271 defences5,014 crosswalks

D3FENDD3FEND defensive matrix

7 tactics · 271 defensive techniques · 5,014 defends_against crosswalks to MITRE ATT&CK. Authored by Adam Lundqvist.

TACTICModelHardenDetectIsolateDeceiveEvictRestoreLEVELTechniqueSub-technique
ATT&CK coverage
0
1
2-3
4-5
6+

MODModel0 techniques

HARHarden0 techniques

DETDetect90 techniques

D3-PM
Platform Monitoring
D3-FA
File Analysis
D3-FCOA
File Content Analysis
D3-FCR
File Content Rules
D3-FH
File Hashing
D3-FIM
File Integrity Monitoring
D3-UBA
User Behavior Analysis
D3-NTA
Network Traffic Analysis
D3-APCA
Application Protocol Command Analysis
D3-CSPP
Client-server Payload Profiling
D3-NTCD
Network Traffic Community Deviation
D3-NTSA
Network Traffic Signature Analysis
D3-PHDURA
Per Host Download-Upload Ratio Analysis
D3-PMAD
Protocol Metadata Anomaly Detection
D3-RTSD
Remote Terminal Session Detection
D3-UGLPA
User Geolocation Logon Pattern Analysis
D3-PA
Process Analysis
D3-OSM
Operating System Monitoring
D3-SCA
System Call Analysis
D3-DA
Dynamic Analysis
D3-EFA
Emulated File Analysis
D3-PSA
Process Spawn Analysis
D3-RPA
Relay Pattern Analysis
D3-CCSA
Credential Compromise Scope Analysis
D3-SBV
Service Binary Verification
D3-SFA
System File Analysis
D3-CAA
Connection Attempt Analysis
D3-AEM
Application Exception Monitoring
D3-APM
Application Performance Monitoring
D3-PLA
Process Lineage Analysis
D3-PSMD
Process Self-Modification Detection
D3-OPM
Operational Process Monitoring
D3-ANAA
Administrative Network Activity Analysis
D3-EHB
Endpoint Health Beacon
D3-HD
Homoglyph Detection
D3-ID
Identifier Analysis
D3-MBT
Memory Boundary Tracking
D3-PCSV
Process Code Segment Verification
D3-ACA
Active Certificate Analysis
D3-CA
Certificate Analysis
D3-ISVA
Inbound Session Volume Analysis
D3-PCA
Passive Certificate Analysis
D3-DAM
Domain Account Monitoring
D3-SICA
System Init Config Analysis
D3-SSC
Shadow Stack Comparisons
D3-FBA
Firmware Behavior Analysis
D3-FEMC
Firmware Embedded Monitoring Code
D3-FV
Firmware Verification
D3-IAA
Identifier Activity Analysis
D3-IRA
Identifier Reputation Analysis
D3-MA
Message Analysis
D3-SMRA
Sender MTA Reputation Analysis
D3-SRA
Sender Reputation Analysis
D3-UA
URL Analysis
D3-URA
URL Reputation Analysis
D3-DNSTA
DNS Traffic Analysis
D3-IDA
Input Device Analysis
D3-LAM
Local Account Monitoring
D3-SDM
System Daemon Monitoring
D3-FC
File Carving
D3-FCA
File Creation Analysis
D3-SFV
System Firmware Verification
D3-SJA
Scheduled Job Analysis
D3-USICA
User Session Init Config Analysis
D3-DQSA
Database Query String Analysis
D3-IPCTA
IPC Traffic Analysis
D3-PHAM
Physical Access Monitoring
D3-RTA
RPC Traffic Analysis
D3-VS
Video Surveillance
D3-ANET
Authentication Event Thresholding
D3-AZET
Authorization Event Thresholding
D3-BSE
Byte Sequence Emulation
D3-DNRA
Domain Name Reputation Analysis
D3-ELM
Electronic Lock Monitoring
D3-FAPA
File Access Pattern Analysis
D3-FHRA
File Hash Reputation Analysis
D3-IBCA
Indirect Branch Call Analysis
D3-IPRA
IP Reputation Analysis
D3-JFAPA
Job Function Access Pattern Analysis
D3-MSM
Motion Sensor Monitoring
D3-OMM
Operating Mode Monitoring
D3-PFV
Peripheral Firmware Verification
D3-PSM
Proximity Sensor Monitoring
D3-PUM
Platform Uptime Monitoring
D3-RAPA
Resource Access Pattern Analysis
D3-RFUM
Remote Firmware Update Monitoring
D3-SDA
Session Duration Analysis
D3-SEA
Script Execution Analysis
D3-UDTA
User Data Transfer Analysis
D3-WSAA
Web Session Activity Analysis

