This paper was developed during the middle of yet another cybersecurity crisis, in which the cybersecurity industry simultaneously combatted the impact of the Apache Log4j vulnerability and an Amazon Web Services (AWS) outage. While the latter was temporary, the former sent defenders, security professionals, and developers scrambling to patch vulnerable systems and prevent attacks on, and access to, their networks.
Adversaries have embraced a new vector for gaining a foothold into a targeted organization, further adding to a long list of capabilities that they have at their disposal. Unfortunately, defenders have had to document and plan for nearly any technique adversaries could use against them, all while trying to keep their organizations’ networks secure. Luckily, during the past few years, the cybersecurity industry has witnessed the emergence of multiple frameworks that assist with this process, providing defenders with excellent resources for combatting cyber threats.
In this whitepaper, we look at two complementary frameworks that defenders should be utilizing: MITRE ATT&CK® and MITRE D3FEND™. Aptly named, these frameworks describe adversary techniques and defense countermeasures, respectively. ATT&CK is no stranger to most enterprise security practitioners: Since its introduction, multiple security controls and vendors have aligned their products and detections to ATT&CK. However, we have seen little representation of D3FEND—something we aim to change with this whitepaper.
This whitepaper covers the following topics:
- An understanding of the ATT&CK and D3FEND frameworks
- The strengths of each framework as it pertains to enterprise security
- How the frameworks can be utilized to help strengthen incident analysis and response
- How to incorporate both frameworks into your threat intelligence capabilities
If this is your first time exploring these frameworks, we encourage you to consider the following questions:
- Do these frameworks already exist within our tooling and/or threat intelligence capabilities?
- Many organizations utilize ATT&CK to explain adversary actions—have we looked at D3FEND to implement countermeasures?
- What can D3FEND tell us about the countermeasures we currently have in our organization versus what we should have?
To read the full whitepaper, download:
SANS 2022 ATT&CK® and D3FEND™ Report: Incorporating Frameworks into Your Analysis and Intelligence