Created and maintained by MITRE, MITRE D3FEND is a framework that provides a library of defensive cybersecurity countermeasures and technical components to help organizations improve their defensive cybersecurity posture.
MITRE D3FEND is complementary to the MITRE ATT&CK framework, which is a library of cybercriminal tactics, techniques, and procedures (TTPs). D3FEND maps the relationships between ATT&CK's TTPs and defensive countermeasures, so that organizations can develop strategies against known attacker behavior.
Using D3FEND To Bolster Defensive Readiness
D3FEND gives organizations a defensive cybersecurity language and classification hierarchy, enabling them to create a new cybersecurity program or to improve an existing one. Organizations can use the framework to assess and compare the security posture of software products and services, and to make informed acquisitions and investments.
At its core, D3FEND provides security teams with the taxonomy of skills they need to achieve defensive readiness. This taxonomy provides a highly formal and organized insight into defensive countermeasures that security teams can take to mitigate attacks, while laying the groundwork for a long-term strategy to monitor, detect, and respond to cyberattacks.
A great example of this taxonomy in action is D3FEND’s technique of message analysis. It details the tools and defensive readiness skills people need to analyze messages to see what kinds of attacks might be contained in them. These tools and skills range from high-level ones to very specific ones, such as analyzing header information, the body content of emails, links, and attachments.
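To make the message analysis technique concrete, here is an added example (not code from MITRE or D3FEND) that runs the header, body, link and attachment checks the paragraph lists over one constructed phishing-style email; the message, addresses and risky-extension list are assumptions for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message for this example (not a real email).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.net (203.0.113.5) by mail.example.org; Mon, 1 Jan 2024 10:00:00 +0000
From: Accounts Payable <ap@example.com>
Reply-To: invoices@example-billing.test
To: user@example.org
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review http://example-billing.test/pay and open the attached file.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Assumed list of extensions a defender would flag; tune to local policy.
RISKY_EXT = {"exe", "js", "vbs", "scr", "hta", "bat", "cmd", "ps1"}
URL_RE = re.compile(r"https?://[^\s<>]+")

def domain_of(addr):
    """Return the lower-cased domain of an address header value, or None."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else None

def analyze_message(raw):
    """Header, body, link and attachment checks on one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    from_dom = domain_of(msg["From"])
    findings = {
        "from_domain": from_dom,
        # Header analysis: sender, bounce and reply domains should normally agree.
        "return_path_mismatch": domain_of(msg["Return-Path"]) != from_dom,
        "reply_to_mismatch": bool(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_dom,
        "received_hops": len(msg.get_all("Received", [])),
        "links": [], "attachments": [], "risky_attachments": [],
    }
    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # attachment analysis: judge by the final suffix (catches invoice.pdf.exe)
            findings["attachments"].append(fname)
            if fname.rsplit(".", 1)[-1].lower() in RISKY_EXT:
                findings["risky_attachments"].append(fname)
        elif part.get_content_type() == "text/plain":  # body and link analysis
            findings["links"].extend(URL_RE.findall(part.get_content()))
    return findings
```

Each key in the returned dict corresponds to one of the sub-areas the paragraph names, so a team can see which checks fire on a given message and which skills they exercise.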
Pitfalls to Avoid
Don’t try to boil the D3FEND ocean. Some organizations embrace the all-or-nothing approach to cybersecurity, and unfortunately many pay the price for doing so. In the case of D3FEND — and its vast framework of measures and components — the average organization should not try to implement everything it contains. In fact, most enterprises only need to embrace a fraction of D3FEND to improve their security posture.
Failing to focus on the top threats facing the organization. To achieve cyber readiness, every organization needs to identify the top threats facing it and to determine the essential skills needed for protection.
The key is to be strategic — focus on the most relevant type of attacks, attacker profiles, and their tools and tactics. The next step is to assess the organization’s skills and tools for defending this narrower band of attacks/attackers, and to improve them where necessary.
This is where D3FEND can help by giving organizations the information to align specific skills and tools to quash specific threats.
Improving Defensive Readiness with D3FEND
Choose the right D3FEND capabilities. Given the complexity and depth of D3FEND, it is wise to take baby steps in the beginning, by acquiring those skills and products vital to protecting the organization from the top threats it faces daily.
Develop training paths for individuals and teams based on their current skill set. The basic building block is individual, hands-on training that lets people work at their own pace and build the muscle memory vital to learning. This approach allows them to hone their skills by following pre-built or prescribed learning paths.
Ideally, skills development should be flexible enough to allow the program leader to tailor it to meet the security needs of the organization as well as the team needs of other security staff.
Validate that skills have been acquired using team threat exercises. The validation of skills is absolutely crucial to the success of cyber readiness training. The process should encompass routine assessments of an individual’s skills using team-based exercises conducted in realistic settings.
To be authentic and effective, the process must take into account that people have different talents: some are faster than others in certain situations, some make better decisions, some are better defenders and others are better attackers.
The MITRE D3FEND framework is an excellent tool for enhancing cyber defense readiness. But it is only as effective as the planning that goes into aligning it with the top threats facing the organization. This includes tailoring content to the current skills and desired achievement levels of both individual analysts and the security team as a whole.