D3-AI
Asset Inventory
Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.
D3-CI
Configuration Inventory
Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.
D3-DI
Data Inventory
Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.
D3-SWI
Software Inventory
Software inventorying identifies and records the software items in the organization's architecture.
D3-AVE
Asset Vulnerability Enumeration
Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.
D3-NNI
Network Node Inventory
Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.
D3-HCI
Hardware Component Inventory
Hardware component inventorying identifies and records the hardware items in the organization's architecture.
D3-NM
Network Mapping
Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.
D3-LLM
Logical Link Mapping
Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.
D3-ALLM
Active Logical Link Mapping
Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections.
D3-PLLM
Passive Logical Link Mapping
Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections.
D3-NVA
Network Vulnerability Assessment
Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.
D3-PLM
Physical Link Mapping
Physical link mapping identifies and models the link connectivity of the network devices within a physical network.
D3-APLM
Active Physical Link Mapping
Active physical link mapping sends and receives network traffic as a means to map the physical layer.
D3-PPLM
Passive Physical Link Mapping
Passive physical link mapping only listens to network traffic as a means to map the physical layer.
D3-NTPM
Network Traffic Policy Mapping
Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.
D3-OAM
Operational Activity Mapping
Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities, and then establishes the dependencies of the activities on the systems and people that perform those activities. Identifying staff and organizational structure is part of operational activity mapping. One inventories assets; people are *not* assets, but are resources. Grasping operations and activities (missions) and mapping them to people is (notionally) the last phase of modeling architecture.
D3-AM
Access Modeling
Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.
D3-ODM
Operational Dependency Mapping
Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services). This may include modeling the higher- and lower-level activities of an organization, forming a hierarchy, or layering, of the dependencies in an organization's activities.
D3-ORA
Operational Risk Assessment
Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.
D3-OM
Organization Mapping
Organization mapping identifies and models the people, roles, and groups within an organization and the relations between them.
D3-SYSM
System Mapping
System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.
D3-DEM
Data Exchange Mapping
Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.
D3-SVCDM
Service Dependency Mapping
Service dependency mapping determines the services on which each given service relies.
D3-SYSDM
System Dependency Mapping
System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.
D3-SYSVA
System Vulnerability Assessment
System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.
D3-MH
Message Hardening
Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.
D3-MAN
Message Authentication
Authenticating the sender of a message and ensuring message integrity.
D3-MENCR
Message Encryption
Encrypting a message body using a cryptographic key.
D3-TAAN
Transfer Agent Authentication
Validating that server components of a messaging infrastructure are authorized to send a particular message.
D3-CH
Credential Hardening
Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
D3-BAN
Biometric Authentication
Using biological measures in order to authenticate a user.
D3-CBAN
Certificate-based Authentication
Requiring a digital certificate in order to authenticate a user.
D3-CP
Certificate Pinning
Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity, to allow for greater client confidence in the remote server's identity for SSL connections.
D3-CTS
Credential Transmission Scoping
Limiting the transmission of a credential to a scoped set of relying parties.
D3-DTP
Domain Trust Policy
Restricting inter-domain trust by modifying domain configuration.
D3-MFA
Multi-factor Authentication
Requiring proof of two or more pieces of evidence in order to authenticate a user.
D3-OTP
One-time Password
A one-time password is valid for only one user authentication.
D3-SPP
Strong Password Policy
Modifying system configuration to increase password strength.
D3-UAP
User Account Permissions
Restricting a user account's access to resources.
D3-CRO
Credential Rotation
Expiring an existing set of credentials and reissuing a new valid set.
D3-PH
Platform Hardening
Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as:
* BIOS UEFI Subsystems
* Hardware security devices such as Trusted Platform Modules
* Boot process logic or code
* Kernel software components
D3-BA
Bootloader Authentication
Cryptographically authenticating the bootloader software before system boot.
D3-DENCR
Disk Encryption
Encrypting a hard disk partition to prevent cleartext access to a file system.
D3-DLIC
Driver Load Integrity Checking
Ensuring the integrity of drivers loaded during initialization of the operating system.
D3-FE
File Encryption
Encrypting a file using a cryptographic key.
D3-LFP
Local File Permissions
Restricting access to a local file by configuring operating system functionality.
D3-RFS
RF Shielding
Adding physical barriers to a platform to prevent undesired radio interference.
D3-SU
Software Update
Replacing old software on a computer system component.
D3-SCP
System Configuration Permissions
Restricting system configuration modifications to a specific user or group of users.
D3-TBI
TPM Boot Integrity
Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).
D3-AH
Application Hardening
Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
D3-ACH
Application Configuration Hardening
Modifying an application's configuration to reduce its attack surface.
D3-DCE
Dead Code Elimination
Removing unreachable or "dead code" from compiled source code.
D3-EHPV
Exception Handler Pointer Validation
Validates that a referenced exception handler pointer is a valid exception handler.
D3-PAN
Pointer Authentication
Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
D3-PSEP
Process Segment Execution Prevention
Preventing execution of any address in a memory region other than the code segment.
D3-SAOR
Segment Address Offset Randomization
Randomizing the base (start) address of one or more segments of memory during the initialization of a process.
