Cisco Blogs / Security /
Everyone in the security community is familiar with the ATT&CK framework developed by MITRE. ATT&CK, which stands for Adversary, Tactics, Techniques, and Common Knowledge, is a comprehensive knowledge base of adversary behaviors used by threat actors across the threat lifecycle. While ATT&CK takes on the perspective of the adversary, there was no documented set of defensive countermeasures, until now.
In this blog post, I talk to Pete Kaloroumakis from MITRE, who has developed the D3FEND framework.
Pete Kaloroumakis: I started with technology when I enlisted in the United States Air Force. After that I joined Northrop Grumman as a network engineer working on large-scale computer network emulation. I got into and fell in love with research and development. I could write for hours about that process, but the net result was that I started to build things. The first was a commercial cybersecurity company which did malware detection on high-speed networks. I worked on that for six years. Then I came to MITRE where my biggest focus has been building the MITRE D3FEND knowledge graph.
Pete Kaloroumakis: We work on diverse problems at MITRE, and we do a lot of modeling. You often need abstractions to support modeling initiatives so that you may effectively generalize about a domain and ultimately make recommendations or predictions. We came across a problem which required a detailed technical abstraction to describe the technology used by cyber defenders. After some research, we were surprised to find that nothing available came close to meeting our needs regarding both abstraction and technical detail. So, we proposed a research project to build what became D3FEND.
Pete Kaloroumakis: We have been working on D3FEND since the summer of 2018, so a little over three years.
Pete Kaloroumakis: D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
Pete Kaloroumakis: This may be surprising, but you happened to pick a technique which is not yet modeled in D3FEND’s ontology, although we have modeled hundreds of others. This is a good opportunity to explain the way we would model this, and ultimately map it countermeasures.
In D3FEND, we do not directly map an offensive technique (ATT&CK) to a defensive technique (D3FEND). We model what each technique is doing in terms of what “digital artifacts” they interact with. This produces a graph structure. We have more than 400 of these digital artifacts defined. These are all the essential concepts in computer engineering, and their relationships between one another. In this case, we would specify that active scanning (T1595) produces inbound internet network traffic. This would then map in, or as we say, “relate” any countermeasures which interacts with inbound internet network traffic.
The reasoning logic which produces these relationship processes considers the taxonomical properties of both techniques and digital artifact specifications. This method allows us to generalize effectively and move beyond simplistic one-to-one hard-coded mappings.
Pete Kaloroumakis: This is a great question. D3FEND been public for seven months and we still have the beta tag on the release. Straightforward use-cases can use D3FEND as is, but for advanced use-cases we needed to level-set where we are so we could make necessary changes in the ontology. Because D3FEND uses an ontology, we predicted that some organizations would start extending the ontology to build custom applications on top of it. Our predictions came true, and a lot of those folks have reached out to us to provide feedback. So, the fact it was labeled as a beta indicated to the software developer types to reach out and engage with us to mature it.
Additionally, D3FEND was built from the bottom-up by design. As you can see on the website, the detection section is a lot bigger than the others. We initially focused on detection since that was our background, and we want to fill out more of the matrix this year. We have received great feedback on the model/ontology from the community and we are looking to release a stable version this year. At that point we will drop the beta tag from the release.
Pete Kaloroumakis: D3FEND does reference a lot of patents, but it also references other sources including external knowledgebases, technical specification standards, and even source code on GitHub. When we develop a D3FEND technique, we must point to some technical document which sufficiently details what the technology is doing. If there are no public technical references to use as evidence, we can’t include it.
Pete Kaloroumakis: We chose a very broad definition to accommodate future modeling initiatives. We currently draw the line on the requirement to describe functionality and relate it digital artifacts. For example, many organizations invest in employee cybersecurity awareness training programs. Training programs do not directly interact with digital artifacts; therefore, they are not in scope.
Pete Kaloroumakis: We have initially described the audience as security architects. These are the folks who are responsible for selecting and sometimes deploying these technologies. They know how these cybersecurity tools work, and they often know their strengths and weaknesses. However, since we launched D3FEND last June, we also have seen other audiences begin to use it, particularly systems engineers or systems security engineers. They typically have advanced use-cases where they leverage the ontology we have built. This is an area we are looking to grow. We have a variety of early-stage initiatives in this space that I am excited about.
Pete Kaloroumakis: Since the release, we have received contributions from both practitioners and vendors. We have an email address and slack channel where we accept contributions and recommendations.
Pete Kaloroumakis: We have seen some vendors start to make claims about their capabilities using D3FEND. This is starting to happen organically, and we encourage vendors to lean forward on this. D3FEND offers the vendors a great opportunity to explain what their products do in a new, clear way. One of the challenges in the industry is that it is very hard to articulate what set of functions a product performs. When this happens, it’s a lose-lose proposition: vendors can’t differentiate their capabilities, and customer have trouble discovering solutions to consider when they are making a purchase. I think when vendors start to articulate what the products are doing in a standard way, it enables them to highlight differentiation on other dimensions like performance and effectiveness.
Pete Kaloroumakis: D3FEND is part of a suite of tools and frameworks MITRE is developing for both private and public organizations. Our goal is to improve cybersecurity for everyone and we welcome partnership with industry. You can learn more about the work MITRE is doing in cybersecurity on our website.
Thank you Ajit, and likewise!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
We’d love to hear from you! Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed and HTML formatting will not appear.
I am from the United States. With this medium, I would like to especially thank this great company that has enabled me to improve my business. I was stuck in the financial crisis and had to refinance my business, tried to get loans from various lenders both private and corporate but never with success and most banks refused me a loan until I got to know the company wintrust that had provided me with the loan amount (10,000 $) no stress, contact_____ (wintrustfinancialcompany) @gmail com,,..
Cisco Blogs / Security /