# D3FEND defensive techniques

271 MITRE D3FEND defences across 7 tactics (Model, Harden, Detect, Isolate, Deceive, Evict, Restore). Filter to a tactic or browse the full set. Authored by Adam Lundqvist.
## Model (27)

| ID | Title | Summary |
|---|---|---|
| D3-AI | Asset Inventory | |
| D3-ALLM | Active Logical Link Mapping | Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather… |
| D3-AM | Access Modeling | Access modeling captures and records the access permissions granted to identities (e.g., administrators, users, groups, systems) and optionally includes detail… |
| D3-APLM | Active Physical Link Mapping | Active physical link mapping sends and receives network traffic as a means to map the physical layer. |
| D3-AVE | Asset Vulnerability Enumeration | Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities. |
| D3-CI | Configuration Inventory | Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization. |
| D3-CIA | Container Image Analysis | Analyzing a Container Image with respect to a set of policies. |
| D3-DEM | Data Exchange Mapping | Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the app… |
| D3-DI | Data Inventory | Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture. |
| D3-DPLM | Direct Physical Link Mapping | Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links. |
| D3-HCI | Hardware Component Inventory | Hardware component inventorying identifies and records the hardware items in the organization's architecture. |
| D3-LLM | Logical Link Mapping | Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata. |
| D3-NM | Network Mapping | |
| D3-NNI | Network Node Inventory | Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture. |
| D3-NTPM | Network Traffic Policy Mapping | Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels. |
| D3-NVA | Network Vulnerability Assessment | Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can … |
| D3-OAM | Operational Activity Mapping | |
| D3-ODM | Operational Dependency Mapping | Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (peop… |
| D3-OM | Organization Mapping | Organization mapping identifies and models the people, roles, and groups within an organization and the relations between them. |
| D3-ORA | Operational Risk Assessment | Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole. |
| D3-PLLM | Passive Logical Link Mapping | Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rath… |
| D3-PLM | Physical Link Mapping | Physical link mapping identifies and models the link connectivity of the network devices within a physical network. |
| D3-SVCDM | Service Dependency Mapping | Service dependency mapping determines the services on which each given service relies. |
| D3-SWI | Software Inventory | Software inventorying identifies and records the software items in the organization's architecture. |
| D3-SYSDM | System Dependency Mapping | System dependency mapping identifies and models the dependencies of system components on each other to carry out their function. |
| D3-SYSM | System Mapping | |
| D3-SYSVA | System Vulnerability Assessment | System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and ca… |
## Harden (55)

| ID | Title | Summary |
|---|---|---|
| D3-AA | Agent Authentication | |
| D3-ACH | Application Configuration Hardening | Modifying an application's configuration to reduce its attack surface. |
| D3-AH | Application Hardening | |
| D3-BA | Bootloader Authentication | Cryptographically authenticating the bootloader software before system boot. |
| D3-BAN | Biometric Authentication | Using biological measures in order to authenticate a user. |
| D3-BMA | Bus Message Authentication | Applies cryptographic primitives to individual bus frames to verify the sender's identity and ensure the integrity of the data payload. |
| D3-CBAN | Certificate-based Authentication | Requiring a digital certificate in order to authenticate a user. |
| D3-CDP | Change Default Password | Changing the default password means replacing the factory-set credentials with a strong, unique password before the device is deployed, preventing unauthorized… |
| D3-CERO | Certificate Rotation | Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise ri… |
| D3-CFI | Control Flow Integrity | Enforcing legal control flow transfers during application process execution. |
| D3-CH | Credential Hardening | |
| D3-CP | Certificate Pinning | Persisting either a server's X.509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in … |
| D3-CRO | Credential Rotation | Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replace… |
| D3-CS | Credential Scrubbing | The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access. |
| D3-DCE | Dead Code Elimination | Removing unreachable or "dead code" from compiled source code. |
| D3-DENCR | Disk Encryption | Encrypting a hard disk partition to prevent cleartext access to a file system. |
