Everyone in the security community knows the ATT&CK framework produced by MITRE. ATT&CK, which means Adversary, Tactics, Techniques, and Common Knowledge, is really a comprehensive knowledge base of adversary behaviors utilized by threat actors over the threat lifecycle. While ATT&CK assumes the perspective of the adversary, there is no documented group of defensive countermeasures, as yet.  In this website post, I speak to Pete Kaloroumakis from MITRE, who is rolling out the D3FEND framework.

Q: We’ve known one another for several years. Reveal a little about your background.

Pete Kaloroumakis: I began with technology when I enlisted in the usa Air Force. From then on I became a member of Northrop Grumman as a network engineer focusing on large-scale computer network emulation. I acquired into and fell deeply in love with development and research. I could write all night about that process, however the net result has been that I began to build things. The initial had been a commercial cybersecurity company which do malware detection on high-speed networks. I done that for six years. I QUICKLY found MITRE where my biggest focus provides already been building the MITRE D3FEND knowledge graph.

Q: So, MITRE developed the ATT&CK framework back 2013 and both red teams and blue teams have already been deploying it to classify attacks and also go as far as to figure out how exactly to reduce the chances of them. So, how do the essential idea for D3FEND arrive?

Pete Kaloroumakis: We focus on diverse problems at MITRE, and we execute a complete large amount of modeling. You often need abstractions to aid modeling initiatives so you may effectively generalize in regards to a domain and ultimately create recommendations or predictions. We found a nagging problem which required an in depth technical abstraction to spell it out the technology utilized by cyber defenders. After some extensive research, we were amazed to get that nothing available arrived near meeting our needs concerning both abstraction and technical detail. So, we proposed a extensive research project to build what became D3FEND.

Q: Just how long have you already been focusing on D3FEND?

Pete Kaloroumakis: We’ve been functioning on D3FEND because the summer of 2018, so just a little over three years.

Q: Is usually D3FEND an acronym?

Pete Kaloroumakis: D3FEND means Detection, Denial, and Disruption Framework Empowering Network Defense.

Q: D3FEND aims to map each item in the ATT&CK matrix to specific ways where the attack could be countered or detected, right? Take for instance, active scanning that is the initial item in the reconnaissance column of the ATT&CK matrix. What D3FEND countermeasures will that map to?

Pete Kaloroumakis: This can be surprising, nevertheless, you happened to pick a method that is not modeled in D3FEND’s ontology however, although we’ve modeled a huge selection of others. This can be a good possibility to explain the true way we’d model this, and map it countermeasures ultimately.

In D3FEND, we usually do not directly map an offensive technique (ATT&CK) to the defensive technique (D3FEND). We design what each technique does with regards to what “ digital artifacts ” they connect to. This generates a graph structure. We’ve more than 400 of the digital artifacts defined. They are all of the essential concepts in computer engineering, and their relationships between each other. In this case, we’d specify that active scanning (T1595) creates inbound internet network traffic . This might map in then, or as we state, “relate” any countermeasures which interacts with inbound internet network traffic.

The reasoning logic which produces these relationship processes considers the taxonomical properties of both techniques and digital artifact specifications. This technique we can generalize and move beyond simplistic one-to-one hard-coded mappings effectively.

Q: D3FEND happens to be in beta (latest version appears to be 0.10.0-BETA-2). Why therefore? When do you consider D3FEND shall emerge from BETA and what must happen for it achieve this?

Pete Kaloroumakis: It is a great question. D3FEND been general public for seven months and we’ve the beta tag about the release still. Straightforward use-cases may use D3FEND as is, but also for sophisticated use-cases we had a need to level-set where we have been so we could create necessary changes in the ontology. Because D3FEND utilizes an ontology, we predicted that some organizations would begin extending the ontology to create custom applications along with it. Our predictions emerged true, and a whole lot of those people have reached out to us to supply feedback. Therefore, the fact it had been called a beta pointed out to the program developer types to attain out and build relationships us to mature it.

