| Name | TL;DR | Techniques | D3FEND Tactic |
|---|---|---|---|
| | Controls access based on user attributes, resource attributes, and environment conditions. | | Execution Isolation (D3-EI); Credential Hardening (D3-CH) |
| | Defines who can access an object and what actions they can perform. | Credential theft | Execution Isolation (D3-EI) |
| | Locks user accounts after a number of failed login attempts. | | Credential Eviction (D3-CE) |
| | Validates and enforces policies on resources in a K8s cluster. | | Application Hardening (D3-AH) |
| | Assesses and enhances an organization's AI pipeline security posture. | Malicious AI model; LLMjacking; LLM Prompt Injection | Application Hardening (D3-AH) |
| | Manages API requests, security, and passes them to back-end services. | SQL injection | Network Traffic Analysis (D3-NTA); Network Isolation (D3-NI) |
| | A highly secured server used to access and protect internal networks. | Password bruteforcing; Password spraying | Network Isolation (D3-NI) |
| | Distributes content to users from various global servers to enhance performance. | Discover origin IP of fronted domain | Network Isolation (D3-NI); Message Hardening (D3-MH) |
| | | Credential harvesting from code repository; Script injection into CICD workflow | |
| | Scans cloud setups for compliance and security best practices. | Abuse of cross-job access in CI/CD system; Propagation via Kubelet; Public exposure abuse; K8s anonymous auth abuse; Azure Arc abuse; Azure Run Commands abuse; Azure Batch abuse; Azure AD abuse; Appstream abuse | Platform Hardening (D3-PH) |
| | Collects and analyzes cloud logs to detect security incidents. | Policy simulation; Create new cloud user; Create or modify cloud key; Attach administrative role to account; Abuse naming patterns to guess resource IDs or fingerprint resources; Add attacker-controlled IdP via ADFS access; Erase logs; Linux fileless malware | Process Analysis (D3-PA); User Behavior Analysis (D3-UBA) |
| | Protects data in use by processing it in secure, isolated environments. | | Platform Hardening (D3-PH) |
| | Runs applications in isolated containers sharing an OS kernel. | SSH propagation | Execution Isolation (D3-EI) |
| | Copies and archives data for recovery in case of loss or corruption. | Bucket / storage ransomware; Database ransomware | Restore Object (D3-RO) |
| | Converts data to a coded format readable only with a key. | Data exfiltration from cloud storage; Poison AI training data | Application Hardening (D3-AH) |
| | Obscures sensitive data to protect it while maintaining usability. | | Application Hardening (D3-AH) |
| | Copies data across locations for consistency and reliability. | Bucket / storage ransomware; Database ransomware; Poison AI training data | Restore Object (D3-RO) |
| | Shields networks from attacks that overwhelm services with traffic. | | Network Traffic Analysis (D3-NTA) |
| | Detection, investigation, and response to cybersecurity incidents. | | Platform Monitoring (D3-PM) |
| | Prevents unauthorized data access, sharing, and leakage. | | |
| | Detects changes in files indicating cyberattacks. | Create new local user | File Analysis (D3-FA) |
| | Decoy systems designed to attract, hinder, and study threat actors. | | Decoy Environment (D3-DE) |
| | Inspects host and app settings to detect misconfigurations. | Abusing exposed Docker socket; Misconfigured Wordpress abuse; Misconfigured Redis abuse; Misconfigured Docker abuse; Misconfigured DB abuse; Misconfigured Consul abuse; Misconfigured Argo abuse; Misconfigured Apache Hadoop abuse; Jupyter Notebook misconfig abuse; Jupyter Notebook ransomware; cAdvisor abuse; K8s anonymous auth abuse; Misconfigured Gitea Abuse | Application Hardening (D3-AH) |
| | Controls user and machine access to resources within an organization. | Valid creds abuse; Abuse access to existing KMS key; Abuse trust and privileges across accounts; SSM-facilitated remote desktop connection; IAM privilege escalation | Execution Isolation (D3-EI); Credential Hardening (D3-CH) |
| | Manages cryptographic keys for data security. | Credential theft | Credential Hardening (D3-CH) |
| | Identifies and mitigates malicious software on systems. | Public malicious container image; Reverse shell; Rootkit - LD_PRELOAD | File Analysis (D3-FA); Identifier Analysis (D3-ID) |
| | Divides networks into segments to improve security and control. | Network lateral movement; SSH propagation | Network Isolation (D3-NI) |
| | Requires multiple verification methods for access. | Password bruteforcing; Password spraying; Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| | Isolates environments/resources to avoid conflicts and improve security. | Propagation via Kubelet | Execution Isolation (D3-EI) |
| | Monitors and controls network traffic based on security rules. | Public exposure abuse | Network Traffic Analysis (D3-NTA); Network Isolation (D3-NI) |
| | Sets rules for creating and maintaining strong passwords. | Password bruteforcing; Password spraying; Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| | Defines the maximum permissions an entity can have. | Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| | Acts as an intermediary for requests between clients and servers. | Vulnerability exploitation; Misconfigured SSH abuse | Network Isolation (D3-NI) |
| | Isolates compromised files/systems to limit blast radius. | Phishing | Message Analysis (D3-MA); Credential Eviction (D3-CE) |
| | Assigns permissions based on user roles. | Credential theft | Execution Isolation (D3-EI); Credential Hardening (D3-CH) |
| | Lists components in a software product, enhancing transparency and security. | Supply Chain Compromise; Package dependency confusion; Image dependency confusion | File Analysis (D3-FA) |
| | Detects at-risk secrets across an organization's systems. | Abuse access to existing KMS key; Credential harvesting from code repository; Registry secret scanning | File Analysis (D3-FA) |
| | Ensures devices boot only with trusted software. | Bootkit | Platform Hardening (D3-PH) |
| | Physical/digital keys for multi-factor authentication. | Password bruteforcing; Password spraying | Credential Hardening (D3-CH) |
| | Identifies and protects sensitive information in systems. | Data exfiltration from cloud storage; Retrieve EC2 Password Data; Misconfigured Power Pages abuse | File Analysis (D3-FA) |
| | Collects and analyzes security data to detect and respond to threats. | | Platform Monitoring (D3-PM) |
| | Allows access to multiple systems with one login. | Credential theft; Credential harvesting from code repository | Credential Hardening (D3-CH) |
| | Actively searching for threats within a network before they cause harm. | | Platform Monitoring (D3-PM) |
| | Collecting and analyzing data on potential and existing threats. | | Platform Monitoring (D3-PM) |
| | Requires admin approval for system changes. | Cluster anonymous access; Abuse trust and privileges across accounts; IAM privilege escalation | Execution Isolation (D3-EI) |
| | Secures connections over the Internet to a private network. | SSH propagation; Network lateral movement | Network Isolation (D3-NI) |
| | Creates isolated virtual computing resources while sharing hardware. | LSASS dumping | Execution Isolation (D3-EI) |
| | Identifies security weaknesses in systems and apps. | Vulnerability exploitation; SSRF; SQL injection | Application Hardening (D3-AH) |
| | Alerts on passwords not meeting security standards. | Password bruteforcing; Password spraying | Credential Hardening (D3-CH) |
| | Protects web apps by filtering HTTP traffic. | SQL injection | Network Isolation (D3-NI) |
| | Protects workloads in real-time during execution. | Vulnerability exploitation; Webshell deployment; SSRF; Serverless execution; SQL injection; Remotely execute commands or scripts on a VM; Create new local user; Erase logs; Execute Command on VM using Custom Script Extension; Linux fileless malware | Platform Hardening (D3-PH) |