SPARTA Mitigations

SPARTA countermeasures derived from the official STIX feed.

Authors

Authors and/or Contributors
The Aerospace Corporation

Countermeasure Not Identified

No Applicable Countermeasures

Internal MISP references

UUID 49b4a3b4-bef2-4ff2-8841-2398d5ba2c99 which can be used as unique global reference for Countermeasure Not Identified in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM-NA - webarchive

Associated metadata

Metadata key	Value
external_id	CM-NA

Protect Sensitive Information

Organizations should look to identify and properly classify mission sensitive design/operations information (e.g., fault management approach) and apply access control accordingly. Any location (ground system, contractor networks, etc.) storing design information needs to ensure design info is protected from exposure, exfiltration, etc. Space system sensitive information may be classified as Controlled Unclassified Information (CUI) or Company Proprietary. Space system sensitive information can typically include a wide range of candidate material: the functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, CUI, proprietary, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission. Sensitive documentation should only be accessed by personnel with defined roles and a need to know. Well established access controls (roles, encryption at rest and transit, etc.) and data loss prevention (DLP) technology are key countermeasures. The DLP should be configured for the specific data types in question.

Internal MISP references

UUID bc0523eb-1144-4767-a40b-64eeca088974 which can be used as unique global reference for Protect Sensitive Information in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0001

COMSEC

A component of cybersecurity to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material. It is imperative to utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

Internal MISP references

UUID 75cd0a16-e3a6-4d32-b042-d86fc98a9734 which can be used as unique global reference for COMSEC in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0002

TEMPEST

The spacecraft should protect system components, associated data communications, and communication buses in accordance with TEMPEST controls to prevent side channel / proximity attacks. Encompass the spacecraft critical components with a casing/shielding so as to prevent access to the individual critical components.

Internal MISP references

UUID 73b266f5-e156-4741-a8d4-d26da03e98cc which can be used as unique global reference for TEMPEST in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0003

Development Environment Security

In order to secure the development environment, the first step is understanding all the devices and people who interact with it. Maintain an accurate inventory of all people and assets that touch the development environment. Ensure strong multi-factor authentication is used across the development environment, especially for code repositories, as threat actors may attempt to sneak malicious code into software that's being built without being detected. Use zero-trust access controls to the code repositories where possible. For example, ensure the main branches in repositories are protected from injecting malicious code. A secure development environment requires change management, privilege management, auditing and in-depth monitoring across the environment.

Internal MISP references

UUID eb637dec-81db-4719-9265-ec109bfcc163 which can be used as unique global reference for Development Environment Security in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0004

Ground-based Countermeasures

This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://csrc.nist.gov/pubs/ir/8401/final). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.

Internal MISP references

UUID 8b496e6b-dbe6-4437-b575-73dc2755ccc6 which can be used as unique global reference for Ground-based Countermeasures in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0005

Cloaking Safe-mode

Attempt to cloak when in safe-mode and ensure that when the system enters safe-mode it does not disable critical security features. Ensure basic protections like encryption are still being used on the uplink/downlink to prevent eavesdropping.

Internal MISP references

UUID 39aae7af-a791-4fca-8a03-d67463e9134d which can be used as unique global reference for Cloaking Safe-mode in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0006

Software Version Numbers

When using COTS or Open-Source, protect the version numbers being used as these numbers can be cross referenced against public repos to identify Common Vulnerability Exposures (CVEs) and exploits available.

Internal MISP references

UUID 4898dfc6-9e5c-4e55-881e-c3009c96d783 which can be used as unique global reference for Software Version Numbers in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0007

Security Testing Results

As penetration testing and vulnerability scanning is a best practice, protecting the results from these tests and scans is equally important. These reports and results typically outline detailed vulnerabilities and how to exploit them. As with countermeasure CM0001, protecting sensitive information from disclosure to threat actors is imperative.

Internal MISP references

UUID fdac10d0-4b2c-42d3-8980-ce2a237f0d1e which can be used as unique global reference for Security Testing Results in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0008

Threat Intelligence Program

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities and mitigate risk. Leverage all-source intelligence services or commercial satellite imagery to identify and track adversary infrastructure development/acquisition. Countermeasures for this attack fall outside the scope of the mission in the majority of cases.

Internal MISP references

UUID 722553c7-8ea0-48bf-9411-f89e3688ed54 which can be used as unique global reference for Threat Intelligence Program in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0009

Update Software

Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times. Release updated versions of the software/firmware systems incorporating security-relevant updates, after suitable regression testing, at a frequency no greater than mission-defined frequency [i.e., 30 days]. Ideally old versions of software are removed after upgrading but restoration states (i.e., gold images) are recommended to remain on the system.

Internal MISP references

UUID 1aa31e61-708e-4fc4-82bb-36783d5cca9c which can be used as unique global reference for Update Software in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0010

Vulnerability Scanning

Vulnerability scanning is used to identify known software vulnerabilities (excluding custom-developed software - ex: COTS and Open-Source). Utilize scanning tools to identify vulnerabilities in dependencies and outdated software (i.e., software composition analysis). Ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact.

Internal MISP references

UUID c4cc4fbd-7c48-4dd1-bd94-9fdf49463b11 which can be used as unique global reference for Vulnerability Scanning in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0011

Software Bill of Materials

Generate Software Bill of Materials (SBOM) against the entire software supply chain and cross correlate with known vulnerabilities (e.g., Common Vulnerabilities and Exposures) to mitigate known vulnerabilities. Protect the SBOM according to countermeasures in CM0001.

Internal MISP references

UUID ac922647-8ffe-4b30-aaa8-2747d7ee7587 which can be used as unique global reference for Software Bill of Materials in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0012

Dependency Confusion

Ensure proper protections are in place for ensuring dependency confusion is mitigated like ensuring that internal dependencies be pulled from private repositories vice public repositories, ensuring that your CI/CD/development environment is secure as defined in CM0004 and validate dependency integrity by ensuring checksums match official packages.

Internal MISP references

UUID c1d865f5-aec8-4b70-a57e-8f12213e331c which can be used as unique global reference for Dependency Confusion in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0013

Secure boot

Software/Firmware must verify a trust chain that extends through the hardware root of trust, boot loader, boot configuration file, and operating system image, in that order. The trusted boot/RoT computing module should be implemented on radiation tolerant burn-in (non-programmable) equipment.

Internal MISP references

UUID 4ad79bd4-fcaf-4190-9dff-98464f778843 which can be used as unique global reference for Secure boot in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0014

Software Source Control

Prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.

Internal MISP references

UUID bd5428eb-2bfc-448d-94ce-123375f5766f which can be used as unique global reference for Software Source Control in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0015

CWE List

Create prioritized list of software weakness classes (e.g., Common Weakness Enumerations), based on system-specific considerations, to be used during static code analysis for prioritization of static analysis results.

Internal MISP references

UUID 52cd9aa3-f2b2-40c4-84e6-2ef230306ccb which can be used as unique global reference for CWE List in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0016

Coding Standard

Define acceptable coding standards to be used by the software developer. The mission should have automated means to evaluate adherence to coding standards. The coding standard should include the acceptable software development language types as well. The language should consider the security requirements, scalability of the application, the complexity of the application, development budget, development time limit, application security, available resources, etc. The coding standard and language choice must ensure proper security constructs are in place.

