MITRE D3FEND –

Question 1

What is MITRE D3FEND?

Answer 1

A framework that describes defensive techniques to counter known adversary behaviors documented in MITRE ATT&CK.

Question 2

What is the main goal of D3FEND?

Answer 2

To standardize and document cyber defense techniques against real-world threats.

Question 3

What type of model is D3FEND based on?

Answer 3

A knowledge graph model that shows relationships between defense techniques and threat behaviors.

Question 4

How does D3FEND complement MITRE ATT&CK?

Answer 4

D3FEND maps defensive capabilities directly to the offensive techniques in ATT&CK.

Question 5

Name a major category in D3FEND techniques.

Answer 5

Harden, Detect, Deceive, Evict, or Isolate.

Question 6

What category focuses on prevention measures like patching and configuration?

Answer 6

Harden

Question 7

What category includes methods like logging and monitoring?

Answer 7

Detect

Question 8

What does the “Deceive” category in D3FEND involve?

Answer 8

Using techniques like honeypots and decoy credentials to mislead attackers.

Question 9

Which category includes stopping or removing adversaries from systems?

Answer 9

Evict

Question 10

Which D3FEND category involves segmenting systems to prevent attacker movement?

Answer 10

Isolate

Question 11

What is “Credential Hash Storage Protection”?

Answer 11

A D3FEND hardening technique that protects against credential theft (e.g., LSASS memory dumps).

Question 12

What is “Process Argument Analysis”?

Answer 12

A detection technique analyzing command-line arguments for malicious patterns.

Question 13

What is “Network Traffic Analysis”?

Answer 13

A detection technique that monitors network data to detect anomalies or C2 traffic.

Question 14

What is “Executable Allowlisting”?

Answer 14

A hardening technique that allows only trusted applications to run on a system.

Question 15

What does “Decoy File” mean in D3FEND?

Answer 15

A file placed intentionally to detect or mislead attackers when accessed.

Question 16

What is “DNS Traffic Analysis”?

Answer 16

A detection technique that analyzes DNS queries to uncover potential command-and-control activity.

Question 17

What is “Host-Based Firewall Rules”?

Answer 17

A hardening technique involving custom firewall configurations at the host level.

Question 18

What is “Memory Access Pattern Analysis”?

Answer 18

Detecting malicious behavior by analyzing how memory is accessed.

Question 19

What is “Software Update”?

Answer 19

A hardening measure to prevent exploitation of known vulnerabilities.

Question 20

Which ATT&CK technique can be countered by D3FEND’s “Multi-Factor Authentication”?

Answer 20

Valid Accounts (T1078).

Question 21

What ATT&CK technique is countered by “Executable Allowlisting”?

Answer 21

Scripting / Command and Scripting Interpreter (T1059).

Question 22

Which D3FEND technique helps detect lateral movement using PsExec?

Answer 22

Process Creation Analysis and Network Connection Monitoring.

Question 23

What D3FEND technique counters LSASS dumping?

Answer 23

Credential Hash Storage Protection.

Question 24

What technique in D3FEND can help detect phishing payloads?

Answer 24

Attachment Inspection and Email Behavior Analysis.

Question 25

What defense technique can be used to identify brute-force login attempts?

Answer 25

Authentication Log Analysis.

Question 26

What technique helps in detecting beaconing activity?

Answer 26

Network Traffic Flow Analysis.

Question 27

What does “Deceptive Environment” refer to?

Answer 27

A controlled trap environment (e.g., honeynet) that lures attackers for analysis.

Question 28

How can “Session Termination” be used defensively?

Answer 28

To disconnect malicious sessions once detected (Evict category).

Question 29

How is D3FEND useful in building defense-in-depth strategies?

Answer 29

It offers layered defensive options mapped directly to known attack techniques for comprehensive security.

Question 30

What is Decoy Credentials in D3FEND used for?

Answer 30

To trick adversaries into using fake credentials, which can trigger alerts when used.

Question 31

What does Application Layer Filtering help defend against?

Answer 31

Malicious web traffic and application exploits by filtering content at the application layer.

Question 32

What is the goal of Filesystem Monitoring?

Answer 32

To detect unauthorized or abnormal changes to files or directories.

Question 33

What is Packet Inspection in a D3FEND context?

Answer 33

Examining packet contents for signatures of malicious behavior or policy violations.

Question 34

What is Process Chain Analysis used for?

Answer 34

To trace parent-child relationships between processes to spot unusual or malicious behavior.

Question 35

What is Decoy System in D3FEND?

Answer 35

A honeypot or sandbox system designed to attract attackers and observe their behavior.

Question 36

What is the purpose of Dynamic Analysis?

Answer 36

To observe the behavior of files, binaries, or scripts during execution in a controlled environment.

Question 37

What D3FEND technique involves tracking endpoint actions in real time?

Answer 37

Endpoint Telemetry.

Question 38

What is Log Aggregation?

Answer 38

Centralizing logs from multiple sources to simplify analysis and correlation.

Question 39

What technique analyzes the size, timing, and flow of network traffic?

Answer 39

Traffic Flow Analysis.

Question 40

What is Integrity Monitoring?

Answer 40

Checking for unauthorized or unexpected changes to system files, configurations, or software.

Question 41

What technique can detect abuse of remote access software?

Answer 41

Remote Access Monitoring.

Question 42

What D3FEND technique helps in detecting credential reuse or brute force attacks?

Answer 42

Credential Use Monitoring.

Question 43

What is DNS Sinkholing?

Answer 43

Redirecting malicious DNS requests to a non-routable address to prevent C2 communication.

Question 44

What D3FEND technique can alert when USB devices are connected to hosts?

Answer 44

Device Connection Monitoring.

Question 45

What is the goal of Patch Management in D3FEND?

Answer 45

To fix known vulnerabilities and reduce attack surface.

Question 46

What is System Call Monitoring used for?

Answer 46

Detecting low-level OS interactions that may indicate exploitation or malware activity.

Question 47

What is Executable Metadata Analysis?

Answer 47

Reviewing properties of executables (like hashes, names, certificates) for threat indicators.

Question 48

What does Decoy Network Artifact refer to?

Answer 48

Fictitious hostnames, IPs, or services created to lure and detect attacker scans.

Question 49

How does Protocol Decoding help defenders?

Answer 49

By translating raw network traffic into human-readable form to analyze for anomalies.

Question 50

What is Decoy User Account in D3FEND?

Answer 50

A fake user account used to attract and detect unauthorized login attempts.