| D3-DLIC | Driver Load Integrity Checking | Ensuring the integrity of drivers loaded during initialization of the operating system. |
| D3-DLV | Domain Logic Validation | Validation of variable state in the context of the domain application. |
| D3-DRA | Disable Remote Access | Limiting access to a computing device which is not required through or from a non-organization-controlled network. |
| D3-EHPV | Exception Handler Pointer Validation | Validates that a referenced exception handler pointer is a valid exception handler. |
| D3-EMH | Electromagnetic Radiation Hardening | The application of physical and material-level design measures to electronic systems, components, or facilities to reduce their susceptibility to damage or dis… |
| D3-FE | File Encryption | Encrypting a file using a cryptographic key. |
| D3-HBWP | Hardware-based Write Protection | Physical methods of preventing data from being written to computer storage. |
| D3-IRV | Integer Range Validation | Ensuring that an integer is within a valid range. |
| D3-MAN | Message Authentication | Authenticating the sender of a message and ensuring message integrity. |
| D3-MBSV | Memory Block Start Validation | Ensuring that a pointer accurately references the beginning of a designated memory block. |
| D3-MENCR | Message Encryption | Encrypting a message body using a cryptographic key. |
| D3-MFA | Multi-factor Authentication | Requiring proof of two or more pieces of evidence in order to authenticate a user. |
| D3-MH | Message Hardening | |
| D3-NPC | Null Pointer Checking | Checking if a pointer is NULL. |
| D3-OLV | Operational Logic Validation | Validation of variable state in the context of the control logic of the operational application. |
| D3-OTP | One-time Password | A one-time password is valid for only one user authentication. |
| D3-PAN | Pointer Authentication | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. |
| D3-PEH | Physical Enclosure Hardening | Physical changes to a computer enclosure which reduce the ability for agents or the environment to affect the contained computer system. |
| D3-PH | Platform Hardening | |
| D3-PR | Password Rotation | Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromis… |
| D3-PSEP | Process Segment Execution Prevention | Preventing execution of any address in a memory region other than the code segment. |
| D3-PV | Pointer Validation | Ensuring that a pointer variable has the required properties for use. |
| D3-PWA | Password Authentication | Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the inpu… |
| D3-RFS | RF Shielding | Adding physical barriers to a platform to prevent undesired radio interference. |
| D3-RH | Radiation Hardening | Radiation hardening is the process of making electronic components and circuits resistant to damage or malfunction caused by high levels of ionizing radiation. |
| D3-RN | Reference Nullification | Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation. |
| D3-SAOR | Segment Address Offset Randomization | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. |
| D3-SCH | Source Code Hardening | |
| D3-SCP | System Configuration Permissions | Restricting system configuration modifications to a specific user or group of users. |
| D3-SFCV | Stack Frame Canary Validation | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. |
| D3-SPP | Strong Password Policy | Modifying system configuration to increase password strength. |
| D3-SU | Software Update | Replacing old software on a computer system component. |
| D3-TAAN | Transfer Agent Authentication | Validating that server components of a messaging infrastructure are authorized to send a particular message. |
| D3-TB | Token Binding | Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection. |
| D3-TBA | Token-based Authentication | Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the web… |
| D3-TBI | TPM Boot Integrity | Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the … |
| D3-TL | Trusted Library | A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific function… |
| D3-VI | Variable Initialization | Setting variables to a known value before use. |
| D3-VTV | Variable Type Validation | Ensuring that a variable has the correct type. |
## Detect (90)

| ID | Title | Summary |
|---|---|---|
| D3-ACA | Active Certificate Analysis | Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis. |
| D3-AEM | Application Exception Monitoring | Monitoring the failures of system counters and timers. |
| D3-ANAA | Administrative Network Activity Analysis | Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline. |
| D3-ANET | Authentication Event Thresholding | Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile. |
| D3-APCA | Application Protocol Command Analysis | Analyzing application protocol level remote commands to detect unauthorized activity. |