Internal MISP references

UUID 41fa1943-0f0e-449c-8298-199234112274 which can be used as unique global reference for Coding Standard in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0017

Dynamic Testing

Employ dynamic analysis (e.g., using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code). Testing should occur (1) on potential system elements before acceptance; (2) as a realistic simulation of known adversary tactics, techniques, procedures (TTPs), and tools; and (3) throughout the lifecycle on physical and logical systems, elements, and processes. FLATSATs as well as digital twins can be used to perform the dynamic analysis depending on the TTPs being executed. Digital twins via instruction set simulation (i.e., emulation) can provide robust environment for dynamic analysis and TTP execution.

Internal MISP references

UUID 250703d5-f45e-4f5d-9416-720a0eec70dc which can be used as unique global reference for Dynamic Testing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0018

Static Analysis

Perform static source code analysis for all available source code looking for system-relevant weaknesses (see CM0016) using no less than two static code analysis tools.

Internal MISP references

UUID 7b1509ed-a17d-4abd-abe0-65ab961582d6 which can be used as unique global reference for Static Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0019

Threat modeling

Use threat modeling, attack surface analysis, and vulnerability analysis to inform the current development process using analysis from similar systems, components, or services where applicable. Reduce attack surface where possible based on threats.

Internal MISP references

UUID d4da789e-e218-4ee3-9863-1fe9ed9e9cf1 which can be used as unique global reference for Threat modeling in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0020

Software Digital Signature

Prevent the installation of Flight Software without verification that the component has been digitally signed using a certificate that is recognized and approved by the mission.

Internal MISP references

UUID e8f1d3f6-4289-466e-8673-45df4435bae7 which can be used as unique global reference for Software Digital Signature in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0021

Criticality Analysis

Conduct a criticality analysis to identify mission critical functions, critical components, and data flows and reduce the vulnerability of such functions and components through secure system design. Focus supply chain protection on the most critical components/functions. Leverage other countermeasures like segmentation and least privilege to protect the critical components.

Internal MISP references

UUID d783d6ed-0224-4559-9c3b-4a04ebc22693 which can be used as unique global reference for Criticality Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0022

Configuration Management

Use automated mechanisms to maintain and validate baseline configuration to ensure the spacecraft's is up-to-date, complete, accurate, and readily available.

Internal MISP references

UUID 1315a30a-3a1a-415a-b904-0673e59e6b33 which can be used as unique global reference for Configuration Management in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0023

Anti-counterfeit Hardware

Develop and implement anti-counterfeit policy and procedures designed to detect and prevent counterfeit components from entering the information system, including tamper resistance and protection against the introduction of malicious code or hardware.

Internal MISP references

UUID 3b2a3db2-9c0b-4533-b4a2-aedf48ea6f1b which can be used as unique global reference for Anti-counterfeit Hardware in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0024

Supplier Review

Conduct a supplier review prior to entering into a contractual agreement with a contractor (or sub-contractor) to acquire systems, system components, or system services.

Internal MISP references

UUID afd03f22-7d65-4519-ba85-02784111b34d which can be used as unique global reference for Supplier Review in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0025

Original Component Manufacturer

Components/Software that cannot be procured from the original component manufacturer or their authorized franchised distribution network should be approved by the supply chain board or equivalent to prevent and detect counterfeit and fraudulent parts, materials, and software.

Internal MISP references

UUID ccbfe08e-8c76-41d1-ad89-10374cfcb650 which can be used as unique global reference for Original Component Manufacturer in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0026

ASIC/FPGA Manufacturing

Application-Specific Integrated Circuit (ASIC) / Field Programmable Gate Arrays should be developed by accredited trusted foundries to limit potential hardware-based trojan injections.

Internal MISP references

UUID d4db913c-d871-4ed5-9948-059d55a488f5 which can be used as unique global reference for ASIC/FPGA Manufacturing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0027

Tamper Protection

Perform physical inspection of hardware to look for potential tampering. Leverage tamper proof protection where possible when shipping/receiving equipment. Anti-tamper mechanisms are also critical for protecting software from unauthorized alterations. Techniques for preventing software tampering include code obfuscation, integrity checks, runtime integrity monitoring (e.g. self-checking code, watchdog processes, etc.) and more.

Internal MISP references

UUID 0fa834d3-25aa-4d88-a384-db02f5374af9 which can be used as unique global reference for Tamper Protection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0028

TRANSEC

Utilize TRANSEC in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. For example, jam-resistant waveforms can be utilized to improve the resistance of radio frequency signals to jamming and spoofing. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.

Internal MISP references

UUID 0c12ea1e-e8ae-48d1-a69f-2f71e29fc47f which can be used as unique global reference for TRANSEC in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0029

Crypto Key Management

Leverage best practices for crypto key management as defined by organization like NIST or the National Security Agency. Leverage only approved cryptographic algorithms, cryptographic key generation algorithms or key distribution techniques, authentication techniques, or evaluation criteria. Encryption key handling should be performed outside of the onboard software and protected using cryptography. Encryption keys should be restricted so that they cannot be read via any telecommands.

Internal MISP references

UUID ac44e3b6-f474-4a00-b37c-b75c834be55c which can be used as unique global reference for Crypto Key Management in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0030

Authentication

Authenticate all communication sessions (crosslink and ground stations) for all commands before establishing remote connections using bidirectional authentication that is cryptographically based. Adding authentication on the spacecraft bus and communications on-board the spacecraft is also recommended.

Internal MISP references

UUID 372f078b-7a38-4f82-9a73-f13d7447e645 which can be used as unique global reference for Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0031

On-board Intrusion Detection & Prevention

Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.

Internal MISP references

UUID 5fae2dbf-3431-4f12-93c6-246adeb3441e which can be used as unique global reference for On-board Intrusion Detection & Prevention in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0032

Relay Protection

Implement relay and replay-resistant authentication mechanisms for establishing a remote connection or connections on the spacecraft bus.

Internal MISP references

UUID 3c7cdbaf-4711-48e4-a44d-3f25d59e74a8 which can be used as unique global reference for Relay Protection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0033

Monitor Critical Telemetry Points

Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create a full space system situation awareness from a cybersecurity perspective.

Internal MISP references

UUID 2dc48322-37d4-4f00-9bc8-5554dc033121 which can be used as unique global reference for Monitor Critical Telemetry Points in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0034

Protect Authenticators

Protect authenticator content from unauthorized disclosure and modification.

Internal MISP references

UUID e7b3f761-1776-44b6-8b13-eb54a5f771db which can be used as unique global reference for Protect Authenticators in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0035

Session Termination

Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity which is established via the concept of operations.

Internal MISP references

UUID abe1d1fe-0c56-411f-839f-95ed1e1ba719 which can be used as unique global reference for Session Termination in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0036

Disable Physical Ports

Provide the capability for data connection ports or input/output devices (e.g., JTAG) to be disabled or removed prior to spacecraft operations.

Internal MISP references

UUID dbd9d60f-0265-4e0f-97bc-7bc852a420e0 which can be used as unique global reference for Disable Physical Ports in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0037

Segmentation

Identify the key system components or capabilities that require isolation through physical or logical means. Information should not be allowed to flow between partitioned applications unless explicitly permitted by security policy. Isolate mission critical functionality from non-mission critical functionality by means of an isolation boundary (implemented via partitions) that controls access to and protects the integrity of, the hardware, software, and firmware that provides that functionality. Enforce approved authorizations for controlling the flow of information within the spacecraft and between interconnected systems based on the defined security policy that information does not leave the spacecraft boundary unless it is encrypted. Implement boundary protections to separate bus, communications, and payload components supporting their respective functions.