D3-SFCV
Stack Frame Canary Validation
Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.
D3-NTA
Network Traffic Analysis
Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
D3-ANAA
Administrative Network Activity Analysis
Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
D3-BSE
Byte Sequence Emulation
Analyzing sequences of bytes and determining if they likely represent malicious shellcode.
D3-CA
Certificate Analysis
Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.
D3-ACA
Active Certificate Analysis
Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.
D3-PCA
Passive Certificate Analysis
Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.
D3-CSPP
Client-server Payload Profiling
Comparing client-server request and response payloads to a baseline profile to identify outliers.
D3-CAA
Connection Attempt Analysis
Analyzing failed connections in a network to detect unauthorized activity.
D3-DNSTA
DNS Traffic Analysis
Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.
D3-FC
File Carving
Identifying and extracting files from network application protocols through the use of network stream reassembly software.
D3-ISVA
Inbound Session Volume Analysis
Analyzing inbound network session or connection attempt volume.
D3-IPCTA
IPC Traffic Analysis
Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.
D3-NTCD
Network Traffic Community Deviation
Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
D3-PHDURA
Per Host Download-Upload Ratio Analysis
Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.
D3-PMAD
Protocol Metadata Anomaly Detection
Collecting network communication protocol metadata and identifying statistical outliers.
D3-RPA
Relay Pattern Analysis
The detection of an internal host relaying traffic between the internal network and the external network.
D3-RTSD
Remote Terminal Session Detection
Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
D3-RTA
RPC Traffic Analysis
Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
D3-PM
Platform Monitoring
Monitoring platform components such as operating systems software, hardware devices, or firmware.
D3-FBA
Firmware Behavior Analysis
Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.
D3-FEMC
Firmware Embedded Monitoring Code
Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.
D3-FV
Firmware Verification
Cryptographically verifying firmware integrity.
D3-PFV
Peripheral Firmware Verification
Cryptographically verifying peripheral firmware integrity.
D3-SFV
System Firmware Verification
Cryptographically verifying installed system firmware integrity.
D3-OSM
Operating System Monitoring
The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**.
D3-EHB
Endpoint Health Beacon
Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
D3-IDA
Input Device Analysis
Operating system level mechanisms to prevent abusive input device exploitation.
D3-MBT
Memory Boundary Tracking
Analyzing a call stack for return addresses which point to unexpected memory locations.
D3-SJA
Scheduled Job Analysis
Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.
D3-SDM
System Daemon Monitoring
Tracking changes to the state or configuration of critical system level processes.
D3-SFA
System File Analysis
Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
D3-SBV
Service Binary Verification
Analyzing changes in service binary files by comparing to a source of truth.
D3-SICA
System Init Config Analysis
Analysis of any system process startup configuration.
D3-USICA
User Session Init Config Analysis
Analyzing modifications to user session config files such as .bashrc or .bash_profile.
D3-PA
Process Analysis
Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
D3-DQSA
Database Query String Analysis
Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).
D3-FAPA
File Access Pattern Analysis
Analyzing the files accessed by a process to identify unauthorized activity.
D3-IBCA
Indirect Branch Call Analysis
Analyzing vendor specific branch call recording in order to detect ROP style attacks.
D3-PCSV
Process Code Segment Verification
Comparing the "text" or "code" memory segments to a source of truth.
D3-PSMD
Process Self-Modification Detection
Detects processes that modify, change, or replace their own code at runtime.
D3-PSA
Process Spawn Analysis
Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
D3-PLA
Process Lineage Analysis
Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
D3-SEA
Script Execution Analysis
Analyzing the execution of a script to detect unauthorized user activity.
D3-SSC
Shadow Stack Comparisons
Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.
D3-SCA
System Call Analysis
Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.
D3-FCA
File Creation Analysis
Analyzing the properties of file create system call invocations.
D3-MA
Message Analysis
Analyzing email or instant message content to detect unauthorized activity.
D3-SMRA
Sender MTA Reputation Analysis
Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.
D3-SRA
Sender Reputation Analysis
Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).
D3-ID
Identifier Analysis
Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.
D3-HD
Homoglyph Detection
Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.
D3-UA
URL Analysis
Determining if a URL is benign or malicious by analyzing the URL or its components.
D3-IRA
Identifier Reputation Analysis
Analyzing the reputation of an identifier.
D3-DNRA
Domain Name Reputation Analysis
Analyzing the reputation of a domain name.
D3-FHRA
File Hash Reputation Analysis
Analyzing the reputation of a file hash.
D3-IPRA
IP Reputation Analysis
Analyzing the reputation of an IP address.
D3-URA
URL Reputation Analysis
Analyzing the reputation of a URL.
D3-IAA
Identifier Activity Analysis
Taking known malicious identifiers and determining if they are present in a system.
D3-UBA
User Behavior Analysis
Analysis of user behavior and patterns for the purpose of detecting unauthorized user activity. User behavior analytics ("UBA"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns, anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
D3-ANET
Authentication Event Thresholding
Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
D3-AZET
Authorization Event Thresholding
Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.
