MITRE D3FEND assists understanding cyber defensives, as need for protection against cyber threats becomes more essential   

MITRE announced that its D3FEND framework will provide a one-stop destination for understanding defensive cyber techniques. It will showcase the power of collaboration across the public and private sectors in countering malicious cyber activity. The move comes in the wake of the invasion of Ukraine, targeting of U.S. and allied networks by Chinese and Russian hackers, and risks to critical infrastructure. 

MITRE engages across the public and private sectors to take a whole-of-nation approach to cybersecurity, and its playbook considers defense and offense equally important strategies. On the defensive side, the MITRE-developed, National Security Agency (NSA)-funded D3FEND framework offers an open model with standardized vocabulary for employing techniques to counter malicious cyber activity.

MITRE incorporates community input to continually enhance the framework. The collaborative strategy has been a key driver of D3FEND’s success, Denise Schiavone wrote in a MITRE publication. “D3FEND demonstrates the power of collaboration across the cyber community, as NSA seeks input to ‘further refine D3FEND and to promote the adoption of this vocabulary by cybersecurity professionals across government, industry, and academia,’” she added.

“Doing long-term, high-risk research and development requires a special relationship built on trust,” Peter Kaloroumakis, a cybersecurity engineer and MITRE’s lead for D3FEND, said in the publication. “NSA created an R&D environment that set us up for success.”

“D3FEND is a prime example of NSA leaning forward within the cybersecurity community, in partnership with MITRE,” Michelle Griffith, tech lead for NSA’s threat-based cybersecurity team supporting DODCAR (DoD Cybersecurity Analysis and Review), said. “Early adopters have already demonstrated it as a game-changer for security architects, engineers, and assessment teams in driving a more resilient security posture.”

The D3FEND framework was released by MITRE last June and is funded by the agency. The framework aims to improve the cybersecurity of national security systems, the Department of Defense, and the defense industrial base, in addition to adding defensive cybersecurity techniques to the existing ATT&CK framework. Since its release, D3FEND has attracted more than 128,000 global users to d3fend.mitre.org. The capability offers a far-reaching impact on real-world cyber operations.

To advance critical cyber innovations, MITRE draws on its cybersecurity experience. “We also manage the federal R&D center for national cybersecurity and have a rich heritage developing other frameworks, like CALDERA, MITRE Engage, and ATT&CK,” Schiavone said. D3FEND pairs closely with ATT&CK, which describes adversary tactics and techniques, based on real-world observations. D3FEND maps defensive measures that cyber operators can employ to counter those adversary behaviors, she added.

“To successfully fight against threat actors, it’s imperative to ‘know yourself and know your enemy,’” Griffith explains. “Together, D3FEND and ATT&CK enable organizations to understand the environment and implement the best cybersecurity practices.”

MITRE designed D3FEND for compatibility with other cybersecurity and even engineering frameworks. It’s encoded using standards-based technology, making the model extensible to a  wide variety of uses.

Additionally, D3FEND connects multiple stakeholders—from government customers to corporate executives to cybersecurity vendors—and provides a common language to talk about defensive cyber technology. This creates the opportunity to address security problems earlier in a system’s acquisition and development lifecycle when it’s less expensive to introduce changes.  

“The impact of these cyber innovations can’t be overstated,” Keoki Jackson, senior vice president and general manager of MITRE’s national security sector, said. “They’re vital to enabling our national security and U.S. success in the long-term global strategic competition that threatens our economy and industrial base, critical R&D investments, and our democratic institutions.”

Recognizing the “shift of our personal and professional lives even more online has created new vulnerabilities. And malicious cyber actors are going to continue to take advantage of people and networks,” Christopher Wray, director of the Federal Bureau of Investigation, said this week. “That includes cybercriminals holding data for ransom and nation-states like China stealing defense and industrial secrets. And lately, that’s included Russia trying to influence what happens in the ground war they started—by threatening attacks against the West in cyberspace.”

“I think, if we’re going to address cyber security properly, we’ve got to talk about how we’re responding to each of those threats,” Wray added. “We’ve got to hold the line on multiple fronts—all at once—to help people and businesses protect themselves, to support victims, and to inflict costs on criminals. And we can’t let up on China or Iran or criminal syndicates while we’re focused on Russia. So that’s what we’re doing, taking on all these threats and shifting resources quickly to respond,” he added.

The MITRE announcement coincides with Forescout Technologies’ findings this week of details of a new attack approach called Ransomware for IoT or R4IoT, which covers next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT security practices to cause physical disruption to business operations.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.