| D3-APM | Application Performance Monitoring | Monitoring the count and duration of the application or program cycle. |
| D3-AZET | Authorization Event Thresholding | Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile. |
| D3-BSE | Byte Sequence Emulation | Analyzing sequences of bytes and determining if they likely represent malicious shellcode. |
| D3-CA | Certificate Analysis | Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-… |
| D3-CAA | Connection Attempt Analysis | Analyzing failed connections in a network to detect unauthorized activity. |
| D3-CCSA | Credential Compromise Scope Analysis | Determining which credentials may have been compromised by analyzing the user logon history of a particular system. |
| D3-CSPP | Client-server Payload Profiling | Comparing client-server request and response payloads to a baseline profile to identify outliers. |
| D3-DA | Dynamic Analysis | Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such a… |
| D3-DAM | Domain Account Monitoring | Monitoring the existence of or changes to Domain User Accounts. |
| D3-DNRA | Domain Name Reputation Analysis | Analyzing the reputation of a domain name. |
| D3-DNSTA | DNS Traffic Analysis | Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host. |
| D3-DQSA | Database Query String Analysis | Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html). |
| D3-EFA | Emulated File Analysis | Emulating instructions in a file looking for specific patterns. |
| D3-EHB | Endpoint Health Beacon | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has b… |
| D3-ELM | Electronic Lock Monitoring | Monitoring electronic lock and door hardware states and access events (e.g., locked/unlocked, access granted/denied, door forced/held, tamper) to detect and re… |
| D3-FA | File Analysis | |
| D3-FAPA | File Access Pattern Analysis | Analyzing the files accessed by a process to identify unauthorized activity. |
| D3-FBA | Firmware Behavior Analysis | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. |
| D3-FC | File Carving | Identifying and extracting files from network application protocols through the use of network stream reassembly software. |
| D3-FCA | File Creation Analysis | Analyzing the properties of file create system call invocations. |
| D3-FCOA | File Content Analysis | Employing a pattern matching algorithm to statically analyze the content of files. |
| D3-FCR | File Content Rules | Employing a pattern matching rule language to analyze the content of files. |
| D3-FEMC | Firmware Embedded Monitoring Code | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. |
| D3-FH | File Hashing | Employing file hash comparisons to detect known malware. |
| D3-FHRA | File Hash Reputation Analysis | Analyzing the reputation of a file hash. |
| D3-FIM | File Integrity Monitoring | Detecting any suspicious changes to files in a computer system. |
| D3-FV | Firmware Verification | Cryptographically verifying firmware integrity. |
| D3-HD | Homoglyph Detection | Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user. |
| D3-IAA | Identifier Activity Analysis | Taking known malicious identifiers and determining if they are present in a system. |
| D3-IBCA | Indirect Branch Call Analysis | Analyzing vendor specific branch call recording in order to detect ROP style attacks. |
| D3-ID | Identifier Analysis | |
| D3-IDA | Input Device Analysis | Operating system level mechanisms to prevent abusive input device exploitation. |
| D3-IPCTA | IPC Traffic Analysis | Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity. |
| D3-IPRA | IP Reputation Analysis | Analyzing the reputation of an IP address. |
| D3-IRA | Identifier Reputation Analysis | Analyzing the reputation of an identifier. |
| D3-ISVA | Inbound Session Volume Analysis | Analyzing inbound network session or connection attempt volume. |
| D3-JFAPA | Job Function Access Pattern Analysis | Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function,… |
| D3-LAM | Local Account Monitoring | Analyzing local user accounts to detect unauthorized activity. |
| D3-MA | Message Analysis | |
| D3-MBT | Memory Boundary Tracking | Analyzing a call stack for return addresses which point to unexpected memory locations. |
| D3-MSM | Motion Sensor Monitoring | Monitoring events from motion detectors (e.g., passive IR, microwave, dual-technology) to detect presence or movement within protected areas. |
| D3-NTA | Network Traffic Analysis | |
| D3-NTCD | Network Traffic Community Deviation | Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication. |
| D3-NTSA | Network Traffic Signature Analysis | Analyzing network traffic and comparing it to known signatures. |
| D3-OMM | Operating Mode Monitoring | Detects operating modes such as Program, Run, Remote, or Stop. |
| D3-OPM | Operational Process Monitoring | Monitoring physical parameters and operator actions related to an operational environment. |