Internal MISP references

UUID 375f702b-b379-461a-926f-e8c39d44a918 which can be used as unique global reference for Segmentation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0038

Least Privilege

Employ the principle of least privilege, allowing only authorized processes which are necessary to accomplish assigned tasks in accordance with system functions. Ideally maintain a separate execution domain for each executing process.

Internal MISP references

UUID 4a219018-545f-49e4-a5c6-113597374ad3 which can be used as unique global reference for Least Privilege in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0039

Shared Resource Leakage

Prevent unauthorized and unintended information transfer via shared system resources. Ensure that processes reusing a shared system resource (e.g., registers, main memory, secondary storage) do not have access to information (including encrypted representations of information) previously stored in that resource during a prior use by a process after formal release of that resource back to the system or reuse

Internal MISP references

UUID 67f9ef6a-e6b1-4706-84dc-791daff30504 which can be used as unique global reference for Shared Resource Leakage in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0040

User Training

Train users to be aware of access or manipulation attempts by a threat actor to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction. Ensure that role-based security-related training is provided to personnel with assigned security roles and responsibilities: (i) before authorizing access to the information system or performing assigned duties; (ii) when required by information system changes; and (iii) at least annually if not otherwise defined.

Internal MISP references

UUID 4b501248-f263-446e-b555-9d8f370efe6b which can be used as unique global reference for User Training in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0041

Robust Fault Management

Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft.

Internal MISP references

UUID 707c2fb6-7222-45d8-83f7-41b7a0f65430 which can be used as unique global reference for Robust Fault Management in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0042

Backdoor Commands

Ensure that all viable commands are known to the mission/spacecraft owner. Perform analysis of critical (backdoor/hardware) commands that could adversely affect mission success if used maliciously. Only use or include critical commands for the purpose of providing emergency access where commanding authority is appropriately restricted.

Internal MISP references

UUID 4c63a000-7630-4a28-aacc-ab7bd84df33a which can be used as unique global reference for Backdoor Commands in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0043

Cyber-safe Mode

Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable.

Internal MISP references

UUID 327d614f-37ab-4a31-8dea-8be981dcb7dd which can be used as unique global reference for Cyber-safe Mode in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0044

Error Detection and Correcting Memory

Use Error Detection and Correcting (EDAC) memory and integrate EDAC scheme with fault management and cyber-protection mechanisms to respond to the detection of uncorrectable multi-bit errors, other than time-delayed monitoring of EDAC telemetry by the mission operators on the ground. The spacecraft should utilize the EDAC scheme to routinely check for bit errors in the stored data on board the spacecraft, correct the single-bit errors, and identify the memory addresses of data with uncorrectable multi-bit errors of at least order two, if not higher order in some cases.

Internal MISP references

UUID 653083e1-1ee3-40fb-92a7-e5d577e074a1 which can be used as unique global reference for Error Detection and Correcting Memory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0045

Long Duration Testing

Perform testing using hardware or simulation/emulation where the test executes over a long period of time (30+ days). This testing will attempt to flesh out race conditions or time-based attacks.

Internal MISP references

UUID 87c644ac-9f50-4287-8c6a-c55d6caafb56 which can be used as unique global reference for Long Duration Testing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0046

Operating System Security

Ensure spacecraft's operating system is scrutinized/whitelisted and has received adequate software assurance previously. The operating system should be analyzed for its attack surface and non-utilized features should be stripped from the operating system. Many real-time operating systems contain features that are not necessary for spacecraft operations and only increase the attack surface.

Internal MISP references

UUID da6f70a6-82c0-4bfe-8d96-6d0f08bbac09 which can be used as unique global reference for Operating System Security in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0047

If available, use an authentication mechanism that allows GNSS receivers to verify the authenticity of the GNSS information and of the entity transmitting it, to ensure that it comes from a trusted source. Have fault-tolerant authoritative time sourcing for the spacecraft's clock. The spacecraft should synchronize the internal system clocks for each processor to the authoritative time source when the time difference is greater than the FSW-defined interval. If Spacewire is utilized, then the spacecraft should adhere to mission-defined time synchronization standard/protocol to synchronize time across a Spacewire network with an accuracy around 1 microsecond.

Internal MISP references

UUID 02538387-475c-4ddc-85e7-fef26eab45c6 which can be used as unique global reference for Resilient Position, Navigation, and Timing in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM0048 - webarchive
https://www.gps.gov/resilience/ - webarchive
[https://gssc.esa.int/navipedia/index.php/Galileo_Open_Service_Navigation_Message_Authentication#:~:text=Galileo%20OS%2DNMA%20(Open%20Service,comes%20from%20a%20trusted%20source](https://gssc.esa.int/navipedia/index.php/Galileo_Open_Service_Navigation_Message_Authentication#:~:text=Galileo%20OS%2DNMA%20(Open%20Service,comes%20from%20a%20trusted%20source) - [webarchive](https://web.archive.org/web/*/https://gssc.esa.int/navipedia/index.php/Galileo_Open_Service_Navigation_Message_Authentication#:~:text=Galileo%20OS%2DNMA%20(Open%20Service,comes%20from%20a%20trusted%20source)
https://sparta.aerospace.org/countermeasures/references/CP-2 - webarchive
https://sparta.aerospace.org/countermeasures/references/PE-20 - webarchive
https://sparta.aerospace.org/countermeasures/references/PL-8 - webarchive
https://sparta.aerospace.org/countermeasures/references/PL-8/1 - webarchive
https://sparta.aerospace.org/countermeasures/references/SA-9 - webarchive
https://sparta.aerospace.org/countermeasures/references/SC-16/2 - webarchive
https://sparta.aerospace.org/countermeasures/references/SC-45 - webarchive
https://sparta.aerospace.org/countermeasures/references/SC-45/1 - webarchive
https://sparta.aerospace.org/countermeasures/references/SC-45/2 - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-02 - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ir/pr-ir-03 - webarchive
https://sparta.aerospace.org/countermeasures/iso/7.5.1 - webarchive
https://sparta.aerospace.org/countermeasures/iso/7.5.2 - webarchive
https://sparta.aerospace.org/countermeasures/iso/7.5.3 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.2 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.29 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.1 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.10 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.8 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.4 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.14 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.22 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.5.23 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.21 - webarchive

Associated metadata

Metadata key	Value
external_id	CM0048

Machine Learning Data Integrity

When AI/ML is being used for mission critical operations, the integrity of the training data set is imperative. Data poisoning against the training data set can have detrimental effects on the functionality of the AI/ML. Fixing poisoned models is very difficult so model developers need to focus on countermeasures that could either block attack attempts or detect malicious inputs before the training cycle occurs. Regression testing over time, validity checking on data sets, manual analysis, as well as using statistical analysis to find potential injects can help detect anomalies.

Internal MISP references

UUID cd8ec599-4149-45d3-9155-2bf818e91fb0 which can be used as unique global reference for Machine Learning Data Integrity in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0049

On-board Message Encryption

In addition to authentication on-board the spacecraft bus, encryption is also recommended to protect the confidentiality of the data traversing the bus.

