In depth
D3FEND organises defensive techniques into five tactic-equivalent groupings: Harden (reduce attack surface before the attack), Detect (recognise an attack in progress), Isolate (limit attacker movement), Deceive (mislead the attacker), and Evict (remove the attacker). Underneath each tactic are concrete techniques such as Application Hardening, Outbound Traffic Filtering, Authentication Cache Invalidation, Domain Trust Policy, and File Hashing. Each technique has a formal definition, a digital-artefact ontology (what objects are involved), and, crucially, a set of relationships, expressed through those digital artefacts, to the ATT&CK techniques that the defensive measure counters.
The killer feature is the ATT&CK-to-D3FEND mapping. For any ATT&CK technique an organisation cares about (T1003 OS Credential Dumping, T1078 Valid Accounts, T1486 Data Encrypted for Impact), D3FEND surfaces the concrete defensive techniques that have been documented as effective countermeasures, along with the digital artefacts the countermeasure operates on. The output is a defendable architecture diagram rather than a list of products: a Blue Team can identify the digital-artefact gaps in their telemetry (no process-tree visibility, no DNS-query logging, no Kerberos-event collection) and prioritise capability investment accordingly.
D3FEND is most effective when used together with ATT&CK Navigator and the organisation's actual telemetry inventory — the trio answers "which adversary techniques are we exposed to, what defensive techniques counter them, and what telemetry do we have to support those defences." See detection engineering and red team services.
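The gap analysis described in the two paragraphs above (ATT&CK techniques of concern, the D3FEND countermeasures mapped to them, and the telemetry inventory that does or does not support those countermeasures), as an added worked example that is not part of the original page. The ATT&CK-to-D3FEND mapping and the artefact lists below are constructed for illustration from the names used in the text; they are stand-ins for D3FEND's published mapping data, not copies of it.

```python
from collections import Counter

# Constructed, illustrative mapping (not D3FEND's published data):
# ATT&CK technique -> D3FEND countermeasures documented against it.
ATTACK_TO_D3FEND = {
    "T1003": ["Authentication Cache Invalidation", "Process Spawn Analysis"],
    "T1078": ["Domain Trust Policy", "Authentication Event Thresholding"],
    "T1486": ["File Hashing", "Outbound Traffic Filtering"],
}

# Digital artefacts each countermeasure needs visibility of (also constructed).
D3FEND_ARTEFACTS = {
    "Authentication Cache Invalidation": {"kerberos-event", "auth-session"},
    "Process Spawn Analysis": {"process-tree"},
    "Domain Trust Policy": {"domain-trust-config"},
    "Authentication Event Thresholding": {"kerberos-event", "logon-event"},
    "File Hashing": {"file-write-event"},
    "Outbound Traffic Filtering": {"netflow", "dns-query"},
}


def assess(techniques_of_concern, telemetry):
    """For each ATT&CK technique of concern, split its D3FEND countermeasures
    into those the current telemetry can support and those it cannot."""
    telemetry = set(telemetry)
    report = {}
    for attack_id in techniques_of_concern:
        supported, unsupported = [], []
        for cm in ATTACK_TO_D3FEND.get(attack_id, []):
            missing = D3FEND_ARTEFACTS[cm] - telemetry
            (unsupported if missing else supported).append(cm)
        report[attack_id] = {"supported": supported, "unsupported": unsupported}
    return report


def gap_priorities(techniques_of_concern, telemetry):
    """Rank missing artefacts by how many (ATT&CK technique, countermeasure)
    pairs each one would unblock, so capability investment can be ordered."""
    telemetry = set(telemetry)
    unblocks = Counter()
    for attack_id in techniques_of_concern:
        for cm in ATTACK_TO_D3FEND.get(attack_id, []):
            for artefact in D3FEND_ARTEFACTS[cm] - telemetry:
                unblocks[artefact] += 1
    return unblocks.most_common()


if __name__ == "__main__":
    # Constructed telemetry inventory: what the SIEM currently ingests.
    have = {"logon-event", "file-write-event", "netflow", "auth-session"}
    concern = ["T1003", "T1078", "T1486"]
    for attack_id, result in assess(concern, have).items():
        print(attack_id, result)
    print(gap_priorities(concern, have))
```

With the constructed inventory above, Kerberos-event collection ranks first because it is the one missing artefact that unblocks two countermeasures across two techniques of concern.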