D3-CCSA
Credential Compromise Scope Analysis
Determining which credentials may have been compromised by analyzing the user logon history of a particular system.
D3-DAM
Domain Account Monitoring
Monitoring the existence of or changes to Domain User Accounts.
D3-JFAPA
Job Function Access Pattern Analysis
Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.
D3-LAM
Local Account Monitoring
Analyzing local user accounts to detect unauthorized activity.
D3-RAPA
Resource Access Pattern Analysis
Analyzing the resources accessed by a user to identify unauthorized activity.
D3-SDA
Session Duration Analysis
Analyzing the duration of user sessions in order to detect unauthorized activity.
D3-UDTA
User Data Transfer Analysis
Analyzing the amount of data transferred by a user.
D3-UGLPA
User Geolocation Logon Pattern Analysis
Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
D3-WSAA
Web Session Activity Analysis
Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.
D3-FA
File Analysis
File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
D3-DA
Dynamic Analysis
Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.
D3-EFA
Emulated File Analysis
Emulating instructions in a file looking for specific patterns.
D3-FCR
File Content Rules
Employing a pattern matching rule language to analyze files.
D3-FH
File Hashing
Employing file hash comparisons to detect known malware.
D3-NI
Network Isolation
Network Isolation techniques prevent network hosts from accessing non-essential system network resources.
D3-BDI
Broadcast Domain Isolation
Broadcast isolation restricts the number of computers a host can contact on their LAN.
D3-DNSAL
DNS Allowlisting
Permitting only approved domains and their subdomains to be resolved.
D3-DNSDL
DNS Denylisting
Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.
D3-FRDDL
Forward Resolution Domain Denylisting
Blocking a lookup based on the query's domain name value.
D3-HDDL
Hierarchical Domain Denylisting
Blocking the resolution of any subdomain of a specified domain name.
D3-HDL
Homoglyph Denylisting
Blocking DNS queries that are deceptively similar to legitimate domain names.
D3-FRIDL
Forward Resolution IP Denylisting
Blocking a DNS lookup's answer's IP address value.
D3-RRDD
Reverse Resolution Domain Denylisting
Blocking a reverse DNS lookup's answer's domain name value.
D3-RRID
Reverse Resolution IP Denylisting
Blocking a reverse lookup based on the query's IP address value.
D3-ET
Encrypted Tunnels
Encrypted encapsulation of routable network traffic.
D3-NTF
Network Traffic Filtering
Restricting network traffic originating from any location.
D3-ITF
Inbound Traffic Filtering
Restricting network traffic originating from untrusted networks destined towards a private host or enclave.
D3-OTF
Outbound Traffic Filtering
Restricting network traffic originating from a private host or enclave destined towards untrusted networks.
D3-EI
Execution Isolation
Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
D3-EAL
Executable Allowlisting
Using a digital signature to authenticate a file before opening.
D3-EDL
Executable Denylisting
Blocking the execution of files on a host in accordance with defined application policy rules.
D3-HBPI
Hardware-based Process Isolation
Preventing one process from writing to the memory space of another process through hardware based address manager implementations.
D3-IOPR
IO Port Restriction
Limiting access to computer input/output (IO) ports to restrict unauthorized devices.
D3-KBPI
Kernel-based Process Isolation
Using kernel-level capabilities to isolate processes.
D3-MAC
Mandatory Access Control
Controlling access to local computer system resources with kernel-level capabilities.
D3-SCF
System Call Filtering
Configuring a kernel to use an allow or deny list to filter kernel API calls.
D3-DE
Decoy Environment
A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.
D3-CHN
Connected Honeynet
A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.
D3-IHN
Integrated Honeynet
The practice of setting decoys in a production environment to entice interaction from attackers.
D3-SHN
Standalone Honeynet
An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.
D3-DO
Decoy Object
A Decoy Object is created and deployed for the purposes of deceiving attackers.
D3-DF
Decoy File
A file created for the purposes of deceiving an adversary.
D3-DNR
Decoy Network Resource
Deploying a network resource for the purposes of deceiving an adversary.
D3-DP
Decoy Persona
Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.
D3-DPR
Decoy Public Release
Issuing publicly released media to deceive adversaries.
D3-DST
Decoy Session Token
An authentication token created for the purposes of deceiving an adversary.
D3-DUC
Decoy User Credential
A Credential created for the purpose of deceiving an adversary.
D3-FEV
File Eviction
File eviction techniques evict files from system storage.
D3-FR
File Removal
The file removal technique deletes malicious artifacts or programs from a computer system.
D3-ER
Email Removal
The email removal technique deletes email files from system storage.
D3-CE
Credential Eviction
Credential Eviction techniques disable or remove compromised credentials from a computer network.
D3-AL
Account Locking
The process of temporarily disabling user accounts on a system or domain.
D3-ANCI
Authentication Cache Invalidation
Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.
D3-CR
Credential Revoking
Deleting a set of credentials permanently to prevent them from being used to authenticate.
D3-PE
Process Eviction
Process eviction techniques terminate or remove running processes.
D3-PT
Process Termination
Terminating a running application process on a computer system.
D3-PS
Process Suspension
Suspending a running process on a computer system.