“In a fight, your doubt is a target of enemy’s attack.”
― Toba Beta
This is an exciting moment for those of us from different backgrounds, whether in the public or private sector, at system integrators, or at security product and service providers: it is the first time a non-profit organization has promoted a common framework, covering both attack and defense, for all of us.
ATT&CK stands for “MITRE Adversarial Tactics, Techniques, and Common Knowledge.” The framework is a curated knowledge base and model of adversary behaviour. It organizes techniques by the phases of the attack lifecycle (tactics) and records the OS platforms each technique is known to target.
ATT&CK Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organizations or individuals can run their own instance of the application as the centerpiece of a customized variant of the ATT&CK knowledge base, attaching other tools and interfaces as desired.
What sets the tool apart is that it is an open-source, API-driven platform for organizing and managing all threat intelligence about attacker TTPs. This significantly reduces the time and effort spent integrating publicly reported behaviour with internal knowledge of attacker TTPs.
According to one of the early adopters of the Workbench, users can easily:
- create a local containerized instance of the ATT&CK knowledge base and keep it updated automatically from the publicly maintained ATT&CK knowledge base;
- create and annotate objects within the ATT&CK knowledge base;
- submit enhancements efficiently to ATT&CK, as well as to other instances of the knowledge base;
- enable information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs) to share their ATT&CK knowledge base enhancements with members.
Moreover, it provides a way for users to share their extensions with the global ATT&CK community; finding others in a similar situation improves the overall security posture and time to respond. Workbench will help both red and blue teams enhance defense mechanisms, threat hunting, and much more.
D3FEND is the initial framework for setting a standard language for blue team capabilities and technologies. D3FEND, as it is called, aims to complement the ATT&CK framework: while ATT&CK standardizes offensive TTPs, D3FEND focuses on cyber defenses.
The National Security Agency funded the new D3FEND framework to define a structure for security artifacts for cybersecurity professionals and researchers. D3FEND is based, in part, on 500 countermeasure patents from the last two decades. Because it is so detailed, the framework can guide architecting, designing, and deploying cyber defenses.
D3FEND also establishes a vocabulary for cybersecurity defensive techniques and makes explicit previously unspecified relationships between defensive and offensive methods. The framework has five broad categories of defensive tactic: harden, detect, isolate, deceive, and evict.
While ATT&CK uses tactics, techniques, and procedures to describe a kill chain, D3FEND describes defensive practices and products in terms of the digital artifacts they act on. Each security product handles several digital artifacts, and each digital artifact is handled by several products. Rather than relying on a vendor's definition of a “Next Generation Firewall,” cybersecurity professionals would know what each product can and cannot do. For example, when a firewall receives a feature update that adds security capabilities, or when a firewall is combined with EDR tools to provide XDR-style contextual information for the customer environment, mapping the products to D3FEND gives an easy view of the additional coverage.
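The artifact-based link between offensive and defensive techniques described above, as an added example that is not code from the original article, MITRE, or the Workbench project. It reads a small STIX-style bundle in the shape ATT&CK publishes (the three technique names and IDs are real ATT&CK entries; the bundle, the artifact links, the defensive technique names, and the product capability sets are all constructed sample data for this illustration, not the real knowledge bases), and then computes which offensive techniques a set of products covers, and what coverage a firewall feature update adds.

```python
"""Toy ATT&CK/D3FEND-style coverage model (added example with constructed data).

Offensive techniques and defensive techniques are linked only through the
digital artifacts they both touch, which is the relationship D3FEND makes
explicit. All data below is sample data for this example, not the real
ATT&CK or D3FEND knowledge base.
"""

# Constructed STIX-style bundle in the shape ATT&CK publishes (only the
# fields used here). The technique names/IDs are real ATT&CK entries; the
# bundle itself is hand-written for this example.
ATTACK_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Execution"},  # not a technique; skipped
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "x_mitre_platforms": ["Windows", "Linux", "macOS"]},
        {"type": "attack-pattern", "name": "Application Layer Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
         "x_mitre_platforms": ["Windows", "Linux", "macOS"]},
        {"type": "attack-pattern", "name": "OS Credential Dumping",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "x_mitre_platforms": ["Windows", "Linux", "macOS"]},
    ],
}

# Constructed artifact links: which digital artifacts each offensive technique
# produces or touches (in D3FEND these relationships are part of the ontology).
OFFENSIVE_ARTIFACTS = {
    "T1059": {"Process"},
    "T1071": {"Network Traffic"},
    "T1003": {"Process", "Credential"},
}

# Constructed D3FEND-style defensive techniques: name -> (category, artifacts analyzed).
DEFENSIVE_TECHNIQUES = {
    "Process Analysis": ("Detect", {"Process"}),
    "Network Traffic Analysis": ("Detect", {"Network Traffic"}),
    "Inbound Traffic Filtering": ("Isolate", {"Network Traffic"}),
    "Credential Hardening": ("Harden", {"Credential"}),
}

# Constructed product capabilities, stated as defensive techniques instead of
# marketing labels. "firewall-v2" is "firewall-v1" after a feature update.
PRODUCTS = {
    "firewall-v1": {"Inbound Traffic Filtering"},
    "firewall-v2": {"Inbound Traffic Filtering", "Network Traffic Analysis"},
    "edr": {"Process Analysis"},
}


def parse_techniques(bundle):
    """Extract {attack_id: {name, tactics, platforms}} from a STIX bundle,
    ignoring every object that is not an attack-pattern."""
    techniques = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        attack_id = next(ref["external_id"] for ref in obj["external_references"]
                         if ref["source_name"] == "mitre-attack")
        techniques[attack_id] = {
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj["kill_chain_phases"]
                        if p["kill_chain_name"] == "mitre-attack"],
            "platforms": obj.get("x_mitre_platforms", []),
        }
    return techniques


def coverage(product_names):
    """Map each offensive technique ID to the (defensive technique, category)
    pairs the given products provide, joined through shared artifacts."""
    techniques = parse_techniques(ATTACK_BUNDLE)
    deployed = set().union(*(PRODUCTS[p] for p in product_names))
    result = {tid: set() for tid in techniques}
    for tid in techniques:
        for d_name in deployed:
            category, d_artifacts = DEFENSIVE_TECHNIQUES[d_name]
            if OFFENSIVE_ARTIFACTS.get(tid, set()) & d_artifacts:
                result[tid].add((d_name, category))
    return result


def gaps(product_names):
    """Offensive technique IDs with no defensive coverage at all."""
    return sorted(tid for tid, defs in coverage(product_names).items() if not defs)


def added_coverage(before, after):
    """Coverage gained when moving from one product set to another, e.g. after
    a firewall feature update."""
    old, new = coverage(before), coverage(after)
    return {tid: new[tid] - old[tid] for tid in new if new[tid] - old[tid]}


if __name__ == "__main__":
    print("gaps with firewall-v1 only:", gaps(["firewall-v1"]))
    print("gaps with firewall-v1 + edr:", gaps(["firewall-v1", "edr"]))
    print("added by firewall update:",
          added_coverage(["firewall-v1", "edr"], ["firewall-v2", "edr"]))
```

The point of joining through artifacts rather than through product names is that a new capability only changes the picture if it touches an artifact some offensive technique also touches; in the sample data the firewall update adds a Detect-category technique for T1071 without changing anything about process-based techniques, which remain the EDR's job.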