MITRE’s D3FEND Connects the Cyber Community to Counter Threats

By Denise Schiavone

MITRE’s D3FEND™ provides a one-stop shop for understanding defensive cyber techniques—and demonstrates the power of collaboration across the public and private sectors in countering malicious cyber activity.

The invasion of Ukraine. Chinese and Russian targeting of U.S. and allied networks. Risks to critical infrastructure. Never before has protecting against cyber threats been more essential.

MITRE engages across the public and private sectors to take a whole-of-nation approach to cybersecurity. And our playbook considers defense and offense equally important strategies.

On the defensive side, the MITRE-developed, National Security Agency (NSA)-funded D3FEND™ framework offers an open model with standardized vocabulary for employing techniques to counter malicious cyber activity.

For example, along with MITRE ATT&CK®, D3FEND informed a 2021 report on Chinese state-sponsored cyber operations. The public advisory helps network defenders understand available cyber countermeasures—and serves a wide range of stakeholders. Among them: government agencies, medical facilities, universities, and defense industry leaders.

D3FEND demonstrates the power of collaboration across the cyber community, as NSA seeks input to “further refine D3FEND and to promote the adoption of this vocabulary by cybersecurity professionals across government, industry, and academia.”

MITRE incorporates community input to continually enhance the framework. The collaborative strategy has been a key driver of D3FEND’s success.  

“Doing long-term, high-risk research and development requires a special relationship built on trust,” says cybersecurity engineer Peter Kaloroumakis, MITRE’s lead for D3FEND. “NSA created an R&D environment that set us up for success.”

Since June 2021, D3FEND has attracted more than 128K global users to The capability offers far-reaching impact for real-world cyber operations.

“D3FEND is a prime example of NSA leaning forward within the cybersecurity community, in partnership with MITRE,” says Michelle Griffith, tech lead for NSA’s threat-based cybersecurity team supporting DODCAR (DoD Cybersecurity Analysis and Review).

“Early adopters have already demonstrated it as a game changer for security architects, engineers, and assessment teams in driving a more resilient security posture.”

D3FEND Helps Organizations Speak the Same Cyber Language

How does D3FEND work? Take the example of a large financial institution.

The company may purchase hundreds of network security products to protect its data. Each product might perform dozens of discrete functions, and each of those functions addresses specific issues—from compliance requirements to detection of specific cyber adversaries. 

The D3FEND difference? It provides the ability to go to one place that connects all these different concepts. It enables users to differentiate among defensive cyber technologies and better understand which solutions to employ.

To advance such critical cyber innovations, we draw on our decades of experience in cybersecurity. We also manage the federal R&D center for national cybersecurity and have a rich heritage developing other frameworks, like CALDERA™, MITRE Engage™, and ATT&CK.

D3FEND pairs closely with ATT&CK, which describes adversary tactics and techniques, based on real-world observations. D3FEND maps defensive measures that cyber operators can employ to counter those adversary behaviors.

“To successfully fight against threat actors, it’s imperative to ‘know yourself and know your enemy,’” Griffith explains. “Together, D3FEND and ATT&CK enable organizations to understand the environment and implement the best cybersecurity practices.”

MITRE designed D3FEND for compatibility with other cybersecurity and even engineering frameworks. It’s encoded using standards-based technology, making the model extensible to a wide variety of uses.

Additionally, D3FEND connects multiple stakeholders—from government customers to corporate executives to cybersecurity vendors—and provides a common language to talk about defensive cyber technology. This creates the opportunity to address security problems earlier in a system’s acquisition and development life cycle—when it’s less expensive to introduce changes.  

“The impact of these cyber innovations can’t be overstated,” says Keoki Jackson, senior vice president and general manager of MITRE’s national security sector.

“They’re vital to enabling our national security and U.S. success in the long-term global strategic competition that threatens our economy and industrial base, critical R&D investments, and our democratic institutions.”

About MITRE Cyber

MITRE empowers the cyber community with the knowledge, training, and expertise to implement an effective threat-informed defense strategy. As part of our cybersecurity research in the public interest, MITRE has a long history of developing standards and tools, such as MITRE ATT&CK®, CALDERA™, CAPEC™, D3FEND™, and MITRE Engage™, used by the cybersecurity community across multiple industries.

Our new book, "11 Strategies of a World-Class Cybersecurity Operations Center," brings forth the best principles and practices within MITRE to help the entire cyber ecosystem leverage up their defenses and operations. MITRE Engenuity’s Center for Threat-Informed Defense also brings those tools and research to private and public sector organizations to advance best practices in cybersecurity.