As an Amazon Associate I earn from qualifying purchases from

Q&A on the MITRE D3FEND Framework

Everybody within the safety group is conversant in the ATT&CK framework developed by MITRE. ATT&CK, which stands for Adversary, Techniques, Strategies, and Widespread Data, is a complete information base of adversary behaviors utilized by menace actors throughout the menace lifecycle. Whereas ATT&CK takes on the angle of the adversary, there was no documented set of defensive countermeasures, till now. 

On this weblog submit, I speak to Pete Kaloroumakis from MITRE, who has developed the D3FEND framework.


Q: We’ve identified one another for a number of years. Inform us a bit about your background.

Pete Kaloroumakis: I began with expertise once I enlisted in the USA Air Drive. After that I joined Northrop Grumman as a community engineer engaged on large-scale laptop community emulation. I received into and fell in love with analysis and improvement. I might write for hours about that course of, however the web outcome was that I began to construct issues. The primary was a business cybersecurity firm which did malware detection on high-speed networks. I labored on that for six years. Then I got here to MITRE the place my largest focus has been constructing the MITRE D3FEND information graph.

Q: So, MITRE got here up with the ATT&CK framework again in 2013 and each pink groups and blue groups have been utilizing it to categorise assaults and even go as far as to determine the best way to defend towards them. So, how did the concept for D3FEND come alongside?

Pete Kaloroumakis: We work on numerous issues at MITRE, and we do loads of modeling. You usually want abstractions to assist modeling initiatives so that you could be successfully generalize a few area and finally make suggestions or predictions. We got here throughout an issue which required an in depth technical abstraction to explain the expertise utilized by cyber defenders. After some analysis, we have been shocked to seek out that nothing accessible got here near assembly our wants relating to each abstraction and technical element. So, we proposed a analysis challenge to construct what turned D3FEND.

Q: How lengthy have you ever been engaged on D3FEND?

Pete Kaloroumakis: Now we have been engaged on D3FEND for the reason that summer time of 2018, so a bit over three years.

Q: Is D3FEND an acronym?

Pete Kaloroumakis: D3FEND stands for Detection, Denial, and Disruption Framework Empowering Community Protection.

Q: D3FEND goals to map every merchandise within the ATT&CK matrix to particular methods by which the assault could be detected or countered, proper? Take for instance, lively scanning which is the primary merchandise within the reconnaissance column of the ATT&CK matrix. What D3FEND countermeasures does that map to?

Pete Kaloroumakis: This can be shocking, however you occurred to select a method which isn’t but modeled in D3FEND’s ontology, though we’ve modeled a whole lot of others. This can be a good alternative to clarify the way in which we’d mannequin this, and finally map it countermeasures.

In D3FEND, we don’t immediately map an offensive method (ATT&CK) to a defensive method (D3FEND). We mannequin what every method is doing by way of what “digital artifacts” they work together with. This produces a graph construction. Now we have greater than 400 of those digital artifacts outlined. These are all of the important ideas in laptop engineering, and their relationships between each other. On this case, we’d specify that lively scanning (T1595) produces inbound web community site visitors. This may then map in, or as we are saying, “relate” any countermeasures which interacts with inbound web community site visitors.

The reasoning logic which produces these relationship processes considers the taxonomical properties of each strategies and digital artifact specs. This technique permits us to generalize successfully and transfer past simplistic one-to-one hard-coded mappings.

Q: D3FEND is presently in beta (most up-to-date model appears to be 0.10.0-BETA-2). Why so? When do you assume D3FEND will come out of BETA and what must occur for it achieve this?

Pete Kaloroumakis: This can be a nice query. D3FEND been public for seven months and we nonetheless have the beta tag on the discharge. Easy use-cases can use D3FEND as is, however for superior use-cases we wanted to level-set the place we’re so we might make obligatory adjustments within the ontology. As a result of D3FEND makes use of an ontology, we predicted that some organizations would begin extending the ontology to construct customized functions on prime of it. Our predictions got here true, and loads of these of us have reached out to us to offer suggestions. So, the very fact it was labeled as a beta indicated to the software program developer sorts to succeed in out and interact with us to mature it.

