
MITRE D3FEND: Learn MITRE D3FEND Framework & Techniques

Rohan Chitradurga
Director of Product Management
July 13, 2021

MITRE ATT&CK has proven to be a valuable tool for security teams to talk about the near-infinite number of actions an attacker can take by categorizing those actions into tactics and techniques. ATT&CK provides a powerful language to talk about attacks, but it lacks clear guidance for how to counter attacker actions and data exfiltration techniques.

MITRE D3FEND closes the loop by defining the countermeasures necessary to address the techniques defined in ATT&CK. Created by NSA and MITRE, D3FEND provides a framework for identifying the strengths and weaknesses of security teams as they relate to their tools and processes.

We at Vectra applaud the efforts of the NSA and MITRE in framing these countermeasures. We have watched security teams struggle to evaluate their capabilities and tools against ATT&CK, often with limited success. Our own best efforts to map against ATT&CK have seemed imprecise at times, and we’ve watched claims from other vendors in amusement, wondering how any security team could decipher actual coverage. D3FEND takes the opposite approach by laying out the set of capabilities that should be in place to provide the best possible coverage for modern attacks.

We are also proud to be the company with the most patents referenced in D3FEND (and the only network detection and response company with any). This is the result of an obsessive focus over many years to push the limits in using AI to detect a broad set of fundamental attacker behaviors, which is precisely what D3FEND encapsulates.

Maybe more important than the patents themselves is the culture of innovation that they represent. Our work is not done. Attackers never stand still. Vectra will continue to push the limits of AI for threat detection—both in networks and in the cloud—for years to come. Our R&D investment will more than double in 2021, powered by recent funding led by Blackstone.

We are excited about the impact of D3FEND on the security industry and look forward to also contributing to countermeasures in the cloud, based on our ongoing research into Office 365, Azure AD, and public cloud control planes.

List of techniques referencing Vectra patents:

| D3FEND Technique | Patent Reference Link | Filed Date |
|---|---|---|
| Administrative Network Activity Analysis | https://patents.google.com/patent/US20180077186A1 | 09/12/2016 |
| Client-server Payload Profiling | https://patents.google.com/patent/EP3293937A1/en?oq=EP-3293937-Al | 09/12/2016 |
| Connection Attempt Analysis | https://patents.google.com/patent/US20150264070A1 | 03/11/2014 |
| DNS Traffic Analysis | https://patents.google.com/patent/US20150264070A1 | 03/11/2014 |
| Network Traffic Community Deviation | https://patents.google.com/patent/US20160191560A1 | 11/03/2014 |
| Per Host Download-Upload Ratio Analysis | https://patents.google.com/patent/US20160191563A1 | 11/03/2014 |
| Protocol Metadata Anomaly Detection | https://patents.google.com/patent/US20160149936A1 | 11/18/2014 |
| Protocol Metadata Anomaly Detection | https://patents.google.com/patent/US20160191551A1 | 11/18/2014 |
| Protocol Metadata Anomaly Detection | https://patents.google.com/patent/US20160191560A1 | 11/03/2014 |
| Relay Pattern Analysis | https://patents.google.com/patent/US20150264083A1 | 03/11/2014 |
| Remote Terminal Session Detection | https://patents.google.com/patent/US9407647B2/en?oq=US-9407647-B2 | 03/11/2014 |
| User Data Transfer Analysis | https://patents.google.com/patent/US20160191559A1 | 11/03/2014 |

A few countermeasures are directly attributed to Vectra’s patents alone:

[Figure: MITRE D3FEND countermeasures and description]

We are committed to making the world a safer and fairer place. As such we look forward to continuing to contribute our unique innovations [and patents] to the D3FEND matrix as it matures and expands to cover additional countermeasures.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