Internal MISP references

UUID 92b31828-bd1c-46fd-a35c-6a2f29156acd which can be used as unique global reference for On-board Message Encryption in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0050

Fault Injection Redundancy

To counter fault analysis attacks, it is recommended to use redundancy to catch injected faults. For certain critical functions that need protected against fault-based side channel attacks, it is recommended to deploy multiple implementations of the same function. Given an input, the spacecraft can process it using the various implementations and compare the outputs. A selection module could be incorporated to decide the valid output. Although sensor nodes have limited resources, critical regions usually comprise the crypto functions, which must be secured.

Internal MISP references

UUID 5c01003a-3daa-4173-a49c-db0f54f0d435 which can be used as unique global reference for Fault Injection Redundancy in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0051

Insider Threat Protection

Establish policy and procedures to prevent individuals (i.e., insiders) from masquerading as individuals with valid access to areas where commanding of the spacecraft is possible. Establish an Insider Threat Program to aid in the prevention of people with authorized access performing malicious activities.

Internal MISP references

UUID 65c29feb-7166-4901-9d17-7192d04209ef which can be used as unique global reference for Insider Threat Protection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0052

Physical Security Controls

Employ physical security controls (badge with pins, guards, gates, etc.) to prevent unauthorized access to the systems that have the ability to command the spacecraft.

Internal MISP references

UUID d662ddb6-c721-41b5-acb6-f9731d8cf1d0 which can be used as unique global reference for Physical Security Controls in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0053

Two-Person Rule

Utilize a two-person system to achieve a high level of security for systems with command level access to the spacecraft. Under this rule all access and actions require the presence of two authorized people at all times.

Internal MISP references

UUID dac4681c-d331-4aff-91c2-70eec14c83a2 which can be used as unique global reference for Two-Person Rule in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0054

Secure Command Mode(s)

Provide additional protection modes for commanding the spacecraft. These can be where the spacecraft will restrict command lock based on geographic location of ground stations, special operational modes within the flight software, or even temporal controls where the spacecraft will only accept commands during certain times.

Internal MISP references

UUID d26d89fa-badd-467a-84a7-64c8a4c58f6c which can be used as unique global reference for Secure Command Mode(s) in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0055

Data Backup

Implement disaster recovery plans that contain procedures for taking regular data backups that can be used to restore critical data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Internal MISP references

UUID 77ce45c1-57f3-4598-92bf-7876755ce702 which can be used as unique global reference for Data Backup in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0056

Tamper Resistant Body

Using a tamper resistant body can increase the one-time cost of the sensor node but will allow the node to conserve the power usage when compared with other countermeasures.

Internal MISP references

UUID 8e0468cf-3b18-4986-9fb4-22a463f38b40 which can be used as unique global reference for Tamper Resistant Body in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0057

Power Randomization

Power randomization is a technique in which a hardware module is built into the chip that adds noise to the power consumption. This countermeasure is simple and easy to implement but is not energy efficient and could be impactful for size, weight, and power which is limited on spacecraft as it adds to the fabrication cost of the device.

Internal MISP references

UUID dea6a100-3aac-4c91-bd7c-126e0ad62e95 which can be used as unique global reference for Power Randomization in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM0058 - webarchive
J. Daemen and V. Rijmen. Resistance against implementation attacks: A comparative study of the ales proposals. In The Second AES Candidate Conference, pages 122–132, Gaithersburg, MD, 1999. National Institute of Standards and Technology.
https://sparta.aerospace.org/countermeasures/references/PE-19 - webarchive
https://sparta.aerospace.org/countermeasures/references/PE-19/1 - webarchive
https://emb3d.mitre.org/mitigations/MID-059.html - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-10 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.5 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.8 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.12 - webarchive

Associated metadata

Metadata key	Value
external_id	CM0058

Power Consumption Obfuscation

Design hardware circuits or perform obfuscation in general that mask the changes in power consumption to increase the cost/difficulty of a power analysis attack. This will increase the cost of manufacturing sensor nodes.

Internal MISP references

UUID f3d12723-0925-4375-9827-7c880bbcc14c which can be used as unique global reference for Power Consumption Obfuscation in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM0059 - webarchive
Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private circuits 2: Keeping secrets in tamperable circuits. In Proceedings of Eurocrypt, pages 308– 327, May 2006.
Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing attacks. In Proceedings of CRYPTO, pages 463–481, 2003.
P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In CRYPTO, pages 388–397, 1999
https://sparta.aerospace.org/countermeasures/references/PE-19 - webarchive
https://sparta.aerospace.org/countermeasures/references/PE-19/1 - webarchive
https://emb3d.mitre.org/mitigations/MID-059.html - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-10 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.5 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.8 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.12 - webarchive

Associated metadata

Metadata key	Value
external_id	CM0059

Secret Shares

Use of secret shares in which the original computation is divided probabilistically such that the power subset of shares is statistically independent. One of the major drawbacks of this solution is the increase in the power consumption due to the number of operations that are almost doubled.

Internal MISP references

UUID 34b64f62-032b-41db-92db-f73c94af0239 which can be used as unique global reference for Secret Shares in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM0060 - webarchive
L. Goubin and J. Patarin. DES and differential power analysis (the duplication method). In Cryptographic Hardware and Embedded Systems, pages 158–172, 1999.
https://sparta.aerospace.org/countermeasures/references/PE-19 - webarchive
https://sparta.aerospace.org/countermeasures/references/PE-19/1 - webarchive
https://emb3d.mitre.org/mitigations/MID-028.html - webarchive
https://emb3d.mitre.org/mitigations/MID-060.html - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-10 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.5 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.8 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.12 - webarchive

Associated metadata

Metadata key	Value
external_id	CM0060

Power Masking

Masking is a scheme in which the intermediate variable is not dependent on an easily accessible subset of secret key. This results in making it impossible to deduce the secret key with partial information gathered through electromagnetic leakage.

Internal MISP references

UUID 6bc59539-c219-4c93-91ba-11f03c7ce2a2 which can be used as unique global reference for Power Masking in MISP communities and other software using the MISP galaxy

External references

https://sparta.aerospace.org/countermeasures/CM0061 - webarchive
M.-L. Akkar and C. Giraud. An implementation of des and aes, secure against some attacks. In CHES ’01: Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems, pages 309–318, London, UK, 2001. Springer-Verlag.
J.-S. Coron and L. Goubin. On boolean and arithmetic masking against differential power analysis. In CHES ’00: Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, pages 231–237, London, UK, 2000. Springer-Verlag.
L. Goubin. A sound method for switching between boolean and arithmetic masking. In CHES ’01: Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems, pages 3–15, London, UK, 2001. Springer-Verlag.
https://sparta.aerospace.org/countermeasures/references/PE-19 - webarchive
https://sparta.aerospace.org/countermeasures/references/PE-19/1 - webarchive
https://emb3d.mitre.org/mitigations/MID-059.html - webarchive
https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-10 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.5 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.7.8 - webarchive
https://sparta.aerospace.org/countermeasures/iso/A.8.12 - webarchive

Associated metadata

Metadata key	Value
external_id	CM0061

Dummy Process - Aggregator Node

According to Securing Sensor Nodes Against Side Channel Attacks, it is practically inefficient to prevent adversaries from identifying aggregator nodes in a network (i.e., constellation) because camouflaging traffic in sensor networks is power intensive. Consequently, focus on preventing adversaries from identifying valid aggregation cycles of aggregator nodes. One solution to counter such attacks is to have each aggregator node execute dummy operations that resemble the average power consumption curve observed during the normal operation of the aggregator node. Apart from simulating the power consumption of a genuine process execution, the two necessities that the execution of the dummy process must incorporate to be successful in thwarting the accumulation phase are to use a different dummy execution process each time or have a low repetition rate. This should help prevent the attacker from finding a pattern that would differentiate the execution of a dummy process from the normal execution of an aggregator node. The second requirement relates to the timing of the execution of the dummy process. Depending on whether there is a pattern to the timing of the execution of a dummy process, a threat actor may be able to identify and disregard the dummy process. For example, if a threat actor is capable of identifying the presence or absence of a radio frequency transmission, the attacker can disregard any power consumption curve computed during the absence of transmission signal. Similarly, if the dummy process is not executed every time the aggregator node receives a transmission, the attacker will be able to identify invalid transmission. Hence, to ensure the effectiveness of this scheme, the dummy process must be executed each time the aggregator receives a transmission as well as randomly during idle periods. The advantage of incorporating dummy processes in an aggregator is to minimize the ease of identifying transmission flow in a sensor network that can be used to identify the base station of the sensor network, which could be highly confidential in critical applications.

