index.html
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Document metadata: character set, responsive viewport and browser theme colour -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
<meta name="theme-color" content="#333333" />
<!-- Site-wide stylesheet and icon, both loaded from root-relative paths on this site -->
<link rel="stylesheet" href="/global-d3fend.css" />
<link rel="icon" type="image/png" href="/favicon.ico" />
<!-- This contains the contents of the <svelte:head> component, if
the current page has one -->
<!-- Component stylesheets, referenced by relative path under ../_app/immutable/assets/ -->
<link href="../_app/immutable/assets/2.0496bb8e.css" rel="stylesheet">
<link href="../_app/immutable/assets/Notification.f3032b6b.css" rel="stylesheet">
<link href="../_app/immutable/assets/Nav-mobile.48a70d3b.css" rel="stylesheet">
<link href="../_app/immutable/assets/Hamburger.ab9add57.css" rel="stylesheet">
<link href="../_app/immutable/assets/getting-d3fend-to-1.0.dc6fdb1f.css" rel="stylesheet">
<link href="../_app/immutable/assets/41.a31569e7.css" rel="stylesheet">
<link href="../_app/immutable/assets/Button.82434732.css" rel="stylesheet">
<!-- Module preloads for the entry scripts, shared chunks and route nodes. Every href in this head is a
relative or root-relative path; none names another origin.
NOTE(review): if these assets are ever served from a separate host, add integrity and crossorigin
attributes to the stylesheet and modulepreload links.
NOTE(review): no Content-Security-Policy meta element appears here; presumably any policy is sent as a
response header. Confirm with the hosting configuration. -->
<link rel="modulepreload" href="../_app/immutable/entry/start.7cda07fe.js">
<link rel="modulepreload" href="../_app/immutable/chunks/scheduler.50831561.js">
<link rel="modulepreload" href="../_app/immutable/chunks/singletons.67bb3745.js">
<link rel="modulepreload" href="../_app/immutable/chunks/index.227a97d3.js">
<link rel="modulepreload" href="../_app/immutable/chunks/paths.17b8a929.js">
<link rel="modulepreload" href="../_app/immutable/chunks/control.f5b05b5f.js">
<link rel="modulepreload" href="../_app/immutable/entry/app.7f96160f.js">
<link rel="modulepreload" href="../_app/immutable/chunks/preload-helper.a4192956.js">
<link rel="modulepreload" href="../_app/immutable/chunks/index.24431cc3.js">
<link rel="modulepreload" href="../_app/immutable/nodes/0.f4b3e5f5.js">
<link rel="modulepreload" href="../_app/immutable/nodes/2.6d736c42.js">
<link rel="modulepreload" href="../_app/immutable/chunks/mermaid.core.65f7eeba.js">
<link rel="modulepreload" href="../_app/immutable/chunks/_commonjsHelpers.de833af9.js">
<link rel="modulepreload" href="../_app/immutable/chunks/memoize.e19fc13a.js">
<link rel="modulepreload" href="../_app/immutable/chunks/isTypedArray.d780b3d2.js">
<link rel="modulepreload" href="../_app/immutable/chunks/isArray.43a48bdb.js">
<link rel="modulepreload" href="../_app/immutable/chunks/isEmpty.24b656b1.js">
<link rel="modulepreload" href="../_app/immutable/chunks/config.6235f7da.js">
<link rel="modulepreload" href="../_app/immutable/chunks/matrix.91be0855.js">
<link rel="modulepreload" href="../_app/immutable/chunks/Notification.a07f3b00.js">
<link rel="modulepreload" href="../_app/immutable/chunks/index.400c825c.js">
<link rel="modulepreload" href="../_app/immutable/chunks/stores.87b59478.js">
<link rel="modulepreload" href="../_app/immutable/chunks/Nav-mobile.2d9ef691.js">
<link rel="modulepreload" href="../_app/immutable/chunks/each.8d18d1a2.js">
<link rel="modulepreload" href="../_app/immutable/chunks/Hamburger.dffefca9.js">
<link rel="modulepreload" href="../_app/immutable/chunks/stores.9b0ea2d4.js">
<link rel="modulepreload" href="../_app/immutable/chunks/lib.9e57a3f1.js">
<link rel="modulepreload" href="../_app/immutable/chunks/marked.esm.76161808.js">
<link rel="modulepreload" href="../_app/immutable/chunks/updateDefendTree.c70a257c.js">
<link rel="modulepreload" href="../_app/immutable/nodes/41.befc481f.js">
<!-- The next line also carries the page title and the paired HEAD_svelte start/end markers; the markers
are left exactly as emitted. -->
<link rel="modulepreload" href="../_app/immutable/chunks/Title.28d88b77.js"><title>Search | MITRE D3FEND™</title><!-- HEAD_svelte-1b5eb8v_START --><!-- HEAD_svelte-1b5eb8v_END -->
</head>
<body>
<!-- The application will be rendered inside this element,
because `src/client.js` references it -->
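<!-- Page shell: desktop and mobile navigation, the search form, and the legal footer.
The opening div is not closed in this span; the markup that follows it stays nested inside. -->
<div> <nav class="svelte-anufko"> <nav id="desktop" class="svelte-posd1r"><ul class="text-1 svelte-posd1r"><li class="logo svelte-posd1r" data-svelte-h="svelte-4hq3qq"><a href="/" class="svelte-posd1r"><img alt="MITRE logo" src="/img/mitre.png" class="svelte-posd1r"></a></li> <li class="svelte-posd1r"><a href="/" class="svelte-posd1r">matrix</a></li> <li class="svelte-posd1r"><a href="/dao" class="svelte-posd1r">artifacts</a></li> <li class="svelte-posd1r"><a class="glow svelte-posd1r" href="/taxonomies">taxonomies</a></li> <li class="svelte-posd1r"><a href="/about" class="svelte-posd1r">about</a></li> <li class="svelte-posd1r"><a href="/resources" class=" svelte-posd1r">resources</a></li> <li class="svelte-posd1r"><a href="/contribute" class=" svelte-posd1r">contribute</a></li> <li class="svelte-posd1r"><a href="/faq" class="svelte-posd1r">faq</a></li> <li class="svelte-posd1r"><a href="/blog" class="svelte-posd1r">blog</a></li> <li class="logo logo-right svelte-posd1r" data-svelte-h="svelte-1ai8ee7"><a href="https://www.nsa.gov" class="svelte-posd1r"><img id="sponsor_logo" alt="NSA logo" src="/img/nsa.png" class="svelte-posd1r"></a></li></ul></nav> <nav id="mobile"><div><button aria-label="Close Mobile Menu" class="svelte-1k2hh9t"><svg width="32" height="28" class="svelte-1k2hh9t"><line id="top" x1="0" y1="4" x2="32" y2="4" class="svelte-1k2hh9t"></line><line id="middle" x1="0" y1="14" x2="24" y2="14" class="svelte-1k2hh9t"></line><line id="bottom" x1="0" y1="24" x2="32" y2="24" class="svelte-1k2hh9t"></line></svg> </button></div> </nav></nav> <main class="svelte-anufko"> <form><input class="searchbar svelte-1lgeke3" type="text" id="query" name="query" value=""> <button type="submit" class="svelte-1lgeke3" data-svelte-h="svelte-144da9z">Search</button></form> </main> <footer class="svelte-anufko"><div class="svelte-fefdvk" data-svelte-h="svelte-adirjo"><p class="text-small">Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the <a 
href="/tou">Terms of Use</a>. Use of the MITRE D3FEND website is subject to the
<a href="/privacy">MITRE D3FEND Privacy Policy</a>. MITRE D3FEND is funded
by the
<!-- Every target="_blank" link in this footer carries rel="noopener noreferrer", so the opened page
receives no window.opener reference to this one and no Referer header. The two nsa.gov links
previously had an empty rel and no rel at all, unlike the two mitre.org links below.
NOTE(review): this file looks like prerendered build output; mirror the change in the footer's
source component so the next build keeps it. -->
<a target="_blank" rel="noopener noreferrer" href="https://www.nsa.gov/">National Security Agency</a>
(NSA)
<a target="_blank" rel="noopener noreferrer" href="https://www.nsa.gov/what-we-do/cybersecurity/">Cybersecurity Directorate</a>
and managed by the
<a href="https://www.mitre.org/centers/national-security-and-engineering-center/who-we-are" target="_blank" rel="noopener noreferrer">National Security Engineering Center</a>
(NSEC) which is operated by
<!-- Linked over https, matching the other www.mitre.org link above, so the first request is not sent in cleartext. -->
<a target="_blank" rel="noopener noreferrer" href="https://www.mitre.org/">The MITRE Corporation</a>. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE
Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of
The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK
<a href="https://attack.mitre.org/resources/terms-of-use/">terms of use</a>.
This software was produced for the U. S. Government under Basic Contract No.
W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer
Software and Noncommercial Computer Software Documentation Clause
252.227-7014 (FEB 2012)
<br>© 2023 The MITRE Corporation.
<br>Approved for Public Release; Distribution Unlimited #20-2338 and #23-1207.</p> </div> </footer>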
<script type="application/json" data-sveltekit-fetched data-url="/api/matrix.json">{"status":200,"statusText":"","headers":{},"body":"[{\"@id\":\"d3f:Model\",\"children\":[{\"@id\":\"d3f:AssetInventory\",\"children\":[{\"@id\":\"d3f:ConfigurationInventory\",\"d3f:d3fend-id\":\"D3-CI\",\"d3f:definition\":\"Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Configuration Inventory\"},{\"@id\":\"d3f:DataInventory\",\"d3f:d3fend-id\":\"D3-DI\",\"d3f:definition\":\"Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Data Inventory\"},{\"@id\":\"d3f:SoftwareInventory\",\"d3f:d3fend-id\":\"D3-SWI\",\"d3f:definition\":\"Software inventorying identifies and records the software items in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Software Inventory\"},{\"@id\":\"d3f:AssetVulnerabilityEnumeration\",\"d3f:d3fend-id\":\"D3-AVE\",\"d3f:definition\":\"Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Asset Vulnerability Enumeration\"},{\"@id\":\"d3f:NetworkNodeInventory\",\"d3f:d3fend-id\":\"D3-NNI\",\"d3f:definition\":\"Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) 
in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Network Node Inventory\"},{\"@id\":\"d3f:HardwareComponentInventory\",\"d3f:d3fend-id\":\"D3-HCI\",\"d3f:definition\":\"Hardware component inventorying identifies and records the hardware items in the organization's architecture.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Hardware Component Inventory\"}],\"d3f:d3fend-id\":\"D3-AI\",\"d3f:definition\":\"Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\",\"rdfs:label\":\"Asset Inventory\"},{\"@id\":\"d3f:NetworkMapping\",\"children\":[{\"@id\":\"d3f:LogicalLinkMapping\",\"children\":[{\"@id\":\"d3f:ActiveLogicalLinkMapping\",\"d3f:d3fend-id\":\"D3-ALLM\",\"d3f:definition\":\"Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Active Logical Link Mapping\"},{\"@id\":\"d3f:PassiveLogicalLinkMapping\",\"d3f:d3fend-id\":\"D3-PLLM\",\"d3f:definition\":\"Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Passive Logical Link Mapping\"}],\"d3f:d3fend-id\":\"D3-LLM\",\"d3f:definition\":\"Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Logical Link 
Mapping\"},{\"@id\":\"d3f:NetworkVulnerabilityAssessment\",\"d3f:d3fend-id\":\"D3-NVA\",\"d3f:definition\":\"Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.\",\"rdfs:label\":\"Network Vulnerability Assessment\"},{\"@id\":\"d3f:PhysicalLinkMapping\",\"children\":[{\"@id\":\"d3f:ActivePhysicalLinkMapping\",\"d3f:d3fend-id\":\"D3-APLM\",\"d3f:definition\":\"Active physical link mapping sends and receives network traffic as a means to map the physical layer.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Active Physical Link Mapping\"},{\"@id\":\"d3f:PassivePhysicalLinkMapping\",\"d3f:d3fend-id\":\"D3-PPLM\",\"d3f:definition\":\"Passive physical link mapping only listens to network traffic as a means to map the physical layer.\",\"rdfs:label\":\"Passive Physical Link Mapping\"}],\"d3f:d3fend-id\":\"D3-PLM\",\"d3f:definition\":\"Physical link mapping identifies and models the link connectivity of the network devices within a physical network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Physical Link Mapping\"},{\"@id\":\"d3f:NetworkTrafficPolicyMapping\",\"d3f:d3fend-id\":\"D3-NTPM\",\"d3f:definition\":\"Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Traffic Policy Mapping\"}],\"d3f:d3fend-id\":\"D3-NM\",\"d3f:definition\":\"Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network 
and their physical location, and determine allowed pathways through that network.\",\"rdfs:label\":\"Network Mapping\"},{\"@id\":\"d3f:OperationalActivityMapping\",\"children\":[{\"@id\":\"d3f:AccessModeling\",\"d3f:d3fend-id\":\"D3-AM\",\"d3f:definition\":\"Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Access Modeling\"},{\"@id\":\"d3f:OperationalDependencyMapping\",\"d3f:d3fend-id\":\"D3-ODM\",\"d3f:definition\":\"Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Operational Dependency Mapping\"},{\"@id\":\"d3f:OperationalRiskAssessment\",\"d3f:d3fend-id\":\"D3-ORA\",\"d3f:definition\":\"Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Operational Risk Assessment\"},{\"@id\":\"d3f:OrganizationMapping\",\"d3f:d3fend-id\":\"D3-OM\",\"d3f:definition\":\"Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Organization Mapping\"}],\"d3f:d3fend-id\":\"D3-OAM\",\"d3f:definition\":\"Operational activity mapping identifies activities of the organization and the organization's suborganizations, 
groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Operational Activity Mapping\"},{\"@id\":\"d3f:SystemMapping\",\"children\":[{\"@id\":\"d3f:DataExchangeMapping\",\"d3f:d3fend-id\":\"D3-DEM\",\"d3f:definition\":\"Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Data Exchange Mapping\"},{\"@id\":\"d3f:ServiceDependencyMapping\",\"d3f:d3fend-id\":\"D3-SVCDM\",\"d3f:definition\":\"Service dependency mapping determines the services on which each given service relies.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Service Dependency Mapping\"},{\"@id\":\"d3f:SystemDependencyMapping\",\"d3f:d3fend-id\":\"D3-SYSDM\",\"d3f:definition\":\"System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"System Dependency Mapping\"},{\"@id\":\"d3f:SystemVulnerabilityAssessment\",\"d3f:d3fend-id\":\"D3-SYSVA\",\"d3f:definition\":\"System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"System Vulnerability 
Assessment\"}],\"d3f:d3fend-id\":\"D3-SYSM\",\"d3f:definition\":\"System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.\",\"rdfs:label\":\"System Mapping\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"-1\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Model\"},{\"@id\":\"d3f:Harden\",\"children\":[{\"@id\":\"d3f:CredentialHardening\",\"children\":[{\"@id\":\"d3f:BiometricAuthentication\",\"d3f:d3fend-id\":\"D3-BAN\",\"d3f:definition\":\"Using biological measures in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Biometric Authentication\"},{\"@id\":\"d3f:Certificate-basedAuthentication\",\"d3f:d3fend-id\":\"D3-CBAN\",\"d3f:definition\":\"Requiring a digital certificate in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Certificate-based Authentication\"},{\"@id\":\"d3f:CertificatePinning\",\"d3f:d3fend-id\":\"D3-CP\",\"d3f:definition\":\"Persisting either a server's X509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Certificate Pinning\"},{\"@id\":\"d3f:CredentialTransmissionScoping\",\"d3f:d3fend-id\":\"D3-CTS\",\"d3f:definition\":\"Limiting the transmission of a credential to a scoped set of relying parties.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential 
Transmission Scoping\"},{\"@id\":\"d3f:DomainTrustPolicy\",\"d3f:d3fend-id\":\"D3-DTP\",\"d3f:definition\":\"Restricting inter-domain trust by modifying domain configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Domain Trust Policy\"},{\"@id\":\"d3f:Multi-factorAuthentication\",\"d3f:d3fend-id\":\"D3-MFA\",\"d3f:definition\":\"Requiring proof of two or more pieces of evidence in order to authenticate a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Multi-factor Authentication\"},{\"@id\":\"d3f:One-timePassword\",\"d3f:d3fend-id\":\"D3-OTP\",\"d3f:definition\":\"A one-time password is valid for only one user authentication.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"One-time Password\"},{\"@id\":\"d3f:StrongPasswordPolicy\",\"d3f:d3fend-id\":\"D3-SPP\",\"d3f:definition\":\"Modifying system configuration to increase password strength.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Strong Password Policy\"},{\"@id\":\"d3f:UserAccountPermissions\",\"d3f:d3fend-id\":\"D3-UAP\",\"d3f:definition\":\"Restricting a user account's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"User Account Permissions\"},{\"@id\":\"d3f:CredentialRotation\",\"d3f:d3fend-id\":\"D3-CRO\",\"d3f:definition\":\"Expiring an existing set of credentials and reissuing a new valid set\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Credential Rotation\"}],\"d3f:d3fend-id\":\"D3-CH\",\"d3f:definition\":\"Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.\",\"rdfs:label\":\"Credential 
Hardening\"},{\"@id\":\"d3f:PlatformHardening\",\"children\":[{\"@id\":\"d3f:BootloaderAuthentication\",\"d3f:d3fend-id\":\"D3-BA\",\"d3f:definition\":\"Cryptographically authenticating the bootloader software before system boot.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Bootloader Authentication\"},{\"@id\":\"d3f:DiskEncryption\",\"d3f:d3fend-id\":\"D3-DENCR\",\"d3f:definition\":\"Encrypting a hard disk partition to prevent cleartext access to a file system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Disk Encryption\"},{\"@id\":\"d3f:DriverLoadIntegrityChecking\",\"d3f:d3fend-id\":\"D3-DLIC\",\"d3f:definition\":\"Ensuring the integrity of drivers loaded during initialization of the operating system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Driver Load Integrity Checking\"},{\"@id\":\"d3f:FileEncryption\",\"d3f:d3fend-id\":\"D3-FE\",\"d3f:definition\":\"Encrypting a file using a cryptographic key.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Encryption\"},{\"@id\":\"d3f:LocalFilePermissions\",\"d3f:d3fend-id\":\"D3-LFP\",\"d3f:definition\":\"Restricting access to a local file by configuring operating system functionality.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Local File Permissions\"},{\"@id\":\"d3f:RFShielding\",\"d3f:d3fend-id\":\"D3-RFS\",\"d3f:definition\":\"Adding physical barriers to a platform to prevent undesired radio interference.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"RF Shielding\"},{\"@id\":\"d3f:SoftwareUpdate\",\"d3f:d3fend-id\":\"D3-SU\",\"d3f:definition\":\"Replacing old software on a computer system 
component.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Software Update\"},{\"@id\":\"d3f:SystemConfigurationPermissions\",\"d3f:d3fend-id\":\"D3-SCP\",\"d3f:definition\":\"Restricting system configuration modifications to a specific user or group of users.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"System Configuration Permissions\"},{\"@id\":\"d3f:TPMBootIntegrity\",\"d3f:d3fend-id\":\"D3-TBI\",\"d3f:definition\":\"Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"TPM Boot Integrity\"}],\"d3f:d3fend-id\":\"D3-PH\",\"d3f:definition\":\"Hardening components of a Platform with the intention of making them more difficult to exploit.\\n\\nPlatforms includes components such as:\\n* BIOS UEFI Subsystems\\n* Hardware security devices such as Trusted Platform Modules\\n* Boot process logic or code\\n* Kernel software components\",\"rdfs:label\":\"Platform Hardening\"},{\"@id\":\"d3f:ApplicationHardening\",\"children\":[{\"@id\":\"d3f:ApplicationConfigurationHardening\",\"d3f:d3fend-id\":\"D3-ACH\",\"d3f:definition\":\"Modifying an application's configuration to reduce its attack surface.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Application Configuration Hardening\"},{\"@id\":\"d3f:DeadCodeElimination\",\"d3f:d3fend-id\":\"D3-DCE\",\"d3f:definition\":\"Removing unreachable or \\\"dead code\\\" from compiled source code.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Dead 
Code Elimination\"},{\"@id\":\"d3f:ExceptionHandlerPointerValidation\",\"d3f:d3fend-id\":\"D3-EHPV\",\"d3f:definition\":\"Validates that a referenced exception handler pointer is a valid exception handler.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Exception Handler Pointer Validation\"},{\"@id\":\"d3f:PointerAuthentication\",\"d3f:d3fend-id\":\"D3-PAN\",\"d3f:definition\":\"Comparing the cryptographic hash or derivative of a pointer's value to an expected value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Pointer Authentication\"},{\"@id\":\"d3f:ProcessSegmentExecutionPrevention\",\"d3f:d3fend-id\":\"D3-PSEP\",\"d3f:definition\":\"Preventing execution of any address in a memory region other than the code segment.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Process Segment Execution Prevention\"},{\"@id\":\"d3f:SegmentAddressOffsetRandomization\",\"d3f:d3fend-id\":\"D3-SAOR\",\"d3f:definition\":\"Randomizing the base (start) address of one or more segments of memory during the initialization of a process.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Segment Address Offset Randomization\"},{\"@id\":\"d3f:StackFrameCanaryValidation\",\"d3f:d3fend-id\":\"D3-SFCV\",\"d3f:definition\":\"Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Stack Frame Canary Validation\"}],\"d3f:d3fend-id\":\"D3-AH\",\"d3f:definition\":\"Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. 
These techniques may be applied at compile-time or on an application binary.\",\"rdfs:label\":\"Application Hardening\"},{\"@id\":\"d3f:MessageHardening\",\"children\":[{\"@id\":\"d3f:MessageAuthentication\",\"d3f:d3fend-id\":\"D3-MAN\",\"d3f:definition\":\"Authenticating the sender of a message and ensuring message integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Message Authentication\"},{\"@id\":\"d3f:MessageEncryption\",\"d3f:d3fend-id\":\"D3-MENCR\",\"d3f:definition\":\"Encrypting a message body using a cryptographic key.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Message Encryption\"},{\"@id\":\"d3f:TransferAgentAuthentication\",\"d3f:d3fend-id\":\"D3-TAAN\",\"d3f:definition\":\"Validating that server components of a messaging infrastructure are authorized to send a particular message.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Transfer Agent Authentication\"}],\"d3f:d3fend-id\":\"D3-MH\",\"d3f:definition\":\"Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.\",\"rdfs:label\":\"Message Hardening\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Harden\"},{\"@id\":\"d3f:Detect\",\"children\":[{\"@id\":\"d3f:IdentifierAnalysis\",\"children\":[{\"@id\":\"d3f:HomoglyphDetection\",\"d3f:d3fend-id\":\"D3-HD\",\"d3f:definition\":\"Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Homoglyph 
Detection\"},{\"@id\":\"d3f:URLAnalysis\",\"d3f:d3fend-id\":\"D3-UA\",\"d3f:definition\":\"Determining if a URL is benign or malicious by analyzing the URL or its components.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"URL Analysis\"},{\"@id\":\"d3f:IdentifierReputationAnalysis\",\"children\":[{\"@id\":\"d3f:IPReputationAnalysis\",\"d3f:d3fend-id\":\"D3-IPRA\",\"d3f:definition\":\"Analyzing the reputation of an IP address.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"IP Reputation Analysis\"},{\"@id\":\"d3f:URLReputationAnalysis\",\"d3f:d3fend-id\":\"D3-URA\",\"d3f:definition\":\"Analyzing the reputation of a URL.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"URL Reputation Analysis\"},{\"@id\":\"d3f:DomainNameReputationAnalysis\",\"d3f:d3fend-id\":\"D3-DNRA\",\"d3f:definition\":\"Analyzing the reputation of a domain name.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Domain Name Reputation Analysis\"},{\"@id\":\"d3f:FileHashReputationAnalysis\",\"d3f:d3fend-id\":\"D3-FHRA\",\"d3f:definition\":\"Analyzing the reputation of a file hash.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Hash Reputation Analysis\"}],\"d3f:d3fend-id\":\"D3-IRA\",\"d3f:definition\":\"Analyzing the reputation of an identifier.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Identifier Reputation Analysis\"},{\"@id\":\"d3f:IdentifierActivityAnalysis\",\"d3f:d3fend-id\":\"D3-IAA\",\"d3f:definition\":\"Taking known malicious identifiers and determining if they are present in a system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Identifier 
Activity Analysis\"}],\"d3f:d3fend-id\":\"D3-ID\",\"d3f:definition\":\"Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.\",\"rdfs:label\":\"Identifier Analysis\"},{\"@id\":\"d3f:FileAnalysis\",\"children\":[{\"@id\":\"d3f:DynamicAnalysis\",\"d3f:d3fend-id\":\"D3-DA\",\"d3f:definition\":\"Executing or opening a file in a synthetic \\\"sandbox\\\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Dynamic Analysis\"},{\"@id\":\"d3f:EmulatedFileAnalysis\",\"d3f:d3fend-id\":\"D3-EFA\",\"d3f:definition\":\"Emulating instructions in a file looking for specific patterns.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Emulated File Analysis\"},{\"@id\":\"d3f:FileHashing\",\"d3f:d3fend-id\":\"D3-FH\",\"d3f:definition\":\"Employing file hash comparisons to detect known malware.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Hashing\"},{\"@id\":\"d3f:FileContentAnalysis\",\"children\":[{\"@id\":\"d3f:FileContentRules\",\"d3f:d3fend-id\":\"D3-FCR\",\"d3f:definition\":\"Employing a pattern matching rule language to analyze the content of files.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"File Content Rules\"}],\"d3f:d3fend-id\":\"D3-FCOA\",\"d3f:definition\":\"Employing a pattern matching algorithm to statically analyze the content of files.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Content Analysis\"}],\"d3f:d3fend-id\":\"D3-FA\",\"d3f:definition\":\"File Analysis is an analytic process to determine a file's status. 
For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.\",\"rdfs:label\":\"File Analysis\"},{\"@id\":\"d3f:NetworkTrafficAnalysis\",\"children\":[{\"@id\":\"d3f:AdministrativeNetworkActivityAnalysis\",\"d3f:d3fend-id\":\"D3-ANAA\",\"d3f:definition\":\"Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Administrative Network Activity Analysis\"},{\"@id\":\"d3f:ByteSequenceEmulation\",\"d3f:d3fend-id\":\"D3-BSE\",\"d3f:definition\":\"Analyzing sequences of bytes and determining if they likely represent malicious shellcode.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Byte Sequence Emulation\"},{\"@id\":\"d3f:CertificateAnalysis\",\"children\":[{\"@id\":\"d3f:ActiveCertificateAnalysis\",\"d3f:d3fend-id\":\"D3-ACA\",\"d3f:definition\":\"Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Active Certificate Analysis\"},{\"@id\":\"d3f:PassiveCertificateAnalysis\",\"d3f:d3fend-id\":\"D3-PCA\",\"d3f:definition\":[\"Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.\",\"Passively collecting certificates and analyzing them.\"],\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Passive Certificate Analysis\"}],\"d3f:d3fend-id\":\"D3-CA\",\"d3f:definition\":\"Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party 
logs.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Certificate Analysis\"},{\"@id\":\"d3f:Client-serverPayloadProfiling\",\"d3f:d3fend-id\":\"D3-CSPP\",\"d3f:definition\":\"Comparing client-server request and response payloads to a baseline profile to identify outliers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Client-server Payload Profiling\"},{\"@id\":\"d3f:ConnectionAttemptAnalysis\",\"d3f:d3fend-id\":\"D3-CAA\",\"d3f:definition\":\"Analyzing failed connections in a network to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Connection Attempt Analysis\"},{\"@id\":\"d3f:DNSTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-DNSTA\",\"d3f:definition\":\"Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"DNS Traffic Analysis\"},{\"@id\":\"d3f:FileCarving\",\"d3f:d3fend-id\":\"D3-FC\",\"d3f:definition\":\"Identifying and extracting files from network application protocols through the use of network stream reassembly software.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Carving\"},{\"@id\":\"d3f:InboundSessionVolumeAnalysis\",\"d3f:d3fend-id\":\"D3-ISVA\",\"d3f:definition\":\"Analyzing inbound network session or connection attempt volume.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Inbound Session Volume Analysis\"},{\"@id\":\"d3f:IPCTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-IPCTA\",\"d3f:definition\":\"Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol 
activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"7\"},\"rdfs:label\":\"IPC Traffic Analysis\"},{\"@id\":\"d3f:NetworkTrafficCommunityDeviation\",\"d3f:d3fend-id\":\"D3-NTCD\",\"d3f:definition\":\"Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Network Traffic Community Deviation\"},{\"@id\":\"d3f:PerHostDownload-UploadRatioAnalysis\",\"d3f:d3fend-id\":\"D3-PHDURA\",\"d3f:definition\":\"Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Per Host Download-Upload Ratio Analysis\"},{\"@id\":\"d3f:ProtocolMetadataAnomalyDetection\",\"d3f:d3fend-id\":\"D3-PMAD\",\"d3f:definition\":\"Collecting network communication protocol metadata and identifying statistical outliers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Protocol Metadata Anomaly Detection\"},{\"@id\":\"d3f:RelayPatternAnalysis\",\"d3f:d3fend-id\":\"D3-RPA\",\"d3f:definition\":\"The detection of an internal host relaying traffic between the internal network and the external network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Relay Pattern Analysis\"},{\"@id\":\"d3f:RemoteTerminalSessionDetection\",\"d3f:d3fend-id\":\"D3-RTSD\",\"d3f:definition\":\"Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Remote Terminal Session 
Detection\"},{\"@id\":\"d3f:RPCTrafficAnalysis\",\"d3f:d3fend-id\":\"D3-RTA\",\"d3f:definition\":\"Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"8\"},\"rdfs:label\":\"RPC Traffic Analysis\"}],\"d3f:d3fend-id\":\"D3-NTA\",\"d3f:definition\":\"Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.\",\"rdfs:label\":\"Network Traffic Analysis\"},{\"@id\":\"d3f:PlatformMonitoring\",\"children\":[{\"@id\":\"d3f:FirmwareBehaviorAnalysis\",\"d3f:d3fend-id\":\"D3-FBA\",\"d3f:definition\":\"Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Firmware Behavior Analysis\"},{\"@id\":\"d3f:FirmwareEmbeddedMonitoringCode\",\"d3f:d3fend-id\":\"D3-FEMC\",\"d3f:definition\":\"Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Firmware Embedded Monitoring Code\"},{\"@id\":\"d3f:FirmwareVerification\",\"children\":[{\"@id\":\"d3f:PeripheralFirmwareVerification\",\"d3f:d3fend-id\":\"D3-PFV\",\"d3f:definition\":\"Cryptographically verifying peripheral firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Peripheral Firmware Verification\"},{\"@id\":\"d3f:SystemFirmwareVerification\",\"d3f:d3fend-id\":\"D3-SFV\",\"d3f:definition\":\"Cryptographically verifying installed system firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"System Firmware 
Verification\"}],\"d3f:d3fend-id\":\"D3-FV\",\"d3f:definition\":\"Cryptographically verifying firmware integrity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Firmware Verification\"},{\"@id\":\"d3f:OperatingSystemMonitoring\",\"children\":[{\"@id\":\"d3f:EndpointHealthBeacon\",\"d3f:d3fend-id\":\"D3-EHB\",\"d3f:definition\":\"Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Endpoint Health Beacon\"},{\"@id\":\"d3f:InputDeviceAnalysis\",\"d3f:d3fend-id\":\"D3-IDA\",\"d3f:definition\":\"Operating system level mechanisms to prevent abusive input device exploitation.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Input Device Analysis\"},{\"@id\":\"d3f:MemoryBoundaryTracking\",\"d3f:d3fend-id\":\"D3-MBT\",\"d3f:definition\":\"Analyzing a call stack for return addresses which point to unexpected memory locations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Memory Boundary Tracking\"},{\"@id\":\"d3f:ScheduledJobAnalysis\",\"d3f:d3fend-id\":\"D3-SJA\",\"d3f:definition\":\"Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Scheduled Job Analysis\"},{\"@id\":\"d3f:SystemDaemonMonitoring\",\"d3f:d3fend-id\":\"D3-SDM\",\"d3f:definition\":\"Tracking changes to the state or configuration of critical system level 
processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System Daemon Monitoring\"},{\"@id\":\"d3f:SystemFileAnalysis\",\"children\":[{\"@id\":\"d3f:ServiceBinaryVerification\",\"d3f:d3fend-id\":\"D3-SBV\",\"d3f:definition\":\"Analyzing changes in service binary files by comparing to a source of truth.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Service Binary Verification\"}],\"d3f:d3fend-id\":\"D3-SFA\",\"d3f:definition\":\"Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System File Analysis\"},{\"@id\":\"d3f:SystemInitConfigAnalysis\",\"d3f:d3fend-id\":\"D3-SICA\",\"d3f:definition\":\"Analysis of any system process startup configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"System Init Config Analysis\"},{\"@id\":\"d3f:UserSessionInitConfigAnalysis\",\"d3f:d3fend-id\":\"D3-USICA\",\"d3f:definition\":\"Analyzing modifications to user session config files such as .bashrc or .bash_profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"User Session Init Config Analysis\"}],\"d3f:d3fend-id\":\"D3-OSM\",\"d3f:definition\":\"The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes other key system daemons and their configuration. 
The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Operating System Monitoring\"},{\"@id\":\"d3f:FileIntegrityMonitoring\",\"d3f:d3fend-id\":\"D3-FIM\",\"d3f:definition\":\"Detecting any suspicious changes to files in a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"File Integrity Monitoring\"}],\"d3f:d3fend-id\":\"D3-PM\",\"d3f:definition\":\"Monitoring platform components such as operating systems software, hardware devices, or firmware.\",\"rdfs:label\":\"Platform Monitoring\"},{\"@id\":\"d3f:ProcessAnalysis\",\"children\":[{\"@id\":\"d3f:DatabaseQueryStringAnalysis\",\"d3f:d3fend-id\":\"D3-DQSA\",\"d3f:definition\":\"Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Database Query String Analysis\"},{\"@id\":\"d3f:FileAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-FAPA\",\"d3f:definition\":\"Analyzing the files accessed by a process to identify unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Access Pattern Analysis\"},{\"@id\":\"d3f:IndirectBranchCallAnalysis\",\"d3f:d3fend-id\":\"D3-IBCA\",\"d3f:definition\":\"Analyzing vendor specific branch call recording in order to detect ROP style attacks.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Indirect Branch Call Analysis\"},{\"@id\":\"d3f:ProcessCodeSegmentVerification\",\"d3f:d3fend-id\":\"D3-PCSV\",\"d3f:definition\":\"Comparing the \\\"text\\\" or \\\"code\\\" memory segments to a source of 
truth.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"6\"},\"rdfs:label\":\"Process Code Segment Verification\"},{\"@id\":\"d3f:ProcessSelf-ModificationDetection\",\"d3f:d3fend-id\":\"D3-PSMD\",\"d3f:definition\":\"Detects processes that modify, change, or replace their own code at runtime.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Process Self-Modification Detection\"},{\"@id\":\"d3f:ProcessSpawnAnalysis\",\"children\":[{\"@id\":\"d3f:ProcessLineageAnalysis\",\"d3f:d3fend-id\":\"D3-PLA\",\"d3f:definition\":\"Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"18\"},\"rdfs:label\":\"Process Lineage Analysis\"}],\"d3f:d3fend-id\":\"D3-PSA\",\"d3f:definition\":\"Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"42\"},\"rdfs:label\":\"Process Spawn Analysis\"},{\"@id\":\"d3f:ScriptExecutionAnalysis\",\"d3f:d3fend-id\":\"D3-SEA\",\"d3f:definition\":\"Analyzing the execution of a script to detect unauthorized user activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Script Execution Analysis\"},{\"@id\":\"d3f:ShadowStackComparisons\",\"d3f:d3fend-id\":\"D3-SSC\",\"d3f:definition\":\"Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Shadow Stack 
Comparisons\"},{\"@id\":\"d3f:SystemCallAnalysis\",\"children\":[{\"@id\":\"d3f:FileCreationAnalysis\",\"d3f:d3fend-id\":\"D3-FCA\",\"d3f:definition\":\"Analyzing the properties of file create system call invocations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"File Creation Analysis\"}],\"d3f:d3fend-id\":\"D3-SCA\",\"d3f:definition\":\"Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"8\"},\"rdfs:label\":\"System Call Analysis\"}],\"d3f:d3fend-id\":\"D3-PA\",\"d3f:definition\":\"Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.\",\"rdfs:label\":\"Process Analysis\"},{\"@id\":\"d3f:MessageAnalysis\",\"children\":[{\"@id\":\"d3f:SenderMTAReputationAnalysis\",\"d3f:d3fend-id\":\"D3-SMRA\",\"d3f:definition\":\"Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Sender MTA Reputation Analysis\"},{\"@id\":\"d3f:SenderReputationAnalysis\",\"d3f:d3fend-id\":\"D3-SRA\",\"d3f:definition\":\"Ascertaining sender reputation based on information associated with a message (e.g. 
email/instant messaging).\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Sender Reputation Analysis\"}],\"d3f:d3fend-id\":\"D3-MA\",\"d3f:definition\":\"Analyzing email or instant message content to detect unauthorized activity.\",\"rdfs:label\":\"Message Analysis\"},{\"@id\":\"d3f:UserBehaviorAnalysis\",\"children\":[{\"@id\":\"d3f:AuthenticationEventThresholding\",\"d3f:d3fend-id\":\"D3-ANET\",\"d3f:definition\":\"Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Authentication Event Thresholding\"},{\"@id\":\"d3f:AuthorizationEventThresholding\",\"d3f:d3fend-id\":\"D3-AZET\",\"d3f:definition\":\"Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Authorization Event Thresholding\"},{\"@id\":\"d3f:CredentialCompromiseScopeAnalysis\",\"d3f:d3fend-id\":\"D3-CCSA\",\"d3f:definition\":\"Determining which credentials may have been compromised by analyzing the user logon history of a particular system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Credential Compromise Scope Analysis\"},{\"@id\":\"d3f:DomainAccountMonitoring\",\"d3f:d3fend-id\":\"D3-DAM\",\"d3f:definition\":\"Monitoring the existence of or changes to Domain User Accounts.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Domain Account Monitoring\"},{\"@id\":\"d3f:JobFunctionAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-JFAPA\",\"d3f:definition\":\"Detecting anomalies in user access patterns 
by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Job Function Access Pattern Analysis\"},{\"@id\":\"d3f:LocalAccountMonitoring\",\"d3f:d3fend-id\":\"D3-LAM\",\"d3f:definition\":\"Analyzing local user accounts to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Local Account Monitoring\"},{\"@id\":\"d3f:ResourceAccessPatternAnalysis\",\"d3f:d3fend-id\":\"D3-RAPA\",\"d3f:definition\":\"Analyzing the resources accessed by a user to identify unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"rdfs:label\":\"Resource Access Pattern Analysis\"},{\"@id\":\"d3f:SessionDurationAnalysis\",\"d3f:d3fend-id\":\"D3-SDA\",\"d3f:definition\":\"Analyzing the duration of user sessions in order to detect unauthorized activity.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Session Duration Analysis\"},{\"@id\":\"d3f:UserDataTransferAnalysis\",\"d3f:d3fend-id\":\"D3-UDTA\",\"d3f:definition\":\"Analyzing the amount of data transferred by a user.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"User Data Transfer Analysis\"},{\"@id\":\"d3f:UserGeolocationLogonPatternAnalysis\",\"d3f:d3fend-id\":\"D3-UGLPA\",\"d3f:definition\":\"Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"User Geolocation Logon Pattern 
Analysis\"},{\"@id\":\"d3f:WebSessionActivityAnalysis\",\"d3f:d3fend-id\":\"D3-WSAA\",\"d3f:definition\":\"Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Web Session Activity Analysis\"}],\"d3f:d3fend-id\":\"D3-UBA\",\"d3f:definition\":\"User behavior analytics (\\\"UBA\\\") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.\",\"rdfs:label\":\"User Behavior Analysis\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Detect\"},{\"@id\":\"d3f:Isolate\",\"children\":[{\"@id\":\"d3f:NetworkIsolation\",\"children\":[{\"@id\":\"d3f:BroadcastDomainIsolation\",\"d3f:d3fend-id\":\"D3-BDI\",\"d3f:definition\":\"Broadcast isolation restricts the number of computers a host can contact on their LAN.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Broadcast Domain Isolation\"},{\"@id\":\"d3f:DNSAllowlisting\",\"d3f:d3fend-id\":\"D3-DNSAL\",\"d3f:definition\":\"Permitting only approved domains and their subdomains to be 
resolved.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"DNS Allowlisting\"},{\"@id\":\"d3f:DNSDenylisting\",\"children\":[{\"@id\":\"d3f:ForwardResolutionDomainDenylisting\",\"children\":[{\"@id\":\"d3f:HierarchicalDomainDenylisting\",\"d3f:d3fend-id\":\"D3-HDDL\",\"d3f:definition\":\"Blocking the resolution of any subdomain of a specified domain name.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Hierarchical Domain Denylisting\"},{\"@id\":\"d3f:HomoglyphDenylisting\",\"d3f:d3fend-id\":\"D3-HDL\",\"d3f:definition\":\"Blocking DNS queries that are deceptively similar to legitimate domain names.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Homoglyph Denylisting\"}],\"d3f:d3fend-id\":\"D3-FRDDL\",\"d3f:definition\":\"Blocking a lookup based on the query's domain name value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Forward Resolution Domain Denylisting\"},{\"@id\":\"d3f:ForwardResolutionIPDenylisting\",\"d3f:d3fend-id\":\"D3-FRIDL\",\"d3f:definition\":\"Blocking a DNS lookup's answer's IP address value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Forward Resolution IP Denylisting\"},{\"@id\":\"d3f:ReverseResolutionDomainDenylisting\",\"d3f:d3fend-id\":\"D3-RRDD\",\"d3f:definition\":\"Blocking a reverse DNS lookup's answer's domain name value.\",\"rdfs:label\":\"Reverse Resolution Domain Denylisting\"},{\"@id\":\"d3f:ReverseResolutionIPDenylisting\",\"d3f:d3fend-id\":\"D3-RRID\",\"d3f:definition\":\"Blocking a reverse lookup based on the query's IP address value.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Reverse Resolution IP 
Denylisting\"}],\"d3f:d3fend-id\":\"D3-DNSDL\",\"d3f:definition\":\"Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"DNS Denylisting\"},{\"@id\":\"d3f:EncryptedTunnels\",\"d3f:d3fend-id\":\"D3-ET\",\"d3f:definition\":\"Encrypted encapsulation of routable network traffic.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Encrypted Tunnels\"},{\"@id\":\"d3f:NetworkTrafficFiltering\",\"children\":[{\"@id\":\"d3f:InboundTrafficFiltering\",\"children\":[{\"@id\":\"d3f:EmailFiltering\",\"d3f:d3fend-id\":\"D3-EF\",\"d3f:definition\":\"Filtering incoming email traffic based on specific criteria.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Email Filtering\"}],\"d3f:d3fend-id\":\"D3-ITF\",\"d3f:definition\":\"Restricting network traffic originating from untrusted networks destined towards a private host or enclave.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"9\"},\"rdfs:label\":\"Inbound Traffic Filtering\"},{\"@id\":\"d3f:OutboundTrafficFiltering\",\"d3f:d3fend-id\":\"D3-OTF\",\"d3f:definition\":\"Restricting network traffic originating from a private host or enclave destined towards untrusted networks.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Outbound Traffic Filtering\"}],\"d3f:d3fend-id\":\"D3-NTF\",\"d3f:definition\":\"Restricting network traffic originating from any location.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"9\"},\"rdfs:label\":\"Network Traffic Filtering\"}],\"d3f:d3fend-id\":\"D3-NI\",\"d3f:definition\":\"Network Isolation techniques prevent network hosts from accessing non-essential system network 
resources.\",\"rdfs:label\":\"Network Isolation\"},{\"@id\":\"d3f:ExecutionIsolation\",\"children\":[{\"@id\":\"d3f:ExecutableAllowlisting\",\"d3f:d3fend-id\":\"D3-EAL\",\"d3f:definition\":\"Using a digital signature to authenticate a file before opening.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Executable Allowlisting\"},{\"@id\":\"d3f:ExecutableDenylisting\",\"d3f:d3fend-id\":\"D3-EDL\",\"d3f:definition\":\"Blocking the execution of files on a host in accordance with defined application policy rules.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Executable Denylisting\"},{\"@id\":\"d3f:Hardware-basedProcessIsolation\",\"d3f:d3fend-id\":\"D3-HBPI\",\"d3f:definition\":\"Preventing one process from writing to the memory space of another process through hardware based address manager implementations.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Hardware-based Process Isolation\"},{\"@id\":\"d3f:IOPortRestriction\",\"d3f:d3fend-id\":\"D3-IOPR\",\"d3f:definition\":\"Limiting access to computer input/output (IO) ports to restrict unauthorized devices.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"IO Port Restriction\"},{\"@id\":\"d3f:Kernel-basedProcessIsolation\",\"children\":[{\"@id\":\"d3f:MandatoryAccessControl\",\"d3f:d3fend-id\":\"D3-MAC\",\"d3f:definition\":\"Controlling access to local computer system resources with kernel-level capabilities.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Mandatory Access Control\"},{\"@id\":\"d3f:SystemCallFiltering\",\"d3f:d3fend-id\":\"D3-SCF\",\"d3f:definition\":\"Configuring a kernel to use an allow or deny list to filter kernel api 
calls.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"System Call Filtering\"}],\"d3f:d3fend-id\":\"D3-KBPI\",\"d3f:definition\":\"Using kernel-level capabilities to isolate processes.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Kernel-based Process Isolation\"}],\"d3f:d3fend-id\":\"D3-EI\",\"d3f:definition\":\"Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.\",\"rdfs:label\":\"Execution Isolation\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Isolate\"},{\"@id\":\"d3f:Deceive\",\"children\":[{\"@id\":\"d3f:DecoyEnvironment\",\"children\":[{\"@id\":\"d3f:ConnectedHoneynet\",\"d3f:d3fend-id\":\"D3-CHN\",\"d3f:definition\":\"A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Connected Honeynet\"},{\"@id\":\"d3f:IntegratedHoneynet\",\"d3f:d3fend-id\":\"D3-IHN\",\"d3f:definition\":\"The practice of setting decoys in a production environment to entice interaction from attackers.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Integrated Honeynet\"},{\"@id\":\"d3f:StandaloneHoneynet\",\"d3f:d3fend-id\":\"D3-SHN\",\"d3f:definition\":\"An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise 
systems.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Standalone Honeynet\"}],\"d3f:d3fend-id\":\"D3-DE\",\"d3f:definition\":\"A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.\",\"rdfs:label\":\"Decoy Environment\"},{\"@id\":\"d3f:DecoyObject\",\"children\":[{\"@id\":\"d3f:DecoyFile\",\"d3f:d3fend-id\":\"D3-DF\",\"d3f:definition\":\"A file created for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Decoy File\"},{\"@id\":\"d3f:DecoyNetworkResource\",\"d3f:d3fend-id\":\"D3-DNR\",\"d3f:definition\":\"Deploying a network resource for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"rdfs:label\":\"Decoy Network Resource\"},{\"@id\":\"d3f:DecoyPersona\",\"d3f:d3fend-id\":\"D3-DP\",\"d3f:definition\":\"Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Decoy Persona\"},{\"@id\":\"d3f:DecoyPublicRelease\",\"d3f:d3fend-id\":\"D3-DPR\",\"d3f:definition\":\"Issuing publicly released media to deceive adversaries.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Decoy Public Release\"},{\"@id\":\"d3f:DecoySessionToken\",\"d3f:d3fend-id\":\"D3-DST\",\"d3f:definition\":\"An authentication token created for the purposes of deceiving an adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Decoy Session Token\"},{\"@id\":\"d3f:DecoyUserCredential\",\"d3f:d3fend-id\":\"D3-DUC\",\"d3f:definition\":\"A Credential created for the purpose of deceiving an 
adversary.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"rdfs:label\":\"Decoy User Credential\"}],\"d3f:d3fend-id\":\"D3-DO\",\"d3f:definition\":\"A Decoy Object is created and deployed for the purposes of deceiving attackers.\",\"rdfs:label\":\"Decoy Object\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"3\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Deceive\"},{\"@id\":\"d3f:Evict\",\"children\":[{\"@id\":\"d3f:FileEviction\",\"children\":[{\"@id\":\"d3f:FileRemoval\",\"children\":[{\"@id\":\"d3f:EmailRemoval\",\"d3f:d3fend-id\":\"D3-ER\",\"d3f:definition\":\"The email removal technique deletes email files from system storage.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Email Removal\"}],\"d3f:d3fend-id\":\"D3-FR\",\"d3f:definition\":\"The file removal technique deletes malicious artifacts or programs from a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"File Removal\"}],\"d3f:d3fend-id\":\"D3-FEV\",\"d3f:definition\":\"File eviction techniques evict files from system storage.\",\"rdfs:label\":\"File Eviction\"},{\"@id\":\"d3f:CredentialEviction\",\"children\":[{\"@id\":\"d3f:AccountLocking\",\"d3f:d3fend-id\":\"D3-AL\",\"d3f:definition\":\"The process of temporarily disabling user accounts on a system or domain.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Account Locking\"},{\"@id\":\"d3f:AuthenticationCacheInvalidation\",\"d3f:d3fend-id\":\"D3-ANCI\",\"d3f:definition\":\"Removing tokens or credentials from an authentication cache to prevent further user associated account 
accesses.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Authentication Cache Invalidation\"},{\"@id\":\"d3f:CredentialRevoking\",\"d3f:d3fend-id\":\"D3-CR\",\"d3f:definition\":\"Deleting a set of credentials permanently to prevent them from being used to authenticate.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Credential Revoking\"}],\"d3f:d3fend-id\":\"D3-CE\",\"d3f:definition\":\"Credential Eviction techniques disable or remove compromised credentials from a computer network.\",\"rdfs:label\":\"Credential Eviction\"},{\"@id\":\"d3f:ProcessEviction\",\"children\":[{\"@id\":\"d3f:ProcessTermination\",\"d3f:d3fend-id\":\"D3-PT\",\"d3f:definition\":\"Terminating a running application process on a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"2\"},\"rdfs:label\":\"Process Termination\"},{\"@id\":\"d3f:ProcessSuspension\",\"d3f:d3fend-id\":\"D3-PS\",\"d3f:definition\":\"Suspending a running process on a computer system.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Process Suspension\"}],\"d3f:d3fend-id\":\"D3-PE\",\"d3f:definition\":\"Process eviction techniques terminate or remove running process.\",\"rdfs:label\":\"Process Eviction\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"4\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Evict\"},{\"@id\":\"d3f:Restore\",\"children\":[{\"@id\":\"d3f:RestoreAccess\",\"children\":[{\"@id\":\"d3f:RestoreNetworkAccess\",\"d3f:d3fend-id\":\"D3-RNA\",\"d3f:definition\":\"Restoring a entity's access to a computer network.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore 
Network Access\"},{\"@id\":\"d3f:RestoreUserAccountAccess\",\"children\":[{\"@id\":\"d3f:UnlockAccount\",\"d3f:d3fend-id\":\"D3-ULA\",\"d3f:definition\":\"Restoring a user account's access to resources by unlocking a locked User Account.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Unlock Account\"}],\"d3f:d3fend-id\":\"D3-RUAA\",\"d3f:definition\":\"Restoring a user account's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore User Account Access\"}],\"d3f:d3fend-id\":\"D3-RA\",\"d3f:definition\":\"Restoring an entity's access to resources.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Access\"},{\"@id\":\"d3f:RestoreObject\",\"children\":[{\"@id\":\"d3f:RestoreConfiguration\",\"d3f:d3fend-id\":\"D3-RC\",\"d3f:definition\":\"Restoring an software configuration.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Configuration\"},{\"@id\":\"d3f:RestoreDatabase\",\"d3f:d3fend-id\":\"D3-RD\",\"d3f:definition\":\"Restoring the data in a database.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Database\"},{\"@id\":\"d3f:RestoreDiskImage\",\"d3f:d3fend-id\":\"D3-RDI\",\"d3f:definition\":\"Restoring a previously captured disk image a hard drive.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Disk Image\"},{\"@id\":\"d3f:RestoreFile\",\"children\":[{\"@id\":\"d3f:RestoreEmail\",\"d3f:d3fend-id\":\"D3-RE\",\"d3f:definition\":\"Restoring an email for an entity to access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore 
Email\"}],\"d3f:d3fend-id\":\"D3-RF\",\"d3f:definition\":\"Restoring a file for an entity to access.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore File\"},{\"@id\":\"d3f:RestoreSoftware\",\"d3f:d3fend-id\":\"D3-RS\",\"d3f:definition\":\"Restoring software to a host.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Restore Software\"},{\"@id\":\"d3f:ReissueCredential\",\"d3f:d3fend-id\":\"D3-RC\",\"d3f:definition\":\"Issue a new credential to a user which supercedes their old credential.\",\"d3f:ref-count\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"1\"},\"rdfs:label\":\"Reissue Credential\"}],\"d3f:d3fend-id\":\"D3-RO\",\"d3f:definition\":\"Restoring an object for an entity to access. This is the broadest class for object restoral.\",\"rdfs:label\":\"Restore Object\"}],\"d3f:display-order\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"5\"},\"d3f:display-priority\":{\"@type\":\"http://www.w3.org/2001/XMLSchema#integer\",\"@value\":\"0\"},\"d3f:type\":\"toplevel\",\"rdfs:label\":\"Restore\"}]"}</script>
<script type="application/json" data-sveltekit-fetched data-url="/api/version.json">{"status":200,"statusText":"","headers":{},"body":"{\"version\":\"0.13.0-BETA-1\",\"release_date\":\"2023-10-30T00:00:00.000Z\"}"}</script>
<script>
// Client bootstrap: publishes a global config object, dynamically imports the
// start and app entry modules, and hands the app to kit.start() together with
// the element that contains this script.
// NOTE(review): this is an inline script, so a Content-Security-Policy without
// 'unsafe-inline' would need a hash or nonce for it; confirm against the
// deployed policy.
{
// Assigned without a declaration, so in this classic (non-module) script it
// becomes a property of the global object. Presumably read by the imported
// bundles; they are not visible here.
__sveltekit_1u3yu3c = {
// Pathname of ".." resolved against the current location, with the last
// character removed (presumably the trailing slash).
base: new URL("..", location).pathname.slice(0, -1),
env: {}
};
// Read synchronously: document.currentScript is only set while this script
// is executing, not later inside the promise callback below.
const element = document.currentScript.parentElement;
// Three null entries, matching the three node_ids passed to kit.start().
const data = [null,null,null];
// Both entry modules are fetched in parallel; start() runs once both resolve.
Promise.all([
import("../_app/immutable/entry/start.7cda07fe.js"),
import("../_app/immutable/entry/app.7f96160f.js")
]).then(([kit, app]) => {
kit.start(app, element, {
node_ids: [0, 2, 41],
data,
form: null,
error: null
});
});
// Service worker registration is feature-detected and deferred to the window
// load event. The promise returned by register() is neither awaited nor
// caught, so a failed registration is silent here.
// NOTE(review): a registered worker can intercept requests for pages in its
// scope; confirm ../service-worker.js comes from the same trusted build as
// this page and is replaced on every deploy.
if ('serviceWorker' in navigator) {
addEventListener('load', function () {
navigator.serviceWorker.register('../service-worker.js');
});
}
}
</script>
</div>
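<!-- Google Analytics (gtag.js). The tag is injected only when the page is not
     served from a loopback host, so local development sends no analytics. -->
<!-- Empty placeholder element; nothing visible in this file reads it. Kept so
     that any external lookup of id="atarget" keeps working. -->
<script id="atarget" async>
</script>
<script>
  // Loads the Google Analytics tag at runtime, except on loopback hosts.
  //
  // NOTE(review): the injected third-party script executes with this page's
  // privileges. If a Content-Security-Policy is deployed, script-src has to
  // allow https://www.googletagmanager.com as well as this inline block.
  // NOTE(review): the property ID is hard-coded, so a fork that deploys this
  // page unchanged reports to the same property; confirm that is intended.
  if (!["localhost", "127.0.0.1", "[::1]"].includes(window.location.hostname)) {
    const gaID = "UA-200005342-1";

    // Reuse an existing queue if another script created one first.
    window.dataLayer = window.dataLayer || [];

    // Queues the arguments object itself, unchanged from the original snippet.
    // Kept as a function declaration so `gtag` stays callable from other scripts.
    function gtag() {
      dataLayer.push(arguments);
    }

    gtag("js", new Date());
    gtag("config", gaID);

    // gaID is a constant from this file, never user input, so interpolating
    // it into the URL is safe as written.
    const script = document.createElement("script");
    script.async = true;
    script.src = `https://www.googletagmanager.com/gtag/js?id=${gaID}`;
    document.body.appendChild(script);
  } else {
    console.info("Analytics disabled in development mode");
  }
</script>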
</body>
</html>