ISOIsolate57 techniques

D3-AMED
Access Mediation
D3-APA
Access Policy Administration
D3-CF
Content Filtering
D3-NRAM
Network Resource Access Mediation
D3-CQ
Content Quarantine
D3-CV
Content Validation
D3-FFV
File Format Verification
D3-LFP
Local File Permissions
D3-CFC
Content Format Conversion
D3-CM
Content Modification
D3-CNE
Content Excision
D3-CNR
Content Rebuild
D3-CNS
Content Substitution
D3-FCDC
File Content Decompression Checking
D3-FISV
File Internal Structure Verification
D3-FMBV
File Magic Byte Verification
D3-FMCV
File Metadata Consistency Validation
D3-FMVV
File Metadata Value Verification
D3-RFAM
Remote File Access Mediation
D3-NI
Network Isolation
D3-NTF
Network Traffic Filtering
D3-EI
Execution Isolation
D3-SCF
System Call Filtering
D3-EAL
Executable Allowlisting
D3-EDL
Executable Denylisting
D3-HBPI
Hardware-based Process Isolation
D3-OTF
Outbound Traffic Filtering
D3-CTS
Credential Transmission Scoping
D3-UAP
User Account Permissions
D3-EBWSAM
Endpoint-based Web Server Access Mediation
D3-PBWSAM
Proxy-based Web Server Access Mediation
D3-ABPI
Application-based Process Isolation
D3-KBPI
Kernel-based Process Isolation
D3-LFAM
Local File Access Mediation
D3-ITF
Inbound Traffic Filtering
D3-WSAM
Web Session Access Mediation
D3-IOPR
IO Port Restriction
D3-EF
Email Filtering
D3-DNSAL
DNS Allowlisting
D3-DNSDL
DNS Denylisting
D3-FRDDL
Forward Resolution Domain Denylisting
D3-HDDL
Hierarchical Domain Denylisting
D3-HDL
Homoglyph Denylisting
D3-RRID
Reverse Resolution IP Denylisting
D3-DTP
Domain Trust Policy
D3-BDI
Broadcast Domain Isolation
D3-DNL
Directional Network Link
D3-EPL
Physical Locking
D3-ET
Encrypted Tunnels
D3-FRIDL
Forward Resolution IP Denylisting
D3-LAMED
LAN Access Mediation
D3-NAM
Network Access Mediation
D3-OPR
Operating Mode Restriction
D3-OVAR
OT Variable Access Restriction
D3-PAM
Physical Access Mediation
D3-RAM
Routing Access Mediation
D3F-UGPH
User Group Permissions

DECDeceive0 techniques

EVIEvict0 techniques

RESRestore12 techniques

D3-RO
Restore Object
D3-RF
Restore File
D3-RC
Restore Configuration
D3-RA
Restore Access
D3-RS
Restore Software
D3-RD
Restore Database
D3-RIC
Reissue Credential
D3-RUAA
Restore User Account Access
D3-ULA
Unlock Account
D3-RNA
Restore Network Access
D3-RE
Restore Email
D3-RDI
Restore Disk Image
Sourced from MITRE D3FEND ontology. Cross-walks ingested via the D3FEND CSV feed. Curated by Adam Lundqvist, Founder at SQUR.
D3FEND defensive matrix | SQUR Knowledge Base