| Name | TL;DR | Techniques | D3FEND Tactic |
|---|---|---|---|
| ABAC | Controls access based on user attributes, resource attributes, and environment conditions. | | Execution Isolation (D3-EI), Credential Hardening (D3-CH) |
| Access Control List (ACL) | Defines who can access an object and what actions they can perform. | Credential theft | Execution Isolation (D3-EI) |
| Account Lockout Policies | Locks user accounts after a number of failed login attempts. | | Credential Eviction (D3-CE) |
| Admission Controller | Validates and enforces policies on resources in a K8s cluster. | | Application Hardening (D3-AH) |
| AI-SPM | Assesses and enhances an organization's AI pipeline security posture. | Malicious AI model, LLMjacking, LLM Prompt Injection | Application Hardening (D3-AH) |
| API Gateway | Manages API requests, security, and passes them to back-end services. | SQL injection | Network Traffic Analysis (D3-NTA), Network Isolation (D3-NI) |
| Bastion Host | A highly secured server used to access and protect internal networks. | Password bruteforcing, Password spraying | Network Isolation (D3-NI) |
| CDN | Distributes content to users from various global servers to enhance performance. | Discover origin IP of fronted domain | Network Isolation (D3-NI), Message Hardening (D3-MH) |
| CI/CD Configuration Scanning | | Credential harvesting from code repository, Script injection into CICD workflow | |
| Cloud Configuration Scanning | Scans cloud setups for compliance and security best practices. | Abuse of cross-job access in CI/CD system, Propagation via Kubelet, Public exposure abuse, K8s anonymous auth abuse, Azure Arc abuse, Azure Run Commands abuse, Azure Batch abuse, Azure AD abuse, Appstream abuse | Platform Hardening (D3-PH) |
| Cloud Log Monitoring | Collects and analyzes cloud logs to detect security incidents. | Policy simulation, Create new cloud user, Create or modify cloud key, Attach administrative role to account, Abuse naming patterns to guess resource IDs or fingerprint resources, Add attacker-controlled IdP via ADFS access, Erase logs, Linux fileless malware | Process Analysis (D3-PA), User Behavior Analysis (D3-UBA) |
| Confidential Computing | Protects data in use by processing it in secure, isolated environments. | | Platform Hardening (D3-PH) |
| Containerization | Runs applications in isolated containers sharing an OS kernel. | SSH propagation | Execution Isolation (D3-EI) |
| Data Backups | Copies and archives data for recovery in case of loss or corruption. | Bucket / storage ransomware, Database ransomware | Restore Object (D3-RO) |
| Data Encryption | Converts data to a coded format readable only with a key. | Data exfiltration from cloud storage, Poison AI training data | Application Hardening (D3-AH) |
| Data Masking | Obscures sensitive data to protect it while maintaining usability. | | Application Hardening (D3-AH) |
| Data Replication | Copies data across locations for consistency and reliability. | Bucket / storage ransomware, Database ransomware, Poison AI training data | Restore Object (D3-RO) |
| DDoS Protection | Shields networks from attacks that overwhelm services with traffic. | | Network Traffic Analysis (D3-NTA) |
| DFIR | Detection, investigation, and response to cybersecurity incidents. | | Platform Monitoring (D3-PM) |
| DLP | Prevents unauthorized data access, sharing, and leakage. | | |
| File Integrity Monitoring (FIM) | Detects changes in files indicating cyberattacks. | Create new local user | File Analysis (D3-FA) |
| Honeypots | Decoy systems designed to attract, hinder, and study threat actors. | | Decoy Environment (D3-DE) |
| Host Configuration Scanning | Inspects host and app settings to detect misconfigurations. | Abusing exposed Docker socket, Misconfigured Wordpress abuse, Misconfigured Redis abuse, Misconfigured Docker abuse, Misconfigured DB abuse, Misconfigured Consul abuse, Misconfigured Argo abuse, Misconfigured Apache Hadoop abuse, Jupyter Notebook misconfig abuse, Jupyter Notebook ransomware, cAdvisor abuse, K8s anonymous auth abuse, Misconfigured Gitea abuse | Application Hardening (D3-AH) |
| IAM Policies | Controls user and machine access to resources within an organization. | Valid creds abuse, Abuse access to existing KMS key, Abuse trust and privileges across accounts, SSM-facilitated remote desktop connection, IAM privilege escalation | Execution Isolation (D3-EI), Credential Hardening (D3-CH) |
