Currently viewing SPARTA v1.0. Learn more about the versioning system or see the live site.

TECHNIQUES

D3FEND

Model

D3-AI - Asset Inventory

D3-CI - Configuration Inventory

D3-DI - Data Inventory

D3-SWI - Software Inventory

D3-AVE - Asset Vulnerability Enumeration

D3-NNI - Network Node Inventory

D3-HCI - Hardware Component Inventory

D3-NM - Network Mapping

D3-LLM - Logical Link Mapping

D3-ALLM - Active Logical Link Mapping

D3-PLLM - Passive Logical Link Mapping

D3-NVA - Network Vulnerability Assessment

D3-PLM - Physical Link Mapping

D3-APLM - Active Physical Link Mapping

D3-PPLM - Passive Physical Link Mapping

D3-NTPM - Network Traffic Policy Mapping

D3-OAM - Operational Activity Mapping

D3-AM - Access Modeling

D3-ODM - Operational Dependency Mapping

D3-ORA - Operational Risk Assessment

D3-OM - Organization Mapping

D3-SYSM - System Mapping

D3-DEM - Data Exchange Mapping

D3-SVCDM - Service Dependency Mapping

D3-SYSDM - System Dependency Mapping

D3-SYSVA - System Vulnerability Assessment

Harden

D3-MH - Message Hardening

D3-MAN - Message Authentication

D3-MENCR - Message Encryption

D3-TAAN - Transfer Agent Authentication

D3-CH - Credential Hardening

D3-BAN - Biometric Authentication

D3-CBAN - Certificate-based Authentication

D3-CP - Certificate Pinning

D3-CTS - Credential Transmission Scoping

D3-DTP - Domain Trust Policy

D3-MFA - Multi-factor Authentication

D3-OTP - One-time Password

D3-SPP - Strong Password Policy

D3-UAP - User Account Permissions

D3-CRO - Credential Rotation

D3-PH - Platform Hardening

D3-BA - Bootloader Authentication

D3-DENCR - Disk Encryption

D3-DLIC - Driver Load Integrity Checking

D3-FE - File Encryption

D3-LFP - Local File Permissions

D3-RFS - RF Shielding

D3-SU - Software Update

D3-SCP - System Configuration Permissions

D3-TBI - TPM Boot Integrity

D3-AH - Application Hardening

D3-ACH - Application Configuration Hardening

D3-DCE - Dead Code Elimination

D3-EHPV - Exception Handler Pointer Validation

D3-PAN - Pointer Authentication

D3-PSEP - Process Segment Execution Prevention

D3-SAOR - Segment Address Offset Randomization

D3-SFCV - Stack Frame Canary Validation

Detect

D3-NTA - Network Traffic Analysis

D3-ANAA - Administrative Network Activity Analysis

D3-BSE - Byte Sequence Emulation

D3-CA - Certificate Analysis

D3-ACA - Active Certificate Analysis

D3-PCA - Passive Certificate Analysis

D3-CSPP - Client-server Payload Profiling

D3-CAA - Connection Attempt Analysis

D3-DNSTA - DNS Traffic Analysis

D3-FC - File Carving

D3-ISVA - Inbound Session Volume Analysis

D3-IPCTA - IPC Traffic Analysis

D3-NTCD - Network Traffic Community Deviation

D3-PHDURA - Per Host Download-Upload Ratio Analysis

D3-PMAD - Protocol Metadata Anomaly Detection

D3-RPA - Relay Pattern Analysis

D3-RTSD - Remote Terminal Session Detection

D3-RTA - RPC Traffic Analysis

D3-PM - Platform Monitoring

D3-FBA - Firmware Behavior Analysis

D3-FEMC - Firmware Embedded Monitoring Code

D3-FV - Firmware Verification

D3-PFV - Peripheral Firmware Verification

D3-SFV - System Firmware Verification

D3-OSM - Operating System Monitoring

D3-EHB - Endpoint Health Beacon

D3-IDA - Input Device Analysis

D3-MBT - Memory Boundary Tracking

D3-SJA - Scheduled Job Analysis

D3-SDM - System Daemon Monitoring

D3-SFA - System File Analysis

D3-SBV - Service Binary Verification

D3-SICA - System Init Config Analysis

D3-USICA - User Session Init Config Analysis

D3-PA - Process Analysis

D3-DQSA - Database Query String Analysis

D3-FAPA - File Access Pattern Analysis

D3-IBCA - Indirect Branch Call Analysis

D3-PCSV - Process Code Segment Verification

D3-PSMD - Process Self-Modification Detection

D3-PSA - Process Spawn Analysis

D3-PLA - Process Lineage Analysis

D3-SEA - Script Execution Analysis

D3-SSC - Shadow Stack Comparisons