| D3-OSM | Operating System Monitoring | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic.… |
| D3-PA | Process Analysis | |
| D3-PCA | Passive Certificate Analysis | Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity. |
| D3-PCSV | Process Code Segment Verification | Comparing the "text" or "code" memory segments to a source of truth. |
| D3-PFV | Peripheral Firmware Verification | Cryptographically verifying peripheral firmware integrity. |
| D3-PHAM | Physical Access Monitoring | |
| D3-PHDURA | Per Host Download-Upload Ratio Analysis | Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host. |
| D3-PLA | Process Lineage Analysis | Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of eac… |
| D3-PM | Platform Monitoring | |
| D3-PMAD | Protocol Metadata Anomaly Detection | Collecting network communication protocol metadata and identifying statistical outliers. |
| D3-PSA | Process Spawn Analysis | Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized. |
| D3-PSM | Proximity Sensor Monitoring | Monitoring events from proximity sensors that indicate a credential or tagged asset is within the sensor’s read range or a defined zone. Common enabling techno… |
| D3-PSMD | Process Self-Modification Detection | Detects processes that modify, change, or replace their own code at runtime. |
| D3-PUM | Platform Uptime Monitoring | Monitor the amount of time since the last power cycle or restart. |
| D3-RAPA | Resource Access Pattern Analysis | Analyzing the resources accessed by a user to identify unauthorized activity. |
| D3-RFUM | Remote Firmware Update Monitoring | Monitoring of remote firmware update commands to identify unauthorized software installations. |
| D3-RPA | Relay Pattern Analysis | The detection of an internal host relaying traffic between the internal network and the external network. |
| D3-RTA | RPC Traffic Analysis | Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities. |
| D3-RTSD | Remote Terminal Session Detection | Detection of an unauthorized remote live terminal console session by examining network traffic to a network host. |
| D3-SBV | Service Binary Verification | Analyzing changes in service binary files by comparing to a source of truth. |
| D3-SCA | System Call Analysis | Analyzing system calls to determine whether a process is exhibiting unauthorized behavior. |
| D3-SDA | Session Duration Analysis | Analyzing the duration of user sessions in order to detect unauthorized activity. |
| D3-SDM | System Daemon Monitoring | Tracking changes to the state or configuration of critical system level processes. |
| D3-SEA | Script Execution Analysis | Analyzing the execution of a script to detect unauthorized user activity. |
| D3-SFA | System File Analysis | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. |
| D3-SFV | System Firmware Verification | Cryptographically verifying installed system firmware integrity. |
| D3-SICA | System Init Config Analysis | Analysis of any system process startup configuration. |
| D3-SJA | Scheduled Job Analysis | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. |
| D3-SMRA | Sender MTA Reputation Analysis | Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails. |
| D3-SRA | Sender Reputation Analysis | Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging). |
| D3-SSC | Shadow Stack Comparisons | Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity. |
| D3-UA | URL Analysis | Determining if a URL is benign or malicious by analyzing the URL or its components. |
| D3-UBA | User Behavior Analysis | |
| D3-UDTA | User Data Transfer Analysis | Analyzing the amount of data transferred by a user. |
| D3-UGLPA | User Geolocation Logon Pattern Analysis | Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location. |
| D3-URA | URL Reputation Analysis | Analyzing the reputation of a URL. |
| D3-USICA | User Session Init Config Analysis | Analyzing modifications to user session config files such as .bashrc or .bash_profile. |
| D3-VS | Video Surveillance | Monitoring of physical areas via camera video feeds to deter, detect, and investigate unauthorized access and related security events. |
| D3-WSAA | Web Session Activity Analysis | Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined maliciou… |
## Isolate (57)

| ID | Title | Summary |
|---|---|---|
| D3-ABPI | Application-based Process Isolation | Application code which prevents its own subroutines from accessing intra-process / internal memory space. |
| D3-AMED | Access Mediation | |
| D3-APA | Access Policy Administration | |
| D3-BDI | Broadcast Domain Isolation | Broadcast isolation restricts the number of computers a host can contact on their LAN. |
| D3-CF | Content Filtering | |
| D3-CFC | Content Format Conversion | Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening. |
| D3-CM | Content Modification | Modify content that does not comply with policy. |