Internal MISP references

UUID 53cf9707-ef80-4962-805e-6cd5b0e40a5a which can be used as unique global reference for Dummy Process - Aggregator Node in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0062

Increase Clock Cycles/Timing

Use more clock cycles such that branching does not affect the execution time. Also, the memory access times should be standardized to be the same over all accesses. If timing is not mission critical and time is in abundance, the access times can be reduced by adding sufficient delay to normalize the access times. These countermeasures will result in increased power consumption which may not be conducive for low size, weight, and power missions.

Internal MISP references

UUID 4f383606-6a86-4b5b-b65e-87e63df00da0 which can be used as unique global reference for Increase Clock Cycles/Timing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0063

Dual Layer Protection

Use a dual layered case with the inner layer a highly conducting surface and the outer layer made of a non-conducting material. When heat is generated from internal computing components, the inner, highly conducting surface will quickly dissipate the heat around. The outer layer prevents accesses to the temporary hot spots formed on the inner layer.

Internal MISP references

UUID 1241655d-da96-4db1-9dd7-ced057da5e9e which can be used as unique global reference for Dual Layer Protection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0064

OSAM Dual Authorization

Before engaging in an On-orbit Servicing, Assembly, and Manufacturing (OSAM) mission, verification of servicer should be multi-factor authenticated/authorized by both the serviced ground station and the serviced asset.

Internal MISP references

UUID 1d9db9e2-41cc-40d8-9f53-d0dd068efc18 which can be used as unique global reference for OSAM Dual Authorization in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0065

Model-based System Verification

Real-time physics model-based system verification of state could help to verify data input and control sequence changes

Internal MISP references

UUID 77d4cfee-af2c-4168-9bf0-7a3f7bb3f3de which can be used as unique global reference for Model-based System Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0066

Smart Contracts

Smart contracts can be used to mitigate harm when an attacker is attempting to compromise a hosted payload. Smart contracts will stipulate security protocol required across a bus and should it be violated, the violator will be barred from exchanges across the system after consensus achieved across the network.

Internal MISP references

UUID f6f06815-c6c9-4b70-82ae-1a747acfbaea which can be used as unique global reference for Smart Contracts in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0067

Reinforcement Learning

Institute a reinforcement learning agent that will detect anomalous events and redirect processes to proceed by ignoring malicious data/input.

Internal MISP references

UUID 06bfc138-6b38-40b8-b531-ae1c5d179e91 which can be used as unique global reference for Reinforcement Learning in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0068

Process White Listing

Simple process ID whitelisting on the firmware level could impede attackers from instigating unnecessary processes which could impact the spacecraft

Internal MISP references

UUID bdc68991-ba98-44af-85b4-33df4b761c2f which can be used as unique global reference for Process White Listing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0069

Alternate Communications Paths

Establish alternate communications paths to reduce the risk of all communications paths being affected by the same incident.

Internal MISP references

UUID 9a728e01-1a2e-49ba-8347-d3f7ba907325 which can be used as unique global reference for Alternate Communications Paths in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0070

Communication Physical Medium

Establish alternate physical medium for networking based on threat model/environment. For example, fiber optic cabling is commonly perceived as a better choice in lieu of copper for mitigating network security concerns (i.e., eavesdropping / traffic flow analysis) and this is because optical connections transmit data using light, they don’t radiate signals that can be intercepted.

Internal MISP references

UUID 3b5bc03e-5366-4069-ad81-d4297a430748 which can be used as unique global reference for Communication Physical Medium in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0071

Protocol Update / Refactoring

A protocol is a set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. Protocols can have vulnerabilities within their specification and may require updating or refactoring based on vulnerabilities or emerging threats (i.e., quantum computing).

Internal MISP references

UUID e5a31c1b-9296-4205-8b93-10aa21a8a014 which can be used as unique global reference for Protocol Update / Refactoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0072

Traffic Flow Analysis Defense

Utilizing techniques to assure traffic flow security and confidentiality to mitigate or defeat traffic analysis attacks or reduce the value of any indicators or adversary inferences. This may be a subset of COMSEC protections, but the techniques would be applied where required to links that carry TT&C and/or data transmissions (to include on-board the spacecraft) where applicable given value and attacker capability. Techniques may include but are not limited to methods to pad or otherwise obfuscate traffic volumes/duration and/or periodicity, concealment of routing information and/or endpoints, or methods to frustrate statistical analysis.

Internal MISP references

UUID 854ce680-44f2-4df4-b880-9fbdacc08b30 which can be used as unique global reference for Traffic Flow Analysis Defense in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0073

Distributed Constellations

A distributed system uses a number of nodes, working together, to perform the same mission or functions as a single node. In a distributed constellation, the end user is not dependent on any single satellite but rather uses multiple satellites to derive a capability. A distributed constellation can complicate an adversary’s counterspace planning by presenting a larger number of targets that must be successfully attacked to achieve the same effects as targeting just one or two satellites in a less-distributed architecture. GPS is an example of a distributed constellation because the functioning of the system is not dependent on any single satellite or ground station; a user can use any four satellites within view to get a time and position fix.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 6070c566-4bac-4857-9488-a150a208e6ed which can be used as unique global reference for Distributed Constellations in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0074

Proliferated Constellations

Proliferated satellite constellations deploy a larger number of the same types of satellites to similar orbits to perform the same missions. While distribution relies on placing more satellites or payloads on orbit that work together to provide a complete capability, proliferation is simply building more systems (or maintaining more on-orbit spares) to increase the constellation size and overall capacity. Proliferation can be an expensive option if the systems being proliferated are individually expensive, although highly proliferated systems may reduce unit costs in production from the learning curve effect and economies of scale.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID a333fd5a-f34b-40dc-8b76-6cb25c9661ff which can be used as unique global reference for Proliferated Constellations in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0075

Diversified Architectures

In a diversified architecture, multiple systems contribute to the same mission using platforms and payloads that may be operating in different orbits or in different domains. For example, wideband communications to fixed and mobile users can be provided by the military’s WGS system, commercial SATCOM systems, airborne communication nodes, or terrestrial networks. The Chinese BeiDou system for positioning, navigation, and timing uses a diverse set of orbits, with satellites in geostationary orbit (GEO), highly inclined GEO, and medium Earth orbit (MEO). Diversification reduces the incentive for an adversary to attack any one of these systems because the impact on the overall mission will be muted since systems in other orbits or domains can be used to compensate for losses. Moreover, attacking space systems in diversified orbits may require different capabilities for each orbital regime, and the collateral damage from such attacks, such as orbital debris, could have a much broader impact politically and economically.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 02c581f8-9d72-470a-943f-3c57081ac61e which can be used as unique global reference for Diversified Architectures in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0076

