SANS Publishes 2022 ATT&CK® and D3FEND™ Report
The SANS Institute, the world’s leading provider of cyber security training and certification, has published an analysis of the MITRE ATT&CK® and MITRE D3FEND™ cybersecurity frameworks in its SANS 2022 ATT&CK® and D3FEND™ Report. The report covers the strengths of the two frameworks for corporate security and shows how they can be used to improve incident analysis and response. Finally, it also examines how the two frameworks can be incorporated into a threat analysis.
Matt Bromiley, study author and SANS instructor
While the MITRE ATT&CK framework is well known, the MITRE D3FEND framework is less so. It was developed by MITRE and the National Security Agency (NSA) and is intended to pick up where defenders naturally stop. D3FEND is a collection of countermeasures, likewise organized by security objectives (such as “Harden”, “Detect” or “Isolate”) and then by techniques and sub-techniques. Most of the countermeasures fall into the Detect area, which, however, is not the priority for defenders. Rather, D3FEND is designed as an ideal complement to ATT&CK, allowing defenders to map the knowledge they have gained about an adversary’s technique directly to relevant countermeasures.
The report includes the two case studies:
- Abuse of remote access mechanisms by attackers
- Improper use of the DNS by the opponent
Study author and SANS instructor Matt Bromiley explains: “With the two frameworks, defenders can easily assume an attack technique, such as unauthorized remote access or DNS-C2 communication. Both require deep network inspection to detect them, let alone sufficiently record and analyze them. D3FEND helps the defenders to take effective detection and countermeasures.”
The study was sponsored by Cisco Umbrella, Devo, Extrahop, Siemplify and Uptycs.