MITRE’s D3FEND matrix explains the terminology of defensive cybersecurity techniques and how they relate to offensive methods.
Released last month by the nonprofit MITRE Corporation, D3FEND is a blueprint that aims to establish a common language to help cyber defenders share their strategies and methods. It complements MITRE’s ATT&CK framework, but the two projects are quite different: ATT&CK is a knowledge base and framework that classifies the tools, techniques and methods adversaries use to penetrate networks, whereas D3FEND is a knowledge graph that can be used to analyze vendor statements about mitigations and other countermeasures.
As explained by Peter Kaloroumakis, D3FEND’s creator and a principal cyber engineer at MITRE who has worked on the scheme for several years, D3FEND combines the language and techniques of bioinformatics and “establishes a terminology of computer network defense techniques in order to clarify previously unspecified relations between defensive and offensive methods”. As the press release puts it, “D3FEND allows cybersecurity professionals to customize defenses against specific cyber threats, reducing a system’s potential attack surface.”
D3FEND is composed of three essential elements:
– A knowledge graph that summarizes the defensive methods. The graph results from analyzing 20 years of cybersecurity filings in the US patent database. It contains a vocabulary of terms as well as taxonomies, and it covers five general tactics used to categorize each defensive method: harden, detect, isolate, deceive, and evict. The knowledge graph links to source code examples that illustrate each technique.
– A series of user interfaces to access this data. The graph can be downloaded in different formats, including OWL2 semantics and RDF representations. Although these formats may not be familiar to information security professionals, they are common languages used in the world of the semantic web and data modeling.
– A way to map these defensive measures to the ATT&CK model.
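The three elements above (a graph of defensive techniques grouped by tactic, an RDF-style representation, and a mapping to ATT&CK) can be illustrated with a toy knowledge graph. The example below is added here and is not D3FEND’s data or MITRE’s code: every label and the modelling choice of linking defensive and offensive techniques indirectly through a shared digital artifact (a defensive technique `analyzes` an artifact that an offensive technique `produces`) are constructed for the illustration, and the `http://example.invalid/kg#` namespace is a placeholder.

```python
from collections import defaultdict

# Constructed mini knowledge graph as (subject, predicate, object) triples.
# Labels are illustrative only, not D3FEND's real identifiers or data;
# "Message authentication" and the artifact nodes are assumptions made here.
TRIPLES = [
    # tactic --enables--> defensive technique
    ("Detect", "enables", "URL parsing"),
    ("Harden", "enables", "Message authentication"),
    # defensive technique --analyzes/verifies--> digital artifact
    ("URL parsing", "analyzes", "URL"),
    ("Message authentication", "verifies", "Email message"),
    # offensive (ATT&CK-style) technique --produces--> digital artifact
    ("Spear phishing", "produces", "URL"),
    ("Spear phishing", "produces", "Email message"),
    ("Drive-by compromise", "produces", "URL"),
]

# Predicates linking a defensive technique to the artifact it acts on.
DEFENSIVE_PREDICATES = {"analyzes", "verifies"}
# Predicate linking an offensive technique to an artifact it leaves behind.
OFFENSIVE_PREDICATE = "produces"


class TripleStore:
    """Minimal indexed triple store with forward and inverse lookups."""

    def __init__(self, triples):
        self.forward = defaultdict(set)   # (subject, predicate) -> {object}
        self.inverse = defaultdict(set)   # (predicate, object) -> {subject}
        for s, p, o in triples:
            self.forward[(s, p)].add(o)
            self.inverse[(p, o)].add(s)

    def objects(self, subject, predicate):
        return set(self.forward.get((subject, predicate), ()))

    def subjects(self, predicate, obj):
        return set(self.inverse.get((predicate, obj), ()))

    def techniques_for_tactic(self, tactic):
        """Defensive techniques a tactic enables, sorted for stable output."""
        return sorted(self.objects(tactic, "enables"))

    def artifacts_handled_by(self, defensive_technique):
        artifacts = set()
        for predicate in DEFENSIVE_PREDICATES:
            artifacts |= self.objects(defensive_technique, predicate)
        return artifacts

    def inferred_counters(self, defensive_technique):
        """Offensive techniques a defensive technique counters, inferred by a
        two-hop walk: technique -> artifact <- offensive technique."""
        countered = set()
        for artifact in self.artifacts_handled_by(defensive_technique):
            countered |= self.subjects(OFFENSIVE_PREDICATE, artifact)
        return countered

    def countermeasures_for(self, offensive_technique):
        """Inverse query: defensive techniques acting on any artifact the
        offensive technique produces (the ATT&CK -> D3FEND direction)."""
        defenses = set()
        for artifact in self.objects(offensive_technique, OFFENSIVE_PREDICATE):
            for predicate in DEFENSIVE_PREDICATES:
                defenses |= self.subjects(predicate, artifact)
        return defenses

    def to_ntriples(self):
        """Serialize as N-Triples-style lines under a placeholder namespace."""
        ns = "http://example.invalid/kg#"

        def iri(label):
            return f"<{ns}{label.replace(' ', '_')}>"

        lines = []
        for (s, p), objs in sorted(self.forward.items()):
            for o in sorted(objs):
                lines.append(f"{iri(s)} {iri(p)} {iri(o)} .")
        return lines


STORE = TripleStore(TRIPLES)

if __name__ == "__main__":
    print("Detect enables:", STORE.techniques_for_tactic("Detect"))
    print("URL parsing counters:", sorted(STORE.inferred_counters("URL parsing")))
    print("Spear phishing countered by:",
          sorted(STORE.countermeasures_for("Spear phishing")))
    print("\n".join(STORE.to_ntriples()))
```

The point of the two-hop queries is that a countermeasure relationship need not be stored explicitly: once both sides of the graph are expressed in terms of the artifacts they touch, the mapping between defensive and offensive techniques falls out of the graph structure, and adding a new technique on either side only requires stating which artifacts it handles or produces.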
“Our hope is that D3FEND will clarify the specific features offered by a product and reduce the time spent analyzing vendor marketing materials,” Kaloroumakis explained. Unlike ATT&CK, the D3FEND framework does not seek to be prescriptive. “We wanted to establish a common language and vocabulary about defensive methods,” he added. Another difference: ATT&CK uses the STIX and TAXII protocols to automate interactions with security software tools, whereas D3FEND is essentially manual work, so far.
Genesis of MITRE D3FEND
D3FEND is the first comprehensive analysis of this data, but putting it together has not been without its challenges. Using the patent database as the original source for the project has been inspiring and frustrating at the same time. Mr. Kaloroumakis had the idea for D3FEND when he needed to analyze patent filings as technical director of the security company Bluvector.io, before joining MITRE. “There are huge discrepancies in the technical specifics mentioned in the patents,” he said. “Some patents leave little to the imagination, while others are more generic and harder to understand.” He was surprised by the thousands of patent filings he found on cybersecurity. “Some vendors have more than a hundred filings,” he said, while clarifying that he hadn’t cataloged every cybersecurity patent in the collection. Rather, he used the collection as a means to an end: creating the project’s taxonomies and knowledge graph. He also pointed out that the fact that a particular security technology or method is mentioned in a patent filing does not mean that the method is found in the actual product.
For example, consider one of the methods cataloged in the graph: URL parsing. A security analyst seeks to determine whether a URL is harmless or malicious by analyzing its components, the domain name and port number used, and the context the URL came from, such as an email or web link. The entry refers to an original Sophos patent and lists the ATT&CK techniques it relates to, such as spear phishing and drive-by compromise.
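To make the URL-parsing technique concrete, here is an added example (not code from the Sophos patent, D3FEND or MITRE) that decomposes a URL into the components the paragraph names and records the properties an analyst would look at before deciding. The checks chosen (embedded userinfo, IP-literal host, non-default port, punycode labels) and the `context` field are this example’s own assumptions; the findings are observations for triage, not a verdict, and the sample URLs are constructed using documentation address ranges.

```python
from urllib.parse import urlsplit
import ipaddress

# Default ports for the schemes expected in email or web links (assumption).
DEFAULT_PORTS = {"http": 80, "https": 443}


def analyze_url(url, context="unknown"):
    """Decompose a URL and record properties an analyst would want to see.

    Returns the parsed components plus a list of neutral 'findings'.
    `context` records where the URL was seen (e.g. "email" or "web link")
    so later triage can weigh it; it does not change the parsing.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""        # lower-cased, brackets stripped for IPv6
    findings = []

    try:
        port = parts.port              # None when no explicit port is given
    except ValueError:
        port = None
        findings.append("port is not a valid integer")

    if parts.scheme not in DEFAULT_PORTS:
        findings.append(f"unexpected scheme: {parts.scheme or '<none>'}")
    if not host:
        findings.append("no host component")
    if parts.username is not None:
        findings.append("userinfo (credentials) embedded in URL")

    ip_literal = False
    try:
        ipaddress.ip_address(host)
        ip_literal = True
        findings.append("host is an IP address, not a domain name")
    except ValueError:
        pass                           # a normal hostname, not an IP literal

    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        findings.append(f"non-default port {port} for scheme {parts.scheme}")

    labels = host.split(".") if host and not ip_literal else []
    if any(label.startswith("xn--") for label in labels):
        findings.append("internationalized (punycode) label in host")
    # Naive registered-domain guess: last two labels (no public-suffix list).
    registered_domain = ".".join(labels[-2:]) if len(labels) >= 2 else host

    return {
        "url": url,
        "context": context,
        "scheme": parts.scheme,
        "host": host,
        "registered_domain": registered_domain,
        "port": port if port is not None else DEFAULT_PORTS.get(parts.scheme),
        "path": parts.path,
        "query": parts.query,
        "findings": findings,
    }


def urls_needing_review(urls_with_context):
    """Batch helper: return only the analyses that produced findings."""
    results = [analyze_url(u, c) for u, c in urls_with_context]
    return [r for r in results if r["findings"]]


# Constructed sample input (documentation address range, reserved example domain).
SAMPLE_URLS = [
    ("https://www.example.com/", "web link"),
    ("https://user@203.0.113.5:8443/login", "email"),
    ("http://xn--pple-43d.com/", "email"),
]

if __name__ == "__main__":
    for result in urls_needing_review(SAMPLE_URLS):
        print(result["url"], "->", result["findings"])
```

Only the standard library is used, so the block runs offline; a production analyzer would replace the two-label domain guess with a public-suffix list and feed the findings, together with the context, into whatever scoring the organisation already applies.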
Beginnings of a MITRE D3FEND ecosystem
MITRE’s effort was funded by the NSA, and anyone can adopt and extend it. Since the announcement of D3FEND, at least one open-source project has already appeared that translates between D3FEND and ATT&CK methods using Python scripts and queries. MITRE expects more third-party integrations to follow, just as ATT&CK has built its own ecosystem of tool providers. D3FEND is not the only initiative of this type, but it aims to be more comprehensive. “It seems that to date, there has never been a comprehensive public analysis of the corpus of cybersecurity patents with the aim of developing a knowledge graph of cyber countermeasures,” said Mr. Kaloroumakis.
For several years, the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, has been behind the cyber defense matrix, which is both more abstract and more specific. “Existing cybersecurity knowledge bases do not explain with sufficient fidelity and structure what these countermeasures do to meet these needs,” Kaloroumakis said. According to him, the task is to separate defensive measures from their mechanics, that is, how they actually work. The goal is to determine whether vendors are using different methods to solve the same problem, such as checking for a particular (and potentially malicious) code segment. He believes the project will help IT managers find functional overlaps in their current security product portfolios and guide changes in their investments in a particular functional area. It may also help them make better defensive decisions to protect their cyber infrastructure.