Space Domain Awareness

The credibility and effectiveness of many other types of defenses are enabled or enhanced by the ability to quickly detect, characterize, and attribute attacks against space systems. Space domain awareness (SDA) includes identifying and tracking space objects, predicting where objects will be in the future, monitoring the space environment and space weather, and characterizing the capabilities of space objects and how they are being used. Exquisite SDA—information that is more timely, precise, and comprehensive than what is publicly available—can help distinguish between accidental and intentional actions in space. SDA systems include terrestrial-based optical, infrared, and radar systems as well as space-based sensors, such as the U.S. military’s Geosynchronous Space Situational Awareness Program (GSSAP) inspector satellites. Many nations have SDA systems with various levels of capability, and an increasing number of private companies (and amateur space trackers) are developing their own space surveillance systems, making the space environment more transparent to all users.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 3f9c0d08-caab-4dae-be74-f99e5d2b3991 which can be used as unique global reference for Space Domain Awareness in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0077

Space-Based Radio Frequency Mapping

Space-based RF mapping is the ability to monitor and analyze the RF environment that affects space systems both in space and on Earth. Similar to exquisite SDA, space-based RF mapping provides space operators with a more complete picture of the space environment, the ability to quickly distinguish between intentional and unintentional interference, and the ability to detect and geolocate electronic attacks. RF mapping can allow operators to better characterize jamming and spoofing attacks from Earth or from other satellites so that other defenses can be more effectively employed.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 4d1c647c-c64c-4e68-9987-ae44df68b71b which can be used as unique global reference for Space-Based Radio Frequency Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0078

Maneuverability

Satellite maneuver is an operational tactic that can be used by satellites fitted with chemical thrusters to avoid kinetic and some directed energy ASAT weapons. For unguided projectiles, a satellite can be commanded to move out of their trajectory to avoid impact. If the threat is a guided projectile, like most direct-ascent ASAT and co-orbital ASAT weapons, maneuver becomes more difficult and is only likely to be effective if the satellite can move beyond the view of the onboard sensors on the guided warhead.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID edb47969-3c1e-4156-9449-0cff09524a87 which can be used as unique global reference for Maneuverability in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0079

Stealth Technology

Space systems can be operated and designed in ways that make them difficult to detect and track. Similar to platforms in other domains, stealthy satellites can use a smaller size, radar-absorbing coatings, radar-deflecting shapes, radar jamming and spoofing, unexpected or optimized maneuvers, and careful control of reflected radar, optical, and infrared energy to make themselves more difficult to detect and track. For example, academic research has shown that routine spacecraft maneuvers can be optimized to avoid detection by known sensors.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID a4774159-83c5-4d72-8b0b-6fb091328ea5 which can be used as unique global reference for Stealth Technology in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0080

Defensive Jamming and Spoofing

A jammer or spoofer can be used to disrupt sensors on an incoming kinetic ASAT weapon so that it cannot steer itself effectively in the terminal phase of flight. When used in conjunction with maneuver, this could allow a satellite to effectively “dodge” a kinetic attack. Similar systems could also be used to deceive SDA sensors by altering the reflected radar signal to change the location, velocity, and number of satellites detected, much like digital radio frequency memory (DRFM) jammers used on many military aircraft today. A spacebased jammer can also be used to disrupt an adversary’s ability to communicate.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQGate with an ASAT weapon.

Internal MISP references

UUID 305dbc97-df0d-48d4-9e6b-8338c66b7993 which can be used as unique global reference for Defensive Jamming and Spoofing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0081

Deception and Decoys

Deception can be used to conceal or mislead others on the “location, capability, operational status, mission type, and/or robustness” of a satellite. Public messaging, such as launch announcements, can limit information or actively spread disinformation about the capabilities of a satellite, and satellites can be operated in ways that conceal some of their capabilities. Another form of deception could be changing the capabilities or payloads on satellites while in orbit. Satellites with swappable payload modules could have on-orbit servicing vehicles that periodically move payloads from one satellite to another, further complicating the targeting calculus for an adversary because they may not be sure which type of payload is currently on which satellite. Satellites can also use tactical decoys to confuse the sensors on ASAT weapons and SDA systems. A satellite decoy can consist of an inflatable device designed to mimic the size and radar signature of a satellite, and multiple decoys can be stored on the satellite for deployment when needed. Electromagnetic decoys can also be used in space that mimic the RF signature of a satellite, similar to aircraft that use airborne decoys, such as the ADM-160 Miniature Air-launched Decoy (MALD).*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 7032881a-2939-4530-8a2c-47d443462fa7 which can be used as unique global reference for Deception and Decoys in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0082

Antenna Nulling and Adaptive Filtering

Satellites can be designed with antennas that “null” or minimize signals from a particular geographic region on the surface of the Earth or locations in space where jamming is detected. Nulling is useful when jamming is from a limited number of detectable locations, but one of the downsides is that it can also block transmissions from friendly users that fall within the nulled area. If a jammer is sufficiently close to friendly forces, the nulling antenna may not be able to block the jammer without also blocking legitimate users. Adaptive filtering, in contrast, is used to block specific frequency bands regardless of where these transmissions originate. Adaptive filtering is useful when jamming is consistently within a particular range of frequencies because these frequencies can be filtered out of the signal received on the satellite while transmissions can continue around them. However, a wideband jammer could interfere with a large enough portion of the spectrum being used that filtering out the jammed frequencies would degrade overall system performance. *

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 4bf76314-28b7-43e8-8101-acc3368a1b1a which can be used as unique global reference for Antenna Nulling and Adaptive Filtering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0083

Physical Seizure

A spacecraft capable of docking with, manipulating, or maneuvering other satellites or pieces of debris can be used to thwart spacebased attacks or mitigate the effects after an attack has occurred. Such a system could be used to physically seize a threatening satellite that is being used to attack or endanger other satellites or to capture a satellite that has been disabled or hijacked for nefarious purposes. Such a system could also be used to collect and dispose of harmful orbital debris resulting from an attack. A key limitation of a physical seizure system is that each satellite would be time- and propellant-limited depending on the orbit in which it is stored. A system stored in GEO, for example, would not be well positioned to capture an object in LEO because of the amount of propellant required to maneuver into position. Physical seizure satellites may need to be stored on Earth and deployed once they are needed to a specific orbit to counter a specific threat.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 8b88fee1-8913-4cea-8c7e-9aa9f16ac2cd which can be used as unique global reference for Physical Seizure in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0084

Electromagnetic Shielding

Satellite components can be vulnerable to the effects of background radiation in the space environment and deliberate attacks from HPM and electromagnetic pulse weapons. The effects can include data corruption on memory chips, processor resets, and short circuits that permanently damage components.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 7cd0220e-3318-48cd-821b-c5fa0a40aa7c which can be used as unique global reference for Electromagnetic Shielding in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0085

