MITRE D3FEND Automation and Incident Response
Execute MITRE’s Recommended Defensive Techniques
Leverage the valuable insights of the MITRE D3FEND framework in your security operations through Smart SOAR. Deploy automated playbooks that fill the gaps between your security tools in order to execute defensive techniques against the most prevalent incident types.
What is MITRE D3FEND?
MITRE D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense) is an ongoing project by MITRE Corporation, the same organization responsible for MITRE ATT&CK. D3FEND is designed to complement ATT&CK by focusing on defensive techniques and strategies, whereas ATT&CK primarily focuses on describing offensive techniques used by adversaries. It includes guidance on how organizations can defend against known attack techniques described in MITRE ATT&CK.
How MITRE D3FEND Is Used in Security Operations
Because D3FEND is much newer than ATT&CK, fewer security teams have found ways to put it into practice, which is a missed opportunity. D3FEND can be used to inform detection and response workflows across its six stages, ensuring that each one is addressed. At D3, we use D3FEND when designing our integrations, ensuring that each integration has the functionality needed to perform the D3FEND techniques associated with common incident types.
MITRE D3FEND SOAR Playbooks
MITRE’s recommendations are an excellent basis for effective SecOps playbooks. That’s why Smart SOAR comes with playbooks based on D3FEND for common ATT&CK techniques. To learn more about how you can operationalize D3FEND through Smart SOAR, read one of our playbook breakdowns.
Scheduled Task/Job
Implementing MITRE D3FEND for ATT&CK Technique T1053: Scheduled Task/Job
Command and Scripting Interpreter
Implementing MITRE D3FEND for ATT&CK Technique T1059: Command and Scripting Interpreter