| D3-CNE | Content Excision | Removing specific, potentially malicious, parts of content. |
| D3-CNR | Content Rebuild | Rebuild the file according to the spec so any unreferenced components or objects are removed. |
| D3-CNS | Content Substitution | Modifies specific digital content information by replacing it with something else. |
| D3-CQ | Content Quarantine | Transfer content that does not comply with policy to a quarantine zone. |
| D3-CTS | Credential Transmission Scoping | Limiting the transmission of a credential to a scoped set of relying parties. |
| D3-CV | Content Validation | Verify and validate that content complies with policy. |
| D3-DNL | Directional Network Link | Enforce one-way network communication by preventing two-way communication. |
| D3-DNSAL | DNS Allowlisting | Permitting only approved domains and their subdomains to be resolved. |
| D3-DNSDL | DNS Denylisting | Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type. |
| D3-DTP | Domain Trust Policy | Restricting inter-domain trust by modifying domain configuration. |
| D3-EAL | Executable Allowlisting | Using a digital signature to authenticate a file before opening. |
| D3-EBWSAM | Endpoint-based Web Server Access Mediation | Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates… |
| D3-EDL | Executable Denylisting | Blocking the execution of files on a host in accordance with defined application policy rules. |
| D3-EF | Email Filtering | Filtering incoming email traffic based on specific criteria. |
| D3-EI | Execution Isolation | |
| D3-EPL | Physical Locking | Employ a mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position. |
| D3-ET | Encrypted Tunnels | Encrypted encapsulation of routable network traffic. |
| D3-FCDC | File Content Decompression Checking | Checking if compressed or encoded data sections can be successfully decompressed or decoded. Can be followed by further analysis with semantic knowledge. |
| D3-FFV | File Format Verification | Verifying that a file conforms to its expected format specifications. |
| D3-FISV | File Internal Structure Verification | The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the… |
| D3-FMBV | File Magic Byte Verification | Utilizing the magic number to verify the file. |
| D3-FMCV | File Metadata Consistency Validation | The process of validating the consistency between a file's metadata and its actual content, ensuring that elements like declared lengths, pointers, and checksu… |
| D3-FMVV | File Metadata Value Verification | The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the… |
| D3-FRDDL | Forward Resolution Domain Denylisting | Blocking a lookup based on the query's domain name value. |
| D3-FRIDL | Forward Resolution IP Denylisting | Blocking a DNS lookup's answer's IP address value. |
| D3-HBPI | Hardware-based Process Isolation | Preventing one process from writing to the memory space of another process through hardware based address manager implementations. |
| D3-HDDL | Hierarchical Domain Denylisting | Blocking the resolution of any subdomain of a specified domain name. |
| D3-HDL | Homoglyph Denylisting | Blocking DNS queries that are deceptively similar to legitimate domain names. |
| D3-IOPR | IO Port Restriction | Limiting access to computer input/output (IO) ports to restrict unauthorized devices. |
| D3-ITF | Inbound Traffic Filtering | Restricting network traffic originating from untrusted networks destined towards a private host or enclave. |
| D3-KBPI | Kernel-based Process Isolation | Using kernel-level capabilities to isolate processes. |
| D3-LAMED | LAN Access Mediation | LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern… |
| D3-LFAM | Local File Access Mediation | Local file access mediation is the process of an operating system granting or denying a specific access request to a local file. |
| D3-LFP | Local File Permissions | Local file permissions is the systematic process of defining, implementing, and managing access control policies that dictate user permissions for accessing fi… |
| D3-NAM | Network Access Mediation | Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a n… |
| D3-NI | Network Isolation | |
| D3-NRAM | Network Resource Access Mediation | Control of access to organizational systems and services by users or processes over a network. |
| D3-NTF | Network Traffic Filtering | Restricting network traffic originating from any location. |
| D3-OPR | Operating Mode Restriction | Restricting unauthorized changes to the operating mode prevents devices from switching into inappropriate or vulnerable states during normal use. |
| D3-OTF | Outbound Traffic Filtering | Restricting network traffic originating from a private host or enclave destined towards untrusted networks. |
| D3-OVAR | OT Variable Access Restriction | Assign read/write access controls on designated registers or data tags to prevent unauthorized writes. |