In addition, D3FEND was built from the bottom-up simply by design. As possible plainly see on the site, the detection section will be a lot bigger than others. We centered on detection since that has been our background initially, this year and you want to fill out even more of the matrix. We have received excellent feedback on the design/ontology from the city and we are seeking to to push out a stable version this season. At that true point we shall drop the beta tag from the release.

Q: D3FEND builds its ontology nowadays primarily from patents and papers. But there exists a complete large amount of functionality and ideas which are proprietary or not really well documented. Will there be a genuine solution to include those aswell?

Pete Kaloroumakis: D3FEND does reference plenty of patents, nonetheless it references other sources which includes external knowledgebases furthermore, technical specification standards, and also source code on GitHub. Whenever we create a D3FEND technique, we should point to quite a few technical document which details what the technology does sufficiently. If you can find no general public technical references to utilize as evidence, it can’t end up being included by us.

Q: A cybersecurity countermeasure means any procedure or technology created to negate or offset offensive cyber action. There are several countermeasures that don’t belong to that category necessarily, but when coupled with other techniques, they might negate or offset. Where does one then pull the line?

Pete Kaloroumakis: We opt for extremely broad definition to support future modeling initiatives. We currently attract the relative line on the necessity to explain functionality and relate it digital artifacts. For instance, many organizations spend money on employee cybersecurity awareness teaching programs. Training programs usually do not connect to digital artifacts; therefore, they’re not in scope.

Q: Who’s the mark audience for the D3FEND framework?

Pete Kaloroumakis: We’ve initially referred to the audience as protection architects. They are the folks that are in charge of selecting and deploying these technologies sometimes. They understand how these cybersecurity tools function, plus they know their strengths and weaknesses often. However, june since we released D3FEND last, we’ve seen other audiences commence to use it also, systems engineers or systems protection engineers particularly. They typically have superior use-cases where they leverage the ontology we’ve built. That is an certain area we have been looking to grow. An assortment is had by us of early-stage initiatives in this space that I’m excited about.

Q: So how exactly does a cybersecurity vendor like Cisco donate to the D3FEND framework?

Pete Kaloroumakis: Because the release, we’ve received contributions from both vendors and practitioners. We’ve an email and slack channel where we acknowledge contributions and recommendations.

Q: Today, several cybersecurity vendors reference their cyber abilities utilizing the ATT&CK framework. Can you notice vendors referencing the D3FEND framework aswell?

Pete Kaloroumakis: We’ve seen some vendors begin to make a claim about their abilities using D3FEND. That is needs to happen organically, and we encourage vendors to lean with this forward. D3FEND supplies the vendors a excellent opportunity to clarify what their products perform in a fresh, clear way. Among the challenges in the market is that it’s very difficult to articulate what group of functions something performs. At these times, it’s a lose-shed proposition: vendors can’t differentiate their features, and customer possess trouble discovering answers to consider whenever a purchase is being created by them. I believe when vendors begin to articulate what the merchandise are carrying out in a typical way, it enables them to highlight differentiation on additional dimensions like usefulness and performance.

Q: It’s been a complete pleasure speaking with you about D3FEND, Peter. We have been seeking to collaborating with you and causeing this to be an enormous success forward. Are you experiencing any final comments or thoughts?

Pete Kaloroumakis:  D3FEND is section of a suite of equipment and frameworks MITRE will be developing for both personal and open public organizations. Our goal would be to improve cybersecurity for everybody and we welcome partnership with industry. It is possible to learn even more about the task MITRE does in cybersecurity on our site .

Thank you Ajit, basically!

You can find out more about D3FEND at https://d3fend.mitre.org . D3FEND requirements us in the safety industry to examine the ontology and contribute towards rendering it even more comprehensive (email d3fend@mitre.org to participate ).

We’d want to hear everything you think. Ask a relevant question, Comment Below, and Remain Linked to Cisco Secure on social!

Cisco Protected Social Channels

Instagram
Facebook
Twitter
LinkedIn