SecurityWeek

Incident Response

Three Ways to Improve Defense Readiness Using MITRE D3FEND

Created and maintained by MITRE, MITRE D3FEND is a framework that provides a library of defensive cybersecurity countermeasures and technical components to help organizations improve their defensive cybersecurity posture.

MITRE D3FEND complements the MITRE ATT&CK framework, which is a library of adversary tactics, techniques, and procedures (TTPs). D3FEND maps relationships between ATT&CK TTPs and defensive countermeasures, so that organizations can develop strategies against known attacker behavior.

Using D3FEND To Bolster Defensive Readiness

D3FEND gives organizations a defensive cybersecurity language and classification hierarchy, enabling them to create a new cybersecurity program or to improve an existing one. Organizations can use the framework to assess and compare the security posture of software products and services, and to make informed acquisitions and investments.

At its core, D3FEND provides security teams with the taxonomy of skills they need to achieve defensive readiness. This taxonomy provides a highly formal and organized insight into defensive countermeasures that security teams can take to mitigate attacks, while laying the groundwork for a long-term strategy to monitor, detect, and respond to cyberattacks.

A good example of this taxonomy in action is D3FEND’s Message Analysis technique. It details the tools and defensive-readiness skills analysts need in order to examine messages for the kinds of attacks they may carry. These tools and skills range from high-level ones to very specific ones, such as analyzing header information, email body content, links, and attachments.
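To make the message-analysis technique concrete, here is an added Python example (not code from the article, nor from MITRE or D3FEND) that runs a constructed phishing-style message through the four checks the paragraph names: header authentication results, body content, links, and attachments. Every address, host and filename in the sample is invented.

```python
import re
from email import message_from_string, policy
# Constructed sample message (not a real capture); every address and host is invented.
RAW_MESSAGE = """\
From: "Payroll" <payroll@example-payroll.test>
To: employee@example.test
Subject: Action required: updated payslip
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-payroll.test; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your payslip is ready. Review it at http://payslips.example-payroll.test/login
--b1
Content-Type: application/octet-stream; name="payslip.pdf.exe"
Content-Disposition: attachment; filename="payslip.pdf.exe"

stub-attachment-bytes
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"]+")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk")
def analyze_message(raw: str) -> dict:
    """Return findings for the four areas the article lists: header, body, links, attachments."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"header": [], "body": [], "links": [], "attachments": []}

    # Header analysis: sender-authentication verdicts recorded by the receiving MTA.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings["header"].append(f"{mech}={result}")

    # Body analysis: pressure language in the subject, then links in the text body.
    if re.search(r"action required|urgent", msg.get("Subject", ""), re.I):
        findings["body"].append("urgency cue in subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    findings["links"] = URL_RE.findall(body.get_content() if body else "")

    # Attachment analysis: executable extensions and double extensions are flagged.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings["attachments"].append(name)
    return findings
```

Each findings list corresponds to one of the skill areas the taxonomy breaks Message Analysis into, so a team can see which checks it already covers with tooling and which it still needs to train for.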

Pitfalls to Avoid

Don’t try to boil the D3FEND ocean. Some organizations embrace the all-or-nothing approach to cybersecurity, and unfortunately many pay the price for doing so. In the case of D3FEND — and its vast framework of measures and components — the average organization should not try to implement everything it contains. In fact, most enterprises only need to embrace a fraction of D3FEND to improve their security posture.

Failing to focus on the top threats facing the organization. To achieve cyber readiness, every organization needs to identify the top threats facing it and to determine the essential skills needed for protection. 

The key is to be strategic — focus on the most relevant type of attacks, attacker profiles, and their tools and tactics. The next step is to assess the organization’s skills and tools for defending this narrower band of attacks/attackers, and to improve them where necessary.

This is where D3FEND can help by giving organizations the information to align specific skills and tools to quash specific threats. 

Improving Defensive Readiness with D3FEND

Choose the right D3FEND capabilities. Given the complexity and depth of D3FEND, it is wise to take baby steps in the beginning, by acquiring those skills and products vital to protecting the organization from the top threats it faces daily. 

Develop training paths for individuals and teams based on their current skill sets. The basic building block is individual, hands-on training that lets people work at their own pace and build the muscle memory vital to learning. This approach allows them to hone their skills by following pre-built or prescribed learning paths.

Ideally, skills development should be flexible enough to allow the program leader to tailor it to meet the security needs of the organization as well as the team needs of other security staff.

Validate that skills have been acquired using team threat exercises. Validating skills is crucial to the success of cyber readiness training. The process should include routine assessments of each individual’s skills through team-based exercises conducted in realistic settings.

To be authentic and effective, the process must account for people’s different talents: some are faster than others in certain situations, some make better decisions, some are better defenders, and others are better attackers.

The MITRE D3FEND framework is an excellent tool for enhancing cyber defense readiness. But it is only as effective as the planning that goes into aligning it with the top threats facing the organization. This includes tailoring content to the current skills and desired achievement levels of both individual analysts and the security team as a whole.

Related: ATT&CK v9 Introduces Containers, Google Workspace

Related: ATT&CK Framework to Evaluate Enterprise Security Products

Related: MITRE ATT&CK Used for Cybersecurity Skills Development

Related: Where To Begin With MITRE ATT&CK Matrix

Written By

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.