Coworkers in a server room

D3FEND Knowledge Graph Guides Security Architects to Design Better Cyber Defenses

By Jeremy Singer

MITRE is looking for help from the cybersecurity community to build out an NSA-funded framework for network defense. The goal is to help security architects quickly understand the specific capabilities of a wide variety of defensive technologies.

MITRE is looking for help from the cybersecurity community to build out a National Security Agency (NSA)-funded framework for network defense. The goal is to help security architects quickly understand the specific capabilities of a wide variety of defensive technologies.

As cybersecurity architects seek out new products to better defend their networks, the number of choices can be overwhelming. It can be surprisingly difficult to determine what specific technical functions a product or capability performs.

That’s why MITRE worked to create D3FEND (pronounced “defend”), a knowledge graph that describes specific technical functions within cyber technologies in a common language of “countermeasure techniques.” This research was conducted by MITRE and funded by the NSA to improve the cybersecurity of national security systems, the Department of Defense, and the defense industrial base. This framework is being shared publicly so all can benefit from these efforts and so the cybersecurity community can further refine it.

D3FEND also provides a large collection of digital artifact definitions—the specific technical elements these cyber products secure or analyze—to model cyber systems and related countermeasures. This creates a foundation for digital engineering and automated analysis about the complex interplay between computer network architectures, threats, and cyber countermeasures, helping security architects understand how a new product will interact with or complement others as part of an integrated network defense.

“Our goal is to make it easier for architects to better understand how countermeasures work, so that they can more effectively design, deploy, and ultimately better defend networked systems,” says Peter Kaloroumakis, a principal cybersecurity engineer at MITRE who leads the work on D3FEND.

In this early stage of development, MITRE is seeking feedback from the cybersecurity community to improve and evolve the framework.

D3FEND’s Mission: Characterize Cyber Countermeasures

In 2018, a small MITRE team supporting the NSA’s cybersecurity mission began working on a research and development effort to model the defensive capabilities needed to respond to the adversary behaviors described in models like MITRE ATT&CK® and CAPEC™.

They gained a few crucial insights. Cybersecurity capabilities often include combinations of multiple countermeasure techniques. They also observed that cybersecurity technologies are embedded in various layers of information technology infrastructure.

These technologies are often incorporated at different phases in engineering and acquisition lifecycles. Further, these cybersecurity capabilities have various technical stakeholders who need to coordinate to maximize their effectiveness.

A Flexible Yet Structured Model of Cyber Countermeasures

Organizing this knowledge into a coherent model that could readily cross-reference to other models and frameworks in a flexible, structured, and clearly specified manner was one key technical challenge for D3FEND. In addition, the knowledge must be both relatable to human experts and machine interpretable.

The resulting knowledge graph is the foundation for a wide variety of use cases. For instance, it has the ability to find and explain the connections between system elements and relate them to the offensive and defensive cyber techniques that operate on them.

In addition to evaluating cybersecurity tools, D3FEND has the potential, once fully realized, to support deeper and more actionable understanding of a system’s defensive posture and the impact of any proposed changes to the defensive toolset.

While D3FEND has mapped its systems model to the ATT&CK framework for the characterization of cyber threats, it also supports mapping to other offensive cyber models.

“Understanding what specific functions cyber technologies perform is integral to our sponsoring agency’s mission and operations," says Michael Smith, a principal artificial intelligence engineer and D3FEND co-creator at MITRE. 

"We believe MITRE’s National Security Engineering Center is well positioned to address this long-term research and development need for the National Security Agency and broader Department of Defense because we're required to operate in the public interest, free from conflicts of interest, and with objectivity and independence.” 

Access the D3FEND knowledge base. Please send feedback to the team.