Defensive Security Glossary

MITRE D3FEND

MITRE D3FEND is the counterpart to ATT&CK from a defender’s perspective: a structured knowledge model for defensive cybersecurity techniques such as hardening, detection, isolation, and deception, with direct mappings to ATT&CK attack techniques.

MITRE D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense) is an NSA-sponsored knowledge model that systematically catalogs defensive cybersecurity techniques—similar to how MITRE ATT&CK catalogs attack techniques.

D3FEND vs. ATT&CK: Complementary Frameworks

While ATT&CK documents how attackers operate (TTPs), D3FEND documents how defenders can respond:

  • MITRE ATT&CK: attacker perspective - tactics, techniques, sub-techniques
  • MITRE D3FEND: defender’s perspective - defensive techniques effective against ATT&CK techniques

The core promise: for every ATT&CK technique, D3FEND lists one or more countermeasures with an explicit mapping.

D3FEND Defensive Tactics

  1. HARDEN - Reduce the attack surface before an attack occurs

    • Application Hardening (Removing Unused Components)
    • Credential Hardening (Multi-factor Authentication)
    • Message Hardening (Email Header Analysis)
    • Network Traffic Filtering (Inbound Session Volume Analysis)
  2. DETECT - Detect attacks in real time before they cause damage

    • File Analysis (Dynamic Analysis, Emulation)
    • Network Traffic Analysis (Protocol Anomaly Detection)
    • Platform Monitoring (System Call Analysis)
    • User Behavior Analysis (Authentication Event Thresholding)
  3. ISOLATE - Mitigate damage by isolating compromised systems

    • Network Isolation (Broadcast Domain Isolation)
    • Execution Isolation (Sandbox)
    • Credential Isolation (Certificate-based Authentication)
  4. DECEIVE - Mislead and stop attackers

    • Decoy Environment (Honeypot, Honeynet)
    • Decoy Content (Honey Credentials, Canary Tokens)
    • Decoy System (Decoy Network Resource)
  5. EVICT - Remove attackers from the system after they have penetrated it

    • Credential Eviction (Account Locking)
    • Process Eviction (Process Termination)
    • Execution Eviction (Driver Load Integrity Checking)

D3FEND in Practice: Gap Analysis

D3FEND enables a structured gap analysis of your own defense capabilities:

Example: ATT&CK T1566.001 (Spearphishing Attachment) → D3FEND countermeasures:

  • M1049: Antivirus/Antimalware (DETECT: File Analysis)
  • M1031: Email Content Filtering (HARDEN: Message Filtering)
  • M1017: User Training (HARDEN: User Education)
  • M1021: Restrict Web-Based Content (ISOLATE: Web Content Filtering)
  • D3-DAM: Dynamic Analysis → Sandbox analysis of attachments

Questions for the gap analysis:

  • Do we have email attachment sandboxing? (DETECT)
  • Do we have DKIM/DMARC/SPF for outgoing emails? (HARDEN)
  • Do we have user awareness training? (HARDEN)
  • Do we have EDR with behavioral detection? (DETECT + EVICT)

D3FEND Ontology

An important feature of D3FEND is its machine-readable ontology (OWL/RDF format)—it enables automation:

  • Automatic mapping: Which controls cover which ATT&CK techniques?
  • Coverage reports: How many techniques are covered vs. blind spots?
  • Tool integration: SIEM vendors can tag their rules directly with D3FEND
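As an added worked example (not code from this page or from MITRE), here is a small Python gap-analysis script of the kind the machine-readable ontology makes possible: it takes a constructed ATT&CK-to-D3FEND mapping table (the T1566.001 rows from the example above plus a placeholder technique) and an inventory of implemented controls, and reports covered tactics, open tactics and blind spots per technique. A real deployment would load the mapping from the D3FEND OWL/RDF files instead of the inline table.

```python
from collections import defaultdict

# Constructed mapping (not the real D3FEND ontology): ATT&CK technique ->
# countermeasures as (ID, D3FEND tactic). The T1566.001 rows mirror the page's
# example; "T0000.000" is a placeholder technique that shows an uncovered case.
MAPPING = {
    "T1566.001": [
        ("M1049", "DETECT"),   # Antivirus/Antimalware (File Analysis)
        ("M1031", "HARDEN"),   # Email Content Filtering (Message Filtering)
        ("M1017", "HARDEN"),   # User Training (User Education)
        ("M1021", "ISOLATE"),  # Restrict Web-Based Content (Web Content Filtering)
        ("D3-DAM", "DETECT"),  # Dynamic Analysis (attachment sandboxing)
    ],
    "T0000.000": [("D3-PLACEHOLDER", "EVICT")],
}
D3FEND_TACTICS = ("HARDEN", "DETECT", "ISOLATE", "DECEIVE", "EVICT")

def gap_report(mapping, implemented):
    """Per ATT&CK technique: D3FEND tactics covered by controls actually in place,
    mapped tactics still open, and whether it is a blind spot (nothing in place)."""
    report = {}
    for technique, measures in mapping.items():
        mapped = {tactic for _, tactic in measures}
        covered = {tactic for cm, tactic in measures if cm in implemented}
        report[technique] = {
            "covered": sorted(covered),
            "open": sorted(mapped - covered),
            "blind_spot": not covered,
        }
    return report

def coverage_summary(report):
    """Count techniques with at least one control per tactic, list blind spots."""
    per_tactic = defaultdict(int)
    for entry in report.values():
        for tactic in entry["covered"]:
            per_tactic[tactic] += 1
    return {
        "techniques": len(report),
        "blind_spots": sorted(t for t, e in report.items() if e["blind_spot"]),
        "per_tactic": {t: per_tactic[t] for t in D3FEND_TACTICS},
    }

if __name__ == "__main__":
    # Constructed control inventory: attachment sandboxing and awareness training exist.
    deployed = {"D3-DAM", "M1017"}
    rep = gap_report(MAPPING, deployed)
    for tech, entry in rep.items():
        print(tech, entry)
    print(coverage_summary(rep))
```

With the constructed inventory, T1566.001 is covered on DETECT and HARDEN but still open on ISOLATE, and the placeholder technique is reported as a blind spot.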

D3FEND is freely available at with an interactive knowledge graph, technique search, and ATT&CK mapping tool.