Reputation Analysis
D3-IPRA IP Reputation Analysis
D3-URA URL Reputation Analysis
D3-IAA Identifier Activity Analysis
D3-UBA User Behavior Analysis
D3-ANET Authentication Event Thresholding
D3-AZET Authorization Event Thresholding
D3-CCSA Credential Compromise Scope Analysis
D3-DAM Domain Account Monitoring
D3-JFAPA Job Function Access Pattern Analysis
D3-LAM Local Account Monitoring
D3-RAPA Resource Access Pattern Analysis
D3-SDA Session Duration Analysis
D3-UDTA User Data Transfer Analysis
D3-UGLPA User Geolocation Logon Pattern Analysis
D3-WSAA Web Session Activity Analysis
D3-FA File Analysis
D3-DA Dynamic Analysis
D3-EFA Emulated File Analysis
D3-FCR File Content Rules
D3-FH File Hashing
D3-NI Network Isolation
D3-BDI Broadcast Domain Isolation
D3-DNSAL DNS Allowlisting
D3-DNSDL DNS Denylisting
D3-FRDDL Forward Resolution Domain Denylisting
D3-HDDL Hierarchical Domain Denylisting
D3-HDL Homoglyph Denylisting
D3-FRIDL Forward Resolution IP Denylisting
D3-RRDD Reverse Resolution Domain Denylisting
D3-RRID Reverse Resolution IP Denylisting
D3-ET Encrypted Tunnels
D3-NTF Network Traffic Filtering
D3-ITF Inbound Traffic Filtering
D3-OTF Outbound Traffic Filtering
D3-EI Execution Isolation
D3-EAL Executable Allowlisting
D3-EDL Executable Denylisting
D3-HBPI Hardware-based Process Isolation
D3-IOPR IO Port Restriction
D3-KBPI Kernel-based Process Isolation
D3-MAC Mandatory Access Control
D3-SCF System Call Filtering
D3-DE Decoy Environment
D3-CHN Connected Honeynet
D3-IHN Integrated Honeynet
D3-SHN Standalone Honeynet
D3-DO Decoy Object
D3-DF Decoy File
D3-DNR Decoy Network Resource
D3-DP Decoy Persona
D3-DPR Decoy Public Release
D3-DST Decoy Session Token
D3-DUC Decoy User Credential
D3-FEV File Eviction
D3-FR File Removal
D3-ER Email Removal
D3-CE Credential Eviction
D3-AL Account Locking
D3-ANCI Authentication Cache Invalidation
D3-CR Credential Revoking
D3-PE Process Eviction
D3-PT Process Termination
D3-PS Process Suspension
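As an added example (not part of the SPARTA page and not SPARTA’s or D3FEND’s own code), the Python script below parses a subset of the D3FEND rows above into a catalog and cross-checks a SPARTA-countermeasure-to-D3FEND mapping against it, reporting D3FEND techniques that no countermeasure covers and mapping rows that reference D3FEND IDs absent from the catalog. The mapping rows are constructed for illustration: the CM#### identifiers are assumed to follow SPARTA’s countermeasure ID format, the names and pairings are not SPARTA’s published mapping, and D3-SCX is a deliberate bad reference to show the integrity check firing.

```python
"""Gap analysis between a D3FEND technique catalog and a SPARTA-to-D3FEND
countermeasure mapping.

Added example. The D3FEND rows are a subset copied from the page's list; the
SPARTA mapping rows are constructed for illustration and are NOT SPARTA's
published mapping.
"""
import csv
import io
import re
from collections import defaultdict

# Subset of the D3FEND list above, in the page's "ID Name" row form.
D3FEND_ROWS = """\
D3-AI Asset Inventory
D3-SWI Software Inventory
D3-MAN Message Authentication
D3-MENCR Message Encryption
D3-BA Bootloader Authentication
D3-TBI TPM Boot Integrity
D3-EAL Executable Allowlisting
D3-SCF System Call Filtering
D3-RFS RF Shielding
"""

# Constructed mapping (assumption: SPARTA countermeasure IDs use the CM####
# form; the names and pairings are illustrative only). One row per
# countermeasure, D3FEND IDs separated by ';'. D3-SCX is a deliberate bad
# reference so the dangling-ID check has something to report.
SPARTA_MAPPING_CSV = """\
sparta_id,sparta_name,d3fend_ids
CM0001,Encrypt command and telemetry links,D3-MENCR;D3-MAN
CM0002,Secure boot on flight software,D3-BA;D3-TBI
CM0003,Restrict executable code on flight computer,D3-EAL;D3-SCX
CM0004,Maintain flight software inventory,D3-SWI;D3-AI
"""

# D3FEND technique IDs are "D3-" followed by an uppercase abbreviation.
D3FEND_ROW = re.compile(r"^(D3-[A-Z]+)\s+(.+?)\s*$")


def parse_d3fend_rows(text):
    """Parse 'ID Name' rows into {id: name}; reject malformed or duplicate IDs."""
    catalog = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = D3FEND_ROW.match(line)
        if not m:
            raise ValueError(f"malformed D3FEND row: {line!r}")
        tid, name = m.groups()
        if tid in catalog:
            raise ValueError(f"duplicate D3FEND id: {tid}")
        catalog[tid] = name
    return catalog


def parse_sparta_mapping(csv_text):
    """Parse the mapping CSV into {sparta_id: set(d3fend_ids)}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = {t.strip() for t in row["d3fend_ids"].split(";") if t.strip()}
        mapping[row["sparta_id"]] = ids
    return mapping


def coverage_report(catalog, mapping):
    """Cross-check the two catalogs.

    unmapped     - D3FEND techniques that no SPARTA countermeasure points at
    dangling     - {sparta_id: [D3FEND ids not in the catalog]}: typos, or IDs
                   from a newer D3FEND release than the catalog was built from
    by_technique - reverse index {d3fend_id: sorted sparta_ids}
    """
    by_technique = defaultdict(set)
    dangling = {}
    for cm_id, tids in mapping.items():
        bad = sorted(t for t in tids if t not in catalog)
        if bad:
            dangling[cm_id] = bad
        for t in tids:
            if t in catalog:
                by_technique[t].add(cm_id)
    unmapped = sorted(t for t in catalog if t not in by_technique)
    return {
        "unmapped": unmapped,
        "dangling": dangling,
        "by_technique": {t: sorted(v) for t, v in by_technique.items()},
    }


if __name__ == "__main__":
    report = coverage_report(parse_d3fend_rows(D3FEND_ROWS),
                             parse_sparta_mapping(SPARTA_MAPPING_CSV))
    for tid in report["unmapped"]:
        print(f"no SPARTA countermeasure maps to {tid}")
    for cm_id, bad in report["dangling"].items():
        print(f"{cm_id} references unknown D3FEND id(s): {', '.join(bad)}")
```

On the constructed data this flags D3-RFS and D3-SCF as uncovered and CM0003 as referencing the unknown D3-SCX. Run against the full list above and a real mapping export, the same two checks catch stale identifiers after a D3FEND release and point out where a countermeasure catalog has no defensive technique behind it.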