Filtering and Shuttering

Filters and shutters can be used on remote sensing satellites to protect sensors from laser dazzling and blinding. Filters can protect sensors by only allowing light of certain wavelengths to reach the sensors. Filters are not very effective against lasers operating at the same wavelengths of light the sensors are designed to detect because a filter that blocks these wavelengths would also block the sensor from its intended mission. A shutter acts by quickly blocking or diverting all light to a sensor once an anomaly is detected or a threshold is reached, which can limit damage but also temporarily interrupts the collection of data.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 4d12ecb4-b31d-47ca-b4f7-df49c42d948f which can be used as unique global reference for Filtering and Shuttering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0086

Defensive Dazzling/Blinding

Laser systems can be used to dazzle or blind the optical or infrared sensors on an incoming ASAT weapon in the terminal phase of flight. This is similar to the laser infrared countermeasures used on aircraft to defeat heat-seeking missiles. Blinding an ASAT weapon’s guidance system and then maneuvering to a new position (if necessary) could allow a satellite to effectively “dodge” a kinetic attack. It could also be used to dazzle or blind the optical sensors on inspector satellites to prevent them from imaging a satellite that wants to keep its capabilities concealed or to frustrate adversary SDA efforts.*

*https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG

Internal MISP references

UUID 9f1998b5-9c76-4f0a-b676-b8c8bfbe225c which can be used as unique global reference for Defensive Dazzling/Blinding in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0087

Organizational Policy

Documenting cyber security policies is crucial for several reasons, paramount among them being the establishment of a clear, consistent framework for managing and protecting an organization's information assets. Such documentation serves as a foundational guideline that outlines the principles, procedures, and responsibilities that govern the security of information.

Having well-documented security policies ensures that everyone in the organization, from the top management to the newest employee, is on the same page regarding security expectations and behaviors. It provides a reference point for all staff, helping them understand their roles and responsibilities in safeguarding sensitive data. By clearly defining what is expected, employees are better equipped to follow best practices and avoid actions that could compromise security.

These policies act as a guide for implementing technical controls and security measures. They inform the selection, development, and maintenance of security tools and protocols, ensuring that there is a methodical approach to securing the organization's digital assets. In the event of a security incident, having a documented policy in place provides a roadmap for response and recovery, reducing the time and resources spent in mitigating the issue.

As cybersecurity in space is an area where regulatory compliance is becoming increasingly stringent, having documented information security policies is often a legal or regulatory requirement, and not simply a best practice.

Internal MISP references

UUID c1fbcf75-7134-4925-8e27-f2b2cd1b7ec1 which can be used as unique global reference for Organizational Policy in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0088

Assessment & Authorization

The A&A process establishes the extent to which a particular design and implementation, meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates into a formal authorization package.

Internal MISP references

UUID 85f38d99-7c32-44a3-b8d1-72cd298ed2c0 which can be used as unique global reference for Assessment & Authorization in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0089

Continuous Monitoring

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Internal MISP references

UUID 7b261225-2d47-4b96-b409-b9f4d207fdf0 which can be used as unique global reference for Continuous Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	CM0090

Active Certificate Analysis

Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.

Internal MISP references

UUID 3a7f011f-7b01-4931-885a-04378d995935 which can be used as unique global reference for Active Certificate Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ACA

Application Configuration Hardening

Modifying an application's configuration to reduce its attack surface.

Internal MISP references

UUID b0a9021e-1d07-4640-adce-e33fc37cb143 which can be used as unique global reference for Application Configuration Hardening in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ACH

Application Hardening

Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.

Internal MISP references

UUID ecc52324-b4e4-4266-bcbb-85847de705d8 which can be used as unique global reference for Application Hardening in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AH

Asset Inventory

Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.

Internal MISP references

UUID f0e49418-028e-44a6-b6aa-6d6b05a317f3 which can be used as unique global reference for Asset Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AI

Account Locking

The process of temporarily disabling user accounts on a system or domain.

Internal MISP references

UUID 3f328f23-4d77-4ff9-80a1-b7ae56dd88a3 which can be used as unique global reference for Account Locking in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AL

Active Logical Link Mapping

Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection

Internal MISP references

UUID d0cb431d-d50b-4b63-aabf-746d716965a3 which can be used as unique global reference for Active Logical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ALLM

Access Modeling

Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.

Internal MISP references

UUID 8f253898-ec26-4fe0-abe9-c096446cb15e which can be used as unique global reference for Access Modeling in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AM

Administrative Network Activity Analysis

Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.

Internal MISP references

UUID 0d9337c8-c0dd-405c-a336-18be7a300083 which can be used as unique global reference for Administrative Network Activity Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ANAA

Authentication Cache Invalidation

Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.

Internal MISP references

UUID 4549ba8a-12e3-4400-8531-6555c7bffe36 which can be used as unique global reference for Authentication Cache Invalidation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ANCI

Authentication Event Thresholding

Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.

Internal MISP references

UUID f2ddeb7f-109d-4b90-9846-8a7846bcfdaa which can be used as unique global reference for Authentication Event Thresholding in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ANET

Active Physical Link Mapping

Active physical link mapping sends and receives network traffic as a means to map the physical layer.

Internal MISP references

UUID f75a973a-b395-4263-8170-a773d16b446b which can be used as unique global reference for Active Physical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-APLM

Asset Vulnerability Enumeration

Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.

Internal MISP references

UUID ae62ae05-ff90-4e8e-bbe3-ab4d6b6222f5 which can be used as unique global reference for Asset Vulnerability Enumeration in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AVE

Authorization Event Thresholding

Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.

Internal MISP references

UUID 4abe5249-95d6-4b44-a904-23c9bdaa4e89 which can be used as unique global reference for Authorization Event Thresholding in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-AZET

Bootloader Authentication

Cryptographically authenticating the bootloader software before system boot.

Internal MISP references

UUID 8ca553dd-011b-4421-afad-b4bb9f1c5fa9 which can be used as unique global reference for Bootloader Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-BA

Biometric Authentication

Using biological measures in order to authenticate a user.

Internal MISP references

UUID 4c79bf80-80be-4639-8830-262aea28ae4f which can be used as unique global reference for Biometric Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-BAN

Broadcast Domain Isolation

Broadcast isolation restricts the number of computers a host can contact on their LAN.

Internal MISP references

UUID 357c1a03-75c3-49b3-b414-232842e13b85 which can be used as unique global reference for Broadcast Domain Isolation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-BDI

Byte Sequence Emulation

Analyzing sequences of bytes and determining if they likely represent malicious shellcode.

Internal MISP references

UUID a143dfd1-2441-41c7-b6fc-a4c503b3f63b which can be used as unique global reference for Byte Sequence Emulation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-BSE

Certificate Analysis

Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.

Internal MISP references

UUID 9f1fd0ec-84ac-4e41-92a0-bc29651af296 which can be used as unique global reference for Certificate Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CA

Connection Attempt Analysis

Analyzing failed connections in a network to detect unauthorized activity.

Internal MISP references

UUID 65052d13-9c7c-4138-b8ad-92160e5d579d which can be used as unique global reference for Connection Attempt Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CAA

Certificate-based Authentication

Requiring a digital certificate in order to authenticate a user.

Internal MISP references

UUID 23060e7e-596e-4748-9358-39f9b1e76b5b which can be used as unique global reference for Certificate-based Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CBAN

Credential Compromise Scope Analysis

Determining which credentials may have been compromised by analyzing the user logon history of a particular system.

Internal MISP references

UUID a49d77dd-c29d-42d0-aecb-8ac1691d14b1 which can be used as unique global reference for Credential Compromise Scope Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CCSA

Credential Eviction

Credential Eviction techniques disable or remove compromised credentials from a computer network.