D3-SCA - System Call Analysis

D3-FCA - File Creation Analysis

D3-MA - Message Analysis

D3-SMRA - Sender MTA Reputation Analysis

D3-SRA - Sender Reputation Analysis

D3-ID - Identifier Analysis

D3-HD - Homoglyph Detection

D3-UA - URL Analysis

D3-IRA - Identifier Reputation Analysis

D3-DNRA - Domain Name Reputation Analysis

D3-FHRA - File Hash Reputation Analysis

D3-IPRA - IP Reputation Analysis

D3-URA - URL Reputation Analysis

D3-IAA - Identifier Activity Analysis

D3-UBA - User Behavior Analysis

D3-ANET - Authentication Event Thresholding

D3-AZET - Authorization Event Thresholding

D3-CCSA - Credential Compromise Scope Analysis

D3-DAM - Domain Account Monitoring

D3-JFAPA - Job Function Access Pattern Analysis

D3-LAM - Local Account Monitoring

D3-RAPA - Resource Access Pattern Analysis

D3-SDA - Session Duration Analysis

D3-UDTA - User Data Transfer Analysis

D3-UGLPA - User Geolocation Logon Pattern Analysis

D3-WSAA - Web Session Activity Analysis

D3-FA - File Analysis

D3-DA - Dynamic Analysis

D3-EFA - Emulated File Analysis

D3-FCR - File Content Rules

D3-FH - File Hashing

Isolate

D3-NI - Network Isolation

D3-BDI - Broadcast Domain Isolation

D3-DNSAL - DNS Allowlisting

D3-DNSDL - DNS Denylisting

D3-FRDDL - Forward Resolution Domain Denylisting

D3-HDDL - Hierarchical Domain Denylisting

D3-HDL - Homoglyph Denylisting

D3-FRIDL - Forward Resolution IP Denylisting

D3-RRDD - Reverse Resolution Domain Denylisting

D3-RRID - Reverse Resolution IP Denylisting

D3-ET - Encrypted Tunnels

D3-NTF - Network Traffic Filtering

D3-ITF - Inbound Traffic Filtering

D3-OTF - Outbound Traffic Filtering

D3-EI - Execution Isolation

D3-EAL - Executable Allowlisting

D3-EDL - Executable Denylisting

D3-HBPI - Hardware-based Process Isolation

D3-IOPR - IO Port Restriction

D3-KBPI - Kernel-based Process Isolation

D3-MAC - Mandatory Access Control

D3-SCF - System Call Filtering

Deceive

D3-DE - Decoy Environment

D3-CHN - Connected Honeynet

D3-IHN - Integrated Honeynet

D3-SHN - Standalone Honeynet

D3-DO - Decoy Object

D3-DF - Decoy File

D3-DNR - Decoy Network Resource

D3-DP - Decoy Persona

D3-DPR - Decoy Public Release

D3-DST - Decoy Session Token

D3-DUC - Decoy User Credential

Evict

D3-FEV - File Eviction

D3-FR - File Removal

D3-ER - Email Removal

D3-CE - Credential Eviction

D3-AL - Account Locking

D3-ANCI - Authentication Cache Invalidation

D3-CR - Credential Revoking

D3-PE - Process Eviction

D3-PT - Process Termination

D3-PS - Process Suspension

User Behavior Analysis

Analysis of user behavior and patterns for the purpose of detecting unauthorized user activity.,User behavior analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns-anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

Subclasses ( 11 )

ID	Name
D3-ANET	Authentication Event Thresholding
D3-AZET	Authorization Event Thresholding
D3-CCSA	Credential Compromise Scope Analysis
D3-DAM	Domain Account Monitoring
D3-JFAPA	Job Function Access Pattern Analysis
D3-LAM	Local Account Monitoring
D3-RAPA	Resource Access Pattern Analysis
D3-SDA	Session Duration Analysis
D3-UDTA	User Data Transfer Analysis
D3-UGLPA	User Geolocation Logon Pattern Analysis
D3-WSAA	Web Session Activity Analysis

ID: D3-UBA

Subclasses: D3-ANET | D3-AZET | D3-CCSA | D3-DAM | D3-JFAPA | D3-LAM | D3-RAPA | D3-SDA | D3-UDTA | D3-UGLPA | D3-WSAA

Artifacts: Network Traffic | Credential | Authentication | Authorization | Local User Account | Domain User Account

ⓘ

Tactic: Detect

Informational References

https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis/

Countermeasures

ID		Name	Description	NIST Rev5	D3FEND	ISO 27001

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description

Space Threats Mapped

ID		Description

Sample Requirements

Requirement	Rationale/Additional Guidance/Notes