| D3-PAM | Physical Access Mediation | Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military esta… |
| D3-PBWSAM | Proxy-based Web Server Access Mediation | Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers. |
| D3-RAM | Routing Access Mediation | Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, … |
| D3-RFAM | Remote File Access Mediation | Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes ca… |
| D3-RRID | Reverse Resolution IP Denylisting | Blocking a reverse lookup based on the query's IP address value. |
| D3-SCF | System Call Filtering | Controlling access to local computer system resources with kernel-level capabilities. |
| D3-UAP | User Account Permissions | Restricting a user account's access to resources. |
| D3-WSAM | Web Session Access Mediation | Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat … |
| D3F-UGPH | User Group Permissions | Access control where access is determined based on attributes associated with users and the objects being accessed. |
## Deceive (11)

| ID | Title | Summary |
|---|---|---|
| D3-CHN | Connected Honeynet | A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without e… |
| D3-DE | Decoy Environment | |
| D3-DF | Decoy File | A file created for the purposes of deceiving an adversary. |
| D3-DNR | Decoy Network Resource | Deploying a network resource for the purposes of deceiving an adversary. |
| D3-DO | Decoy Object | |
| D3-DP | Decoy Persona | Establishing a fake online identity to misdirect, deceive, and or interact with adversaries. |
| D3-DPR | Decoy Public Release | Issuing publicly released media to deceive adversaries. |
| D3-DST | Decoy Session Token | An authentication token created for the purposes of deceiving an adversary. |
| D3-DUC | Decoy User Credential | A Credential created for the purpose of deceiving an adversary. |
| D3-IHN | Integrated Honeynet | The practice of setting decoys in a production environment to entice interaction from attackers. |
| D3-SHN | Standalone Honeynet | An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems. |
## Evict (19)

| ID | Title | Summary |
|---|---|---|
| D3-AL | Account Locking | The process of temporarily disabling user accounts on a system or domain. |
| D3-ANCI | Authentication Cache Invalidation | Removing tokens or credentials from an authentication cache to prevent further user associated account accesses. |
| D3-CE | Credential Eviction | |
| D3-CR | Credential Revocation | Deleting a set of credentials permanently to prevent them from being used to authenticate. |
| D3-DKE | Disk Erasure | Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means. |
| D3-DKF | Disk Formatting | Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use. |
| D3-DKP | Disk Partitioning | Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions. |
| D3-DNSCE | DNS Cache Eviction | Flushing DNS to clear any IP addresses or other DNS records from the cache. |
| D3-DRT | Domain Registration Takedown | The process of performing a takedown of the attacker's domain registration infrastructure. |
| D3-ER | Email Removal | The email removal technique deletes email files from system storage. |
| D3-FEV | File Eviction | File eviction techniques delete files from system storage. |
| D3-HR | Host Reboot | Initiating a host's reboot sequence to terminate all running processes. |
| D3-HS | Host Shutdown | Initiating a host's shutdown sequence to terminate all running processes. |
| D3-OE | Object Eviction | |
| D3-PE | Process Eviction | |
| D3-PS | Process Suspension | Suspending a running process on a computer system. |
| D3-PT | Process Termination | Terminating a running application process on a computer system. |
| D3-RKD | Registry Key Deletion | Delete a registry key. |
| D3-ST | Session Termination | Forcefully end all active sessions associated with compromised accounts or devices. |
## Restore (12)

| ID | Title | Summary |
|---|---|---|
| D3-RA | Restore Access | |
| D3-RC | Restore Configuration | Restoring a software configuration. |
| D3-RD | Restore Database | Restoring the data in a database. |
| D3-RDI | Restore Disk Image | Restoring a previously captured disk image to a hard drive. |
| D3-RE | Restore Email | Restoring an email for an entity to access. |
| D3-RF | Restore File | Restoring a file for an entity to access. |
| D3-RIC | Reissue Credential | Issue a new credential to a user which supersedes their old credential. |
| D3-RNA | Restore Network Access | Restoring an entity's access to a computer network. |
| D3-RO | Restore Object | |
| D3-RS | Restore Software | Restoring software to a host. |
| D3-RUAA | Restore User Account Access | Restoring a user account's access to resources. |
| D3-ULA | Unlock Account | Restoring a user account's access to resources by unlocking a locked User Account. |