271 defences3,962 crosswalks

D3FENDD3FEND defensive matrix

7 tactics · 271 defensive techniques · 3,962 defends_against crosswalks to MITRE ATT&CK. Authored by Adam Lundqvist.

TACTICModel Harden Detect Isolate Deceive Evict RestoreLEVELTechnique Sub-technique

ATT&CK coverage

0

1

2-3

4-5

6+

MODModel0 techniques

HARHarden0 techniques

DETDetect68 techniques

Platform Monitoring

File Content Analysis

File Integrity Monitoring

User Behavior Analysis

Network Traffic Analysis

Application Protocol Command Analysis

Client-server Payload Profiling

Network Traffic Community Deviation

Network Traffic Signature Analysis

Per Host Download-Upload Ratio Analysis

Protocol Metadata Anomaly Detection

Remote Terminal Session Detection

User Geolocation Logon Pattern Analysis

Process Analysis

Operating System Monitoring

System Call Analysis

Dynamic Analysis

Emulated File Analysis

Process Spawn Analysis

Relay Pattern Analysis

Credential Compromise Scope Analysis

Connection Attempt Analysis

Application Performance Monitoring

Process Self-Modification Detection

Operational Process Monitoring

Administrative Network Activity Analysis

Homoglyph Detection

Identifier Analysis

Process Code Segment Verification

Certificate Analysis

Inbound Session Volume Analysis

Domain Account Monitoring

Shadow Stack Comparisons

Firmware Behavior Analysis

Firmware Embedded Monitoring Code

Firmware Verification

Identifier Activity Analysis

Identifier Reputation Analysis

Message Analysis

Sender MTA Reputation Analysis

Sender Reputation Analysis

DNS Traffic Analysis

Local Account Monitoring

Database Query String Analysis

IPC Traffic Analysis

Physical Access Monitoring

RPC Traffic Analysis

Video Surveillance

Authentication Event Thresholding

Authorization Event Thresholding

Byte Sequence Emulation

Electronic Lock Monitoring

File Access Pattern Analysis

Indirect Branch Call Analysis

Job Function Access Pattern Analysis

Motion Sensor Monitoring

Operating Mode Monitoring

Proximity Sensor Monitoring

Platform Uptime Monitoring

Resource Access Pattern Analysis

Session Duration Analysis

Script Execution Analysis

User Data Transfer Analysis

Web Session Activity Analysis

ISOIsolate31 techniques

Access Mediation

Access Policy Administration

Content Filtering

Network Resource Access Mediation

Content Quarantine

Content Validation

Local File Permissions

Content Modification

Network Isolation

Network Traffic Filtering

Execution Isolation

System Call Filtering

Executable Allowlisting

Executable Denylisting

Hardware-based Process Isolation

Credential Transmission Scoping

User Account Permissions

Application-based Process Isolation

Kernel-based Process Isolation

IO Port Restriction

DNS Allowlisting

DNS Denylisting

Domain Trust Policy

Broadcast Domain Isolation

Directional Network Link

Encrypted Tunnels

Network Access Mediation

Operating Mode Restriction

OT Variable Access Restriction

Physical Access Mediation

User Group Permissions

DECDeceive0 techniques

EVIEvict15 techniques

Object Eviction

Credential Eviction

Process Eviction

Authentication Cache Invalidation

Credential Revocation

Account Locking

Process Suspension

Process Termination

Session Termination

Disk Formatting

Registry Key Deletion

DNS Cache Eviction

Domain Registration Takedown

RESRestore10 techniques

Restore Configuration

Restore Software

Restore Database

Reissue Credential

Restore User Account Access

Restore Network Access

Restore Disk Image

Sourced from MITRE D3FEND ontology. Cross-walks ingested via the D3FEND CSV feed. Curated by Adam Lundqvist, Founder at SQUR.

D3FEND defensive matrix | SQUR Knowledge Base