National Security Agency (NSA) is funding research for the D3FEND framework to improve the cybersecurity of National Security Systems, the Department of Defense and the Defense Industrial Base. The D3FEND technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behaviour.
D3FEND establishes terminology of computer network defensive techniques and illuminates previously unspecified relationships between defensive and offensive methods. This framework illustrates the complex interplay between computer network architectures, threats, and cyber countermeasures.
MITRE released D3FEND as a complement to its existing ATT&CK framework, a free, globally accessible knowledge base of cyber adversary tactics and techniques based on real-world observations. Industry and government use ATT&CK as a foundation to develop specific cyber threat models and methodologies. Complementary to the threat-based ATT&CK model, D3FEND provides a model of ways to counter common offensive techniques, enumerating how defensive techniques impact an actor’s ability to succeed.
By framing computer network defender complexity of countermeasure functions and techniques as granularly as ATT&CK frames computer network attacker techniques, D3FEND enables cybersecurity professionals to tailor defences against specific cyber threats, thereby reducing a system’s potential attack surface. As a result, D3FEND will drive more effective design, deployment, and defence of networked systems writ large.
Frameworks such as ATT&CK and D3FEND provide mission-agnostic tools for industry and government to conduct analyses and communicate findings. Whether categorising adversary behaviour or detailing how defensive capabilities mitigate threats, frameworks provide common descriptions that empower information sharing and operational collaboration for an ever-evolving cyber landscape.
NSA and MITRE encourage the cybersecurity community to promote the adoption of this vocabulary by cybersecurity professionals across government, industry, and academia.
According to an article, ATT&CK Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organisations or individuals can initialise their own instances of the application to serve as the centrepiece to a customised variant of the ATT&CK knowledge base, attaching other tools and interfaces as desired.
Through the Workbench, this local knowledge base can be extended with new or updated techniques, tactics, mitigations groups, and software. Additionally, Workbench provides means for a user to share their extensions with the greater ATT&CK community facilitating a greater level of collaboration within the community than is possible with current tools.
The primary utility of the Workbench is the ability to create new objects or extend existing objects with new content. Techniques, tactics, mitigations, groups, and software can all be created and edited. This means you can create an extension of the knowledge base according to your own needs, or even an entirely new dataset aligned with ATT&CK terminology and usable with ATT&CK tools.
Data created within the Workbench can be seamlessly integrated into existing ATT&CK data — new groups or software can be connected to existing techniques through procedure examples, or new sub-techniques can be created under existing ATT&CK techniques.
In the light of mounting pressure to improve its cybersecurity defences, the U.S. government has resorted to zero-trust security. As reported by OpenGov Asia, this security model assumes all traffic on a network could be a threat and requires every user to be authenticated and authorised before being granted access to any sensitive application or data.
While zero-trust security doesn’t protect networks from every possible attack, it reduces risk, speeds up threat detection and closes gaps in visibility. It is tailor-made for a world where cloud computing and an ever-increasing number of mobile devices are increasing the network attack surface and demanding finer-grain security controls.