Everyone in the security community is familiar with the ATT&CK framework developed by MITRE. ATT&CK, which stands for Adversary, Tactics, Techniques, and Common Knowledge, is a comprehensive knowledge base of adversary behaviors used by threat actors across the threat lifecycle. While ATT&CK takes on the perspective of the adversary, there was no documented set of defensive countermeasures, until now.
In this blog post, I talk to Pete Kaloroumakis from MITRE, who has developed the D3FEND framework.
Q: We’ve known each other for several years. Tell us a bit about your background.
Pete Kaloroumakis: I started with technology when I enlisted in the United States Air Force. After that I joined Northrop Grumman as a network engineer working on large-scale computer network emulation. I got into and fell in love with research and development. I could write for hours about that process, but the net result was that I started to build things. The first was a commercial cybersecurity company which did malware detection on high-speed networks. I worked on that for six years. Then I came to MITRE where my biggest focus has been building the MITRE D3FEND knowledge graph.
Q: So, MITRE came up with the ATT&CK framework back in 2013 and both red teams and blue teams have been using it to classify attacks and even go so far as to figure out how to defend against them. So, how did the idea for D3FEND come along?
Pete Kaloroumakis: We work on diverse problems at MITRE, and we do a lot of modeling. You often need abstractions to support modeling initiatives so that you may effectively generalize about a domain and ultimately make recommendations or predictions. We came across a problem which required a detailed technical abstraction to describe the technology used by cyber defenders. After some research, we were surprised to find that nothing available came close to meeting our needs regarding both abstraction and technical detail. So, we proposed a research project to build what became D3FEND.
Q: How long have you been working on D3FEND?
Pete Kaloroumakis: We have been working on D3FEND since the summer of 2018, so a little over three years.
Q: Is D3FEND an acronym?
Pete Kaloroumakis: D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
Q: D3FEND aims to map each item in the ATT&CK matrix to specific ways by which the attack can be detected or countered, right? Take for example, active scanning which is the first item in the reconnaissance column of the ATT&CK matrix. What D3FEND countermeasures does that map to?
Pete Kaloroumakis: This may be surprising, but you happened to pick a technique which is not yet modeled in D3FEND’s ontology, although we have modeled hundreds of others. This is a good opportunity to explain the way we would model this, and ultimately map it countermeasures.
In D3FEND, we do not directly map an offensive technique (ATT&CK) to a defensive technique (D3FEND). We model what each technique is doing in terms of what “digital artifacts” they interact with. This produces a graph structure. We have more than 400 of these digital artifacts defined. These are all the essential concepts in computer engineering, and their relationships between one another. In this case, we would specify that active scanning (T1595) produces inbound internet network traffic. This would then map in, or as we say, “relate” any countermeasures which interacts with inbound internet network traffic.
The reasoning logic which produces these relationship processes considers the taxonomical properties of both techniques and digital artifact specifications. This method allows us to generalize effectively and move beyond simplistic one-to-one hard-coded mappings.
Q: D3FEND is currently in beta (most recent version seems to be 0.10.0-BETA-2). Why so? When do you think D3FEND will come out of BETA and what needs to happen for it do so?
Pete Kaloroumakis: This is a great question. D3FEND been public for seven months and we still have the beta tag on the release. Straightforward use-cases can use D3FEND as is, but for advanced use-cases we needed to level-set where we are so we could make necessary changes in the ontology. Because D3FEND uses an ontology, we predicted that some organizations would start extending the ontology to build custom applications on top of it. Our predictions came true, and a lot of those folks have reached out to us to provide feedback. So, the fact it was labeled as a beta indicated to the software developer types to reach out and engage with us to mature it.
Additionally, D3FEND was built from the bottom-up by design. As you can see on the website, the detection section is a lot bigger than the others. We initially focused on detection since that was our background, and we want to fill out more of the matrix this year. We have received great feedback on the model/ontology from the community and we are looking to release a stable version this year. At that point we will drop the beta tag from the release.
Q: D3FEND builds its ontology today primarily from patents and papers. But there is a lot of functionality and ideas that are proprietary or not well documented. Will there be a way to include those as well?
Pete Kaloroumakis: D3FEND does reference a lot of patents, but it also references other sources including external knowledgebases, technical specification standards, and even source code on GitHub. When we develop a D3FEND technique, we must point to some technical document which sufficiently details what the technology is doing. If there are no public technical references to use as evidence, we can’t include it.
Q: A cybersecurity countermeasure is defined as any process or technology developed to negate or offset offensive cyber activity. There are many countermeasures that don’t necessarily fall into that category, but when combined with other techniques, they could negate or offset. Where does one draw the line then?
Pete Kaloroumakis: We chose a very broad definition to accommodate future modeling initiatives. We currently draw the line on the requirement to describe functionality and relate it digital artifacts. For example, many organizations invest in employee cybersecurity awareness training programs. Training programs do not directly interact with digital artifacts; therefore, they are not in scope.
Q: Who is the target audience for the D3FEND framework?
Pete Kaloroumakis: We have initially described the audience as security architects. These are the folks who are responsible for selecting and sometimes deploying these technologies. They know how these cybersecurity tools work, and they often know their strengths and weaknesses. However, since we launched D3FEND last June, we also have seen other audiences begin to use it, particularly systems engineers or systems security engineers. They typically have advanced use-cases where they leverage the ontology we have built. This is an area we are looking to grow. We have a variety of early-stage initiatives in this space that I am excited about.
Q: How does a cybersecurity vendor like Cisco contribute to the D3FEND framework?
Pete Kaloroumakis: Since the release, we have received contributions from both practitioners and vendors. We have an email address and slack channel where we accept contributions and recommendations.
Q: Today, many cybersecurity vendors reference their cyber abilities using the ATT&CK framework. Do you see vendors referencing the D3FEND framework as well?
Pete Kaloroumakis: We have seen some vendors start to make claims about their capabilities using D3FEND. This is starting to happen organically, and we encourage vendors to lean forward on this. D3FEND offers the vendors a great opportunity to explain what their products do in a new, clear way. One of the challenges in the industry is that it is very hard to articulate what set of functions a product performs. When this happens, it’s a lose-lose proposition: vendors can’t differentiate their capabilities, and customer have trouble discovering solutions to consider when they are making a purchase. I think when vendors start to articulate what the products are doing in a standard way, it enables them to highlight differentiation on other dimensions like performance and effectiveness.
Q: It’s been an absolute pleasure talking to you about D3FEND, Peter. We are looking forward to collaborating with you and making this a huge success. Do you have any final thoughts or comments?
Pete Kaloroumakis: D3FEND is part of a suite of tools and frameworks MITRE is developing for both private and public organizations. Our goal is to improve cybersecurity for everyone and we welcome partnership with industry. You can learn more about the work MITRE is doing in cybersecurity on our website.
Thank you Ajit, and likewise!
One can learn more about D3FEND at https://d3fend.mitre.org. D3FEND needs us in the security industry to review the ontology and contribute towards making it more comprehensive (email d3fend@mitre.org to participate).
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
CONNECT WITH US