BTLO: D3FEND

Faishol Hakim
3 min read · Nov 16, 2021
https://blueteamlabs.online/home/challenge/27

Disclaimer: this post is for learning purposes. I hope you have already gone through all the official sources of the platform and learned from them.

I will start this post by explaining a little about the D3FEND framework. If you search for it, you’ll be directed to https://d3fend.mitre.org/. D3FEND is a new schema launched by MITRE. It catalogs blue team (defender) prevention and mitigation methodologies according to the attack that occurs. D3FEND is a knowledge graph that not only answers your question but also explains how it came to be, gives another perspective, and lists the ATT&CK techniques that each defense may counter.

With this framework, “defenders” can get information on how to secure their systems and those associated with them, so that they are able to deal with such incidents.

So let’s go for the challenge.

Scenario

Scenario: D3FEND, a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques, has been released. Let’s see what it holds.

  1. What is the corresponding name for the ID ‘D3-SDM’? (2 points)
    System Daemon Monitoring. A daemon (or disk and execution monitor) is a background process that runs in a multitasking computer to perform administrative tasks. It can run at the system level (as an operating system process).
  2. What are the five general tactics used to classify each defensive method? (Alphabetical Order) (2 points)
    The five tactics are shown on the main page of the D3FEND site: harden, detect, isolate, deceive, evict (non-alphabetical order here).
  3. What open-source project retrieves Azure Sentinel rules that are mapped to MITRE ATT&CK Framework and generates the related MITRE D3FEND defenses? (2 points)
    I used this dork to find the answer: “d3fend” azure sentinel rule. It directed me to this GitHub page, https://github.com/Intellisec-Solutions/Sentinel2D3FEND, which is also the answer to this question.
  4. What does ‘File Access Pattern Analysis’ mean? (2 points)
    We can find this answer on the D3FEND page. File Access Pattern Analysis has the ID D3-FAPA. Its main task is analyzing the files accessed by a process to identify unauthorized activity; you can learn more from the D3FEND main page.
  5. What does ‘Local Resource Access’ artifact mean? (2 points)
    Same as question number 4: Local Resource Access. You may need more time on this question because the answer you are looking for does not appear immediately after you search for it. You can use the exact wording or a Google dork to get started. Actually, if you read the question carefully, it gives a hint that we should find the answer in the artifact section. Local resource access is an ephemeral digital artifact consisting of a request for a local resource and any response from that resource; it is equivalent to an endpoint resource access.
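As an added illustration of what File Access Pattern Analysis (D3-FAPA) from question 4 does in practice, here is a small Python detector that is not part of the challenge or of D3FEND itself: it builds a per-process baseline of the directories each process image normally touches from a constructed audit log, then flags accesses in a later log that fall outside that baseline. The log format, process names and paths are all made up for the example.

```python
"""Hypothetical File Access Pattern Analysis (D3-FAPA) detector.

Constructed input format, one access per line:
    <timestamp> <process_image> <file_path>
"""
from collections import defaultdict

# Constructed baseline period: what each process normally reads.
BASELINE_LOG = """\
2021-11-16T09:00:01 /usr/sbin/sshd /etc/ssh/sshd_config
2021-11-16T09:00:02 /usr/sbin/sshd /etc/passwd
2021-11-16T09:00:05 /usr/bin/nginx /etc/nginx/nginx.conf
2021-11-16T09:00:06 /usr/bin/nginx /var/www/html/index.html
"""

# Constructed detection period, containing two accesses that do not fit.
OBSERVED_LOG = """\
2021-11-17T10:01:00 /usr/sbin/sshd /etc/ssh/sshd_config
2021-11-17T10:01:03 /usr/bin/nginx /var/www/html/index.html
2021-11-17T10:01:09 /usr/bin/nginx /etc/shadow
2021-11-17T10:02:00 /usr/bin/backup /home/user/docs.tar
"""


def parse(log):
    """Yield (timestamp, process_image, path) tuples from the constructed log."""
    for line in log.splitlines():
        ts, image, path = line.split(maxsplit=2)
        yield ts, image, path


def build_baseline(log):
    """Map each process image to the set of directories it touched."""
    baseline = defaultdict(set)
    for _, image, path in parse(log):
        baseline[image].add(path.rsplit("/", 1)[0])
    return baseline


def find_anomalies(log, baseline):
    """Return (timestamp, image, path, reason) for each out-of-pattern access."""
    hits = []
    for ts, image, path in parse(log):
        directory = path.rsplit("/", 1)[0]
        if image not in baseline:
            hits.append((ts, image, path, "no baseline for process"))
        elif directory not in baseline[image]:
            hits.append((ts, image, path, "directory outside baseline"))
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(OBSERVED_LOG, build_baseline(BASELINE_LOG)):
        print(*hit)
```

A real deployment would learn the baseline over a longer window and key on more than the directory (access mode, file type, time of day), but the shape of the analysis is the same.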

Summary

This challenge is really full of knowledge, especially for an entry-level learner like me. The D3FEND schema is very helpful for learning how to counter and mitigate an attack or incident, and it gives us more insight into how it happened and what other things can be affected by it.

Thanks for reading