| Key Management System (KMS) | Manages cryptographic keys for data security. | Credential theft | Credential Hardening (D3-CH) |
| Malware Detection | Identifies and mitigates malicious software on systems. | Public malicious container image, Reverse shell, Rootkit - LD_PRELOAD | File Analysis (D3-FA), Identifier Analysis (D3-ID) |
| Microsegmentation | Divides networks into segments to improve security and control. | Network lateral movement, SSH propagation | Network Isolation (D3-NI) |
| Multi-Factor Authentication (MFA) | Requires multiple verification methods for access. | Password bruteforcing, Password spraying, Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| Namespacing | Isolates environments/resources to avoid conflicts and improve security. | Propagation via Kubelet | Execution Isolation (D3-EI) |
| Network Firewall | Monitors and controls network traffic based on security rules. | Public exposure abuse | Network Traffic Analysis (D3-NTA), Network Isolation (D3-NI) |
| Password Policies | Sets rules for creating and maintaining strong passwords. | Password bruteforcing, Password spraying, Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| Permission Boundary | Defines the maximum permissions an entity can have. | Smishing (SMS phishing) | Credential Hardening (D3-CH) |
| Proxy | Acts as an intermediary for requests between clients and servers. | Vulnerability exploitation, Misconfigured SSH abuse | Network Isolation (D3-NI) |
| Quarantine Policies | Isolates compromised files/systems to limit blast radius. | Phishing | Message Analysis (D3-MA), Credential Eviction (D3-CE) |
| Role-Based Access Control (RBAC) | Assigns permissions based on user roles. | Credential theft | Execution Isolation (D3-EI), Credential Hardening (D3-CH) |
| SBOM | Lists components in a software product, enhancing transparency and security. | Supply Chain Compromise, Package dependency confusion, Image dependency confusion | File Analysis (D3-FA) |
| Secret Scanning | Detects at-risk secrets across an organization's systems. | Abuse access to existing KMS key, Credential harvesting from code repository, Registry secret scanning | File Analysis (D3-FA) |
| Secure Boot | Ensures devices boot only with trusted software. | Bootkit | Platform Hardening (D3-PH) |
| Security Keys | Physical/digital keys for multi-factor authentication. | Password bruteforcing, Password spraying | Credential Hardening (D3-CH) |
| Sensitive Data Scanning | Identifies and protects sensitive information in systems. | Data exfiltration from cloud storage, Retrieve EC2 Password Data, Misconfigured Power Pages abuse | File Analysis (D3-FA) |
| SIEM | Collects and analyzes security data to detect and respond to threats. | | Platform Monitoring (D3-PM) |
| Single Sign-On (SSO) | Allows access to multiple systems with one login. | Credential theft, Credential harvesting from code repository | Credential Hardening (D3-CH) |
| Threat Hunting | Actively searches for threats within a network before they cause harm. | | Platform Monitoring (D3-PM) |
| Threat Intel | Collects and analyzes data on potential and existing threats. | | Platform Monitoring (D3-PM) |
| User Account Control | Requires admin approval for system changes. | Cluster anonymous access, Abuse trust and privileges across accounts, IAM privilege escalation | Execution Isolation (D3-EI) |
| Virtual Private Network (VPN) | Secures connections over the Internet to a private network. | SSH propagation, Network lateral movement | Network Isolation (D3-NI) |
| Virtualization | Creates isolated virtual computing resources while sharing hardware. | LSASS dumping | Execution Isolation (D3-EI) |
| Vulnerability Scanning | Identifies security weaknesses in systems and apps. | Vulnerability exploitation, SSRF, SQL injection | Application Hardening (D3-AH) |
| Weak Password Detection | Alerts on passwords not meeting security standards. | Password bruteforcing, Password spraying | Credential Hardening (D3-CH) |
| Web Application Firewall (WAF) | Protects web apps by filtering HTTP traffic. | SQL injection | Network Isolation (D3-NI) |
| Workload Runtime Protection | Protects workloads in real time during execution. | Vulnerability exploitation, Webshell deployment, SSRF, Serverless execution, SQL injection, Remotely execute commands or scripts on a VM, Create new local user, Erase logs, Execute Command on VM using Custom Script Extension, Linux fileless malware | Platform Hardening (D3-PH) |