The MITRE Corporation released D3FEND™ (aka MITRE DEFEND™), a complementary framework to its industry-acclaimed MITRE ATT&CK® matrix. MITRE D3FEND provides defense techniques that security teams can apply to protect their environments against cyber threats.
Intezer Protect provides real-time threat detection & response for cloud and data centers. It protects Linux and Kubernetes data centers against the latest threats in runtime, both on-premises and in the cloud. Below we explain how Intezer Protect implements some of the key techniques described in D3FEND.
Technique: Remote Terminal Session Detection
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect detects all running code on a server, including remote terminal sessions. The platform also detects potential reverse shells by analyzing running programs and the network activity associated with them.
Example: Below is a reverse shell alert generated by Intezer Protect. The platform detects when a reverse shell is spawned through a shell process with an open network connection.
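The heuristic described above (a shell process whose I/O is wired to a network connection) can be sketched against the Linux `/proc` filesystem. This is an added example, not Intezer Protect's implementation; the shell name list and the `proc_root` parameter are assumptions made for illustration.

```python
import os

# Assumed list of shell executable names to inspect (not from the original page).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

def socket_backed_stdio(pid_dir):
    """Return which of fds 0, 1, 2 of a process resolve to a socket."""
    hits = []
    for fd in (0, 1, 2):
        try:
            target = os.readlink(os.path.join(pid_dir, "fd", str(fd)))
        except OSError:  # process exited, or fd not readable without privileges
            continue
        if target.startswith("socket:["):
            hits.append(fd)
    return hits

def find_suspect_shells(proc_root="/proc"):
    """Flag shells whose stdin and stdout are both sockets.

    An SSH or console login shell normally has a pty or tty on these fds,
    so a socket there is worth an analyst's attention. It is a heuristic:
    some legitimate socket-activated services will match as well.
    """
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm not in SHELLS:
            continue
        fds = socket_backed_stdio(pid_dir)
        if 0 in fds and 1 in fds:
            findings.append({"pid": int(entry), "comm": comm, "socket_fds": fds})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_shells():
        print(finding)
```

Run it as root to see file descriptors of processes owned by other users; each hit still needs correlation with the socket's remote endpoint and the parent process before it is treated as an incident.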
Technique: Connection Attempt Analysis
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect detects connection and network scan attempts through a variety of methods. The product also alerts on the use of suspicious network tools and unsafe connections using tools such as SSH or SCP.
Example: Intezer Protect detects an nmap scan running on a compromised host.
Intezer Protect shows all running instances of connection tools and which containers they run in, along with the genetic analysis verdict.
Technique: Endpoint Health Beacon
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect users get a full overview of the health status of their environment. In addition, detailed information on the health of each server or endpoint is provided, including security status of all running code, installed packages, connectivity status, and configurations. The platform also shows when instances are not responding (Not Visible) as an indication that there could be a networking issue worth addressing.
Example: The dashboard shows the security status, code distribution by verdict, and vulnerability status of all hosts.
Diving deeper into the individual hosts, users can see the health status for each endpoint, along with vital information about the operating system. Tabs show the vulnerability status of all installed packages and configurations. Vulnerable package detection helps organizations identify active vulnerable packages that should be prioritized for updates, along with CVE links to their dedicated NVD (National Vulnerability Database) page for additional information and remediation.
Technique: File Access Pattern Analysis
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect detects suspicious file access patterns and generates alerts for them. Any sensitive files accessed are flagged along with the program used to access them, including Living off the Land (LotL) binaries and Bash scripts.
Example: If an attacker wants to gain persistence on a Linux machine, they could try to edit the “.bashrc” file and insert malicious code. Below, Intezer Protect detected suspicious file access to this file and the VIM process used to edit it.
Technique: Resource Access Pattern Analysis
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect detects suspicious resource access, with a focus on the Living off the Land (LotL) programs commonly used for it. Intezer Protect also detects suspicious activity searching for sensitive resources.
Example: Intezer Protect triggers an alert whenever suspicious activity is detected, for instance when an attacker is searching for sensitive information such as passwords on a compromised system.
Technique: Process Termination
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect terminates malicious running processes. This can be performed either automatically or manually.
Example: Shown below is the manual termination of a cryptominer process. Users can also enable auto termination to stop ransomware and other destructive attacks immediately so that the processes won’t be able to run.
Technique: Software Update
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect scans all installed packages on the instance. It reveals outdated packages that have vulnerabilities, along with links to their documentation. These packages can then be prioritized for updates. This feature fulfils compliance benchmarks such as the CIS control for Continuous Vulnerability Management.
Example: A vulnerable package is subject to a critical CVE. Intezer Protect detects this and links to the vulnerability details. Once the update is made by the user, Intezer Protect rescans and shows that the package is safe while also updating the vulnerability status of the instance.
Technique: System Daemon Monitoring
Definition: D3fend
How does Intezer Protect implement this technique? Intezer Protect monitors the configuration state of the Linux system compared to CIS benchmarks. Intezer Protect also monitors the configuration of containers and Kubernetes. If a misconfiguration is detected, remediation advice is presented.
Example: In the Linux system check below, permissions to access “sshd_config” are incorrectly defined and given a severity rating of Medium. Commands are provided to help users quickly remediate the issue.
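A configuration check of the kind described above can be written in a few lines. This is an added example, not Intezer Protect's code; it assumes the CIS-style expectation that `sshd_config` is owned by root:root with no group or other access, and the function name and parameters are hypothetical.

```python
import os
import stat

def audit_sshd_config(path="/etc/ssh/sshd_config", want_uid=0, want_gid=0):
    """Check ownership and mode of sshd_config.

    Returns (findings, remediation): human-readable findings and the shell
    commands that would correct them. Expected owner root:root and no
    group/other permission bits are assumptions based on the CIS benchmark.
    """
    st = os.lstat(path)
    findings, remediation = [], []

    # A symlink's own mode says nothing about the real file; report and stop.
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path} is a symlink; audit its target instead")
        return findings, remediation

    if st.st_uid != want_uid or st.st_gid != want_gid:
        findings.append(
            f"owner is {st.st_uid}:{st.st_gid}, expected {want_uid}:{want_gid}"
        )
        remediation.append(f"chown {want_uid}:{want_gid} {path}")

    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit set
        findings.append(f"mode {mode:04o} grants group/other access")
        remediation.append(f"chmod og-rwx {path}")

    return findings, remediation

if __name__ == "__main__":
    found, fixes = audit_sshd_config()
    for line in found:
        print("FINDING:", line)
    for cmd in fixes:
        print("FIX:", cmd)
```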
Additional Techniques
Intezer Protect uses the malware analysis platform Intezer Analyze as the foundation for genetic file analysis of all running code on your endpoints. As a result, all MITRE D3FEND™ techniques implemented by Intezer Analyze also apply to Intezer Protect. Intezer Protect also covers the following techniques.
- Dynamic Analysis
- Emulated File Analysis
- File Content Rules
- File Hashing
- Byte Sequence Emulation
- Memory Boundary Tracking
- Service Binary Verification
- Process Spawn Analysis
- Script Execution Analysis
- System Call Analysis
Read more in What MITRE D3FEND™ Techniques Does Intezer Analyze Implement?
Get Started for Free
Get started by covering a large portion of MITRE D3FEND techniques through real-time threat detection and response for workloads running on Linux and Kubernetes.
Born in the cloud, Intezer Protect is the fastest to detect Linux threats, without the overhead of installing an Antivirus or EDR. Protect up to 10 hosts, nodes or machines for free.