Moreover, D3FEND was constructed from the bottom-up by design. As you may see on the web site, the detection part is quite a bit greater than the others. We initially centered on detection since that was our background, and we wish to fill out extra of the matrix this yr. Now we have obtained nice suggestions on the mannequin/ontology from the group and we wish to launch a secure model this yr. At that time we’ll drop the beta tag from the discharge.

Q: D3FEND builds its ontology as we speak primarily from patents and papers. However there’s loads of performance and concepts which can be proprietary or not effectively documented. Will there be a technique to embrace these as effectively?

Pete Kaloroumakis: D3FEND does reference loads of patents, however it additionally references different sources together with exterior knowledgebases, technical specification requirements, and even supply code on GitHub. After we develop a D3FEND method, we should level to some technical doc which sufficiently particulars what the expertise is doing. If there aren’t any public technical references to make use of as proof, we are able to’t embrace it.

Q: A cybersecurity countermeasure is outlined as any course of or expertise developed to negate or offset offensive cyber exercise. There are numerous countermeasures that don’t essentially fall into that class, however when mixed with different strategies, they may negate or offset. The place does one draw the road then?

Pete Kaloroumakis: We selected a really broad definition to accommodate future modeling initiatives. We presently draw the road on the requirement to explain performance and relate it digital artifacts. For instance, many organizations spend money on worker cybersecurity consciousness coaching packages. Coaching packages don’t immediately work together with digital artifacts; due to this fact, they aren’t in scope.

Q: Who’s the target market for the D3FEND framework?

Pete Kaloroumakis: Now we have initially described the viewers as safety architects. These are the oldsters who’re answerable for choosing and typically deploying these applied sciences. They know the way these cybersecurity instruments work, they usually usually know their strengths and weaknesses. Nonetheless, since we launched D3FEND final June, we even have seen different audiences start to make use of it, significantly programs engineers or programs safety engineers. They sometimes have superior use-cases the place they leverage the ontology we’ve constructed. That is an space we wish to develop. Now we have quite a lot of early-stage initiatives on this house that I’m enthusiastic about.

Q: How does a cybersecurity vendor like Cisco contribute to the D3FEND framework?

Pete Kaloroumakis: Because the launch, we’ve obtained contributions from each practitioners and distributors. Now we have an electronic mail tackle and slack channel the place we settle for contributions and suggestions.

Q: Right now, many cybersecurity distributors reference their cyber talents utilizing the ATT&CK framework. Do you see distributors referencing the D3FEND framework as effectively?

Pete Kaloroumakis: Now we have seen some distributors begin to make claims about their capabilities utilizing D3FEND. That is beginning to occur organically, and we encourage distributors to lean ahead on this. D3FEND affords the distributors an important alternative to clarify what their merchandise do in a brand new, clear method. One of many challenges within the trade is that it is vitally arduous to articulate what set of capabilities a product performs. When this occurs, it’s a lose-lose proposition: distributors can’t differentiate their capabilities, and buyer have hassle discovering options to contemplate when they’re making a purchase order. I feel when distributors begin to articulate what the merchandise are doing in an ordinary method, it allows them to spotlight differentiation on different dimensions like efficiency and effectiveness.

Q: It’s been an absolute pleasure speaking to you about D3FEND, Peter. We’re trying ahead to collaborating with you and making this an enormous success. Do you will have any remaining ideas or feedback?

Pete Kaloroumakis: D3FEND is a part of a collection of instruments and frameworks MITRE is creating for each non-public and public organizations. Our aim is to enhance cybersecurity for everybody and we welcome partnership with trade. You possibly can be taught extra concerning the work MITRE is doing in cybersecurity on our web site.

Thanks Ajit, and likewise!


One can be taught extra about D3FEND at D3FEND wants us within the safety trade to evaluation the ontology and contribute in direction of making it extra complete (electronic mail to take part).

We’d love to listen to what you assume. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safe on social!

Cisco Safe Social Channels



We will be happy to hear your thoughts

Leave a reply

Enable registration in settings - general
Compare items
  • Total (0)
Shopping cart