What is D3FEND?

D3FEND is a new schema released by Mitre last month to establish a common language to help cyber defenders share strategies and methods. It is a companion project to the company’s ATT&CK framework.

While complementary, the two projects are very different. ATT&CK is a knowledge base with a framework to classify the tools, techniques and methods that adversaries use to breach networks. D3FEND is a knowledge graph that can parse vendor claims about mitigation and other countermeasures. It combines the languages and techniques of bioinformatics and “establishes terminology of computer network defensive techniques to illuminate previously unspecified relationships between defensive and offensive methods,” says Peter Kaloroumakis, the principal cyber engineer at Mitre and its creator, who has been working on the schema for several years. As mentioned in the press release, “D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats, thereby reducing a system’s potential attack surface.”

Mitre D3FEND structure

D3FEND is composed of three critical pieces:

A knowledge graph that summarizes the defensive methods, taken from an analysis of 20 years of prior cybersecurity filings in the US patent database. The graph contains a vocabulary list of terms along with taxonomies. It covers five general tactics that are used to classify each defensive method: harden, detect, isolate, deceive, and evict. The knowledge graph links to source code examples as illustrations of each technique.

A series of user interfaces to access this data.
The graph can be downloaded in different formats, including OWL2 description logic and RDF representations. While these formats may not be familiar to infosec professionals, they are common languages used in the world of the semantic web and data modeling.

A way to map these defensive measures to ATT&CK’s model.

“Our hope is that D3FEND clarifies the specific functionality a product offers and reduces the amount of time spent analyzing vendor marketing materials,” says Kaloroumakis. Unlike ATT&CK, the D3FEND framework isn’t trying to be prescriptive. “We wanted to establish a common language and vocabulary on defensive methods,” he said. Another difference: ATT&CK uses the STIX and TAXII protocols to automate interactions with supporting security software tools, but D3FEND is mostly a manual effort—so far.

How MITRE D3FEND was created

D3FEND is the first comprehensive examination of this data, but assembling it wasn’t without its difficulties. Using the patent database as original source material for this project was both an inspiration and a frustration. Kaloroumakis got the idea when he had to review patent filings as CTO of Bluvector.io, a security company, before he came to Mitre. “There is an incredible variance in technical specifics across the patent collection,” he says. “With some patents, little is left to your imagination, but others are more generic and harder to figure out.”

He was surprised at the thousands of cybersecurity patent filings he found. “Some vendors have more than a hundred filings,” he said, and noted that he has not cataloged every single cybersecurity patent in the collection. Instead, he has used the collection as a means to an end, to create the taxonomies and knowledge graph for the project.
He also wanted to emphasize that just because a technology or a particular security method is mentioned in a patent filing doesn’t mean that this method actually finds its way into the actual product.

Let’s examine just one of the cataloged methods in the graph, URL analysis. A security analyst would determine if a URL is benign or malicious by analyzing its components, such as the domain name and port number used, along with the context of where this URL comes from, such as an email or a web link. The method links to an original Sophos patent and shows the various ATT&CK techniques it maps to, such as spear phishing and drive-by attacks.

Beginnings of a Mitre D3FEND ecosystem

The Mitre effort was paid for by the NSA and is available to anyone to embrace and extend. Since the announcement of D3FEND, at least one open-source project has already been put together that helps translate methods back and forth with ATT&CK methods using Python scripts and queries. Mitre expects other third-party integrations to happen soon, just as ATT&CK has created its own ecosystem of tool vendors.

D3FEND isn’t the only effort of its kind, but it is trying to be the most comprehensive. “To date, there appears to be no comprehensive public analysis of the cybersecurity patent corpus for the purpose of developing a knowledge graph of cyber countermeasures,” Kaloroumakis says.

NIST has been behind the Cyber Defense Matrix for several years, which is both more abstract and more specific. “Existing cybersecurity knowledgebases do not explain with enough fidelity and structure what these countermeasures do to meet these needs,” says Kaloroumakis. He calls this separating the defensive measures from the mechanics, or how they actually work. The goal is to figure out whether vendors are using different ways to try to solve the same problem, such as verifying a particular (and potentially malicious) code segment.
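The URL analysis method described above, written out as an added example: this is not the Sophos patent's logic or any code from D3FEND, just one way a defender might implement the component-plus-context check over URLs pulled from mail or proxy logs. The sample URLs in the block are constructed, the findings list and the "email" versus "web" context labels are this example's own choices, and the risk rating simply weights the same findings higher when the URL arrived by email.

```python
# Added example, not code from D3FEND, Mitre or the Sophos patent the article cites.
# It breaks a URL into its components (scheme, host, port, path), lists the
# findings a URL-analysis step would raise, and rates the risk using the
# context the URL was seen in. Sample URLs and context labels are constructed.
import ipaddress
from typing import Dict, List, Union
from urllib.parse import urlsplit

# Default ports for the schemes we expect to see in mail and web links.
DEFAULT_PORTS = {"http": 80, "https": 443}


def analyze_url(url: str, context: str) -> Dict[str, Union[str, int, None, List[str]]]:
    """Split a URL into components, collect findings, and rate the risk,
    taking into account where the URL came from ("email" or "web")."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings: List[str] = []

    if parts.scheme not in DEFAULT_PORTS:
        findings.append(f"unexpected scheme {parts.scheme!r}")

    # A raw IP address instead of a domain name sidesteps domain reputation checks.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal host")
    except ValueError:
        pass

    # user@host prefixes make the part a reader sees differ from the real host.
    if parts.username is not None:
        findings.append("userinfo in URL")

    # A port other than the scheme default is worth a second look.
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("invalid port")
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append(f"non-standard port {port} for {parts.scheme}")

    # Punycode labels can impersonate a familiar domain with look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")

    # Context matters: the same findings weigh more on an unsolicited email link.
    if not findings:
        risk = "low"
    elif context == "email":
        risk = "high"
    else:
        risk = "medium"

    return {"scheme": parts.scheme, "host": host, "port": port, "path": parts.path,
            "context": context, "findings": findings, "risk": risk}


if __name__ == "__main__":
    # Constructed sample input: (URL, where it was seen)
    samples = [
        ("https://login.example.com/account", "web"),
        ("http://192.0.2.10:8081/login", "email"),
        ("https://example.com@lookalike.example.net/", "web"),
        ("http://xn--pple-43d.example.com/", "email"),
    ]
    for url, ctx in samples:
        result = analyze_url(url, ctx)
        print(f"{result['risk']:6} {url}  {result['findings']}")
```

The function returns the components alongside the findings so the same record can be written to a case or a SIEM; a real deployment would add domain reputation and age lookups, which this offline example deliberately leaves out.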
He thinks that his project will help IT managers find functional overlap in their current security product portfolios and guide any changes in their investments in a particular functional area, as well as help them make better defensive decisions to protect their cyber infrastructure.
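To make the structure the article describes concrete (five tactics, defensive techniques beneath them, edges to the ATT&CK techniques they map to, and the product-overlap question raised just above), here is an added example of a small in-memory knowledge graph with both directions of the ATT&CK mapping and a portfolio overlap check. It is not Mitre's code and not the D3FEND schema or its OWL2/RDF data: the "X-" defensive technique identifiers, the product names and the portfolio are constructed placeholders, while the ATT&CK IDs are the real ones for the techniques named.

```python
# Added example, not Mitre's code and not the D3FEND schema itself: a toy
# knowledge graph in the shape the article describes. Defensive technique IDs
# prefixed "X-" are placeholders, not real D3FEND identifiers; the ATT&CK IDs
# are the real ones for the techniques named. Products and portfolio are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# The five tactics the article lists as the top of the taxonomy.
TACTICS = ("harden", "detect", "isolate", "deceive", "evict")


@dataclass(frozen=True)
class DefensiveTechnique:
    id: str                   # placeholder ID (constructed)
    name: str
    tactic: str               # one of TACTICS
    counters: FrozenSet[str]  # ATT&CK technique IDs this technique maps to


class KnowledgeGraph:
    """Tactic -> technique -> ATT&CK edges, queryable in both directions."""

    def __init__(self) -> None:
        self._techniques: Dict[str, DefensiveTechnique] = {}
        self._attack_names: Dict[str, str] = {}

    def add_attack(self, attack_id: str, name: str) -> None:
        self._attack_names[attack_id] = name

    def add(self, tech: DefensiveTechnique) -> None:
        # Reject anything outside the five-tactic taxonomy or pointing at an unknown ATT&CK node.
        if tech.tactic not in TACTICS:
            raise ValueError(f"unknown tactic {tech.tactic!r}")
        unknown = tech.counters - set(self._attack_names)
        if unknown:
            raise ValueError(f"unknown ATT&CK ids: {sorted(unknown)}")
        self._techniques[tech.id] = tech

    def by_tactic(self, tactic: str) -> List[str]:
        return sorted(t.name for t in self._techniques.values() if t.tactic == tactic)

    def counters_for(self, attack_id: str) -> List[str]:
        """Offensive -> defensive: defensive techniques that map to an ATT&CK technique."""
        return sorted(t.name for t in self._techniques.values() if attack_id in t.counters)

    def attacks_countered_by(self, tech_id: str) -> List[str]:
        """Defensive -> offensive: ATT&CK technique names a defensive technique maps to."""
        return sorted(self._attack_names[a] for a in self._techniques[tech_id].counters)

    def portfolio_overlap(self, portfolio: Dict[str, Set[str]]) -> Dict[str, List[str]]:
        """Defensive techniques claimed by more than one product in a portfolio,
        i.e. the functional overlap the article says the graph should expose."""
        claims: Dict[str, List[str]] = {}
        for product, tech_ids in portfolio.items():
            for tid in tech_ids:
                claims.setdefault(self._techniques[tid].name, []).append(product)
        return {name: sorted(p) for name, p in claims.items() if len(p) > 1}


def build_sample_graph() -> KnowledgeGraph:
    """Constructed sample data: three defensive techniques under three tactics."""
    g = KnowledgeGraph()
    g.add_attack("T1566.002", "Phishing: Spearphishing Link")
    g.add_attack("T1189", "Drive-by Compromise")
    g.add_attack("T1204.002", "User Execution: Malicious File")
    g.add_attack("T1083", "File and Directory Discovery")
    g.add(DefensiveTechnique("X-URLA", "URL Analysis", "detect", frozenset({"T1566.002", "T1189"})))
    g.add(DefensiveTechnique("X-EXAL", "Executable Allowlisting", "harden", frozenset({"T1204.002"})))
    g.add(DefensiveTechnique("X-DECF", "Decoy File", "deceive", frozenset({"T1083"})))
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("detect techniques:", g.by_tactic("detect"))
    print("T1189 is addressed by:", g.counters_for("T1189"))
    print("X-URLA maps to:", g.attacks_countered_by("X-URLA"))
    # Constructed portfolio: two products and the placeholder techniques each claims.
    portfolio = {"gateway-A": {"X-URLA", "X-EXAL"}, "endpoint-B": {"X-URLA", "X-DECF"}}
    print("overlap:", g.portfolio_overlap(portfolio))
```

The real D3FEND graph ships as OWL2/RDF rather than Python objects, so in practice the same questions would be asked with a SPARQL query or an RDF library over the downloaded file; the shape of the queries (tactic membership, edges in either direction, grouping claims by technique) is what this example is meant to show.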