Internal MISP references

UUID 0e38e264-c15d-4e3a-9aa8-4df658c91816 which can be used as unique global reference for Credential Eviction in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CE

Credential Hardening

Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.

Internal MISP references

UUID 934a97fd-4fd1-4685-8a3c-14b475677ad9 which can be used as unique global reference for Credential Hardening in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CH

Connected Honeynet

A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.

Internal MISP references

UUID 971977ef-2f2c-4e3e-b44d-2f65a288f242 which can be used as unique global reference for Connected Honeynet in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CHN

Configuration Inventory

Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.

Internal MISP references

UUID 13e6520a-a7dd-4d72-9b17-adf7e20573f6 which can be used as unique global reference for Configuration Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CI

Certificate Pinning

Persisting either a server's X509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.

Internal MISP references

UUID 8c71797a-308c-4d98-b1f5-ca33c84fc818 which can be used as unique global reference for Certificate Pinning in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CP

Credential Revoking

Deleting a set of credentials permanently to prevent them from being used to authenticate.

Internal MISP references

UUID 80ceae24-20a1-448d-88c4-91dddd812dd4 which can be used as unique global reference for Credential Revoking in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CR

Credential Rotation

Expiring an existing set of credentials and reissuing a new valid set

Internal MISP references

UUID e656aa35-e4d0-4443-aca6-3aa491c11f1d which can be used as unique global reference for Credential Rotation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CRO

Client-server Payload Profiling

Comparing client-server request and response payloads to a baseline profile to identify outliers.

Internal MISP references

UUID f0dfdea7-2cfd-4b68-9dcf-cf219a900a59 which can be used as unique global reference for Client-server Payload Profiling in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CSPP

Credential Transmission Scoping

Limiting the transmission of a credential to a scoped set of relying parties.

Internal MISP references

UUID cbd7c0de-69c7-41e7-a243-a4537117d750 which can be used as unique global reference for Credential Transmission Scoping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-CTS

Dynamic Analysis

Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.

Internal MISP references

UUID ddc10467-2732-4733-a1c5-1ca0f58f3219 which can be used as unique global reference for Dynamic Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DA

Domain Account Monitoring

Monitoring the existence of or changes to Domain User Accounts.

Internal MISP references

UUID d3ce9dfa-ebef-4e43-b15a-706d352ed930 which can be used as unique global reference for Domain Account Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DAM

Dead Code Elimination

Removing unreachable or "dead code" from compiled source code.

Internal MISP references

UUID 3f7a7a58-9b06-4d68-a09c-d14c1c524aa2 which can be used as unique global reference for Dead Code Elimination in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DCE

Decoy Environment

A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.

Internal MISP references

UUID 4ba131a6-fec8-48ca-bf25-075142a39074 which can be used as unique global reference for Decoy Environment in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DE

Data Exchange Mapping

Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.

Internal MISP references

UUID bb77e2f8-ea05-43a9-ac6b-09a531b3103a which can be used as unique global reference for Data Exchange Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DEM

Disk Encryption

Encrypting a hard disk partition to prevent cleartext access to a file system.

Internal MISP references

UUID 151a5b8a-0673-4867-b923-7f2ad1c3e23d which can be used as unique global reference for Disk Encryption in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DENCR

Decoy File

A file created for the purposes of deceiving an adversary.

Internal MISP references

UUID 7c6b11fd-a923-4af3-aad1-e9b2d1a4b2d5 which can be used as unique global reference for Decoy File in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DF

Data Inventory

Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.

Internal MISP references

UUID aa19e8f9-423e-41cc-b217-51279f44dad4 which can be used as unique global reference for Data Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DI

Driver Load Integrity Checking

Ensuring the integrity of drivers loaded during initialization of the operating system.

Internal MISP references

UUID dec20226-130a-4af3-95cc-6eb0f6a7d177 which can be used as unique global reference for Driver Load Integrity Checking in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DLIC

Decoy Network Resource

Deploying a network resource for the purposes of deceiving an adversary.

Internal MISP references

UUID e81504fe-4cd5-4faf-a0c3-a5e8ee0622a8 which can be used as unique global reference for Decoy Network Resource in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DNR

Domain Name Reputation Analysis

Analyzing the reputation of a domain name.

Internal MISP references

UUID 7eda1025-d53d-4238-8de7-d962e7959da2 which can be used as unique global reference for Domain Name Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DNRA

DNS Allowlisting

Permitting only approved domains and their subdomains to be resolved.

Internal MISP references

UUID 6de13f75-ac37-4595-a601-37d5e12fb886 which can be used as unique global reference for DNS Allowlisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DNSAL

DNS Denylisting

Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.

Internal MISP references

UUID 32ee7bab-250a-493b-b48d-28ab3e253b0f which can be used as unique global reference for DNS Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DNSDL

DNS Traffic Analysis

Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.

Internal MISP references

UUID e9ee751e-024d-4283-ac87-8417529948cf which can be used as unique global reference for DNS Traffic Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DNSTA

Decoy Object

A Decoy Object is created and deployed for the purposes of deceiving attackers.

Internal MISP references

UUID caa94afa-ccb2-45ca-ab85-d8023616bf3a which can be used as unique global reference for Decoy Object in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DO

Decoy Persona

Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.

Internal MISP references

UUID d06e8b57-8df2-43f0-aacf-7f5e28599274 which can be used as unique global reference for Decoy Persona in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DP

Decoy Public Release

Issuing publicly released media to deceive adversaries.

Internal MISP references

UUID a854dfc4-6787-4f3d-9e41-ece6f39b00f0 which can be used as unique global reference for Decoy Public Release in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DPR

Database Query String Analysis

Analyzing database queries to detect SQL Injection.

Internal MISP references

UUID 7b8468ec-5fb1-44fd-ba17-ef0f19e5924f which can be used as unique global reference for Database Query String Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DQSA

Decoy Session Token

An authentication token created for the purposes of deceiving an adversary.

Internal MISP references

UUID 3b41f97b-8937-413d-978a-8fad6fd0d8f1 which can be used as unique global reference for Decoy Session Token in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DST

Domain Trust Policy

Restricting inter-domain trust by modifying domain configuration.

Internal MISP references

UUID 99911127-add6-4dea-b1e5-c222f535a8aa which can be used as unique global reference for Domain Trust Policy in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DTP

Decoy User Credential

A Credential created for the purpose of deceiving an adversary.

Internal MISP references

UUID 8eaf5397-ac21-4fb5-8346-32c8e8fd60b9 which can be used as unique global reference for Decoy User Credential in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-DUC

Executable Allowlisting

Using a digital signature to authenticate a file before opening.

Internal MISP references

UUID 308f17cb-855b-41ff-bce6-1eb00a21277b which can be used as unique global reference for Executable Allowlisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EAL

Executable Denylisting

Blocking the execution of files on a host in accordance with defined application policy rules.

Internal MISP references

UUID 83a17b1e-f93c-4fe9-af81-6fa014cced90 which can be used as unique global reference for Executable Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EDL

Emulated File Analysis

Emulating instructions in a file looking for specific patterns.

Internal MISP references

UUID 69d75de0-2776-4835-ad58-3ece8afa8d7e which can be used as unique global reference for Emulated File Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EFA

Endpoint Health Beacon

Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.

Internal MISP references

UUID b30f14e8-c485-4840-811e-a41f4a3b0f9f which can be used as unique global reference for Endpoint Health Beacon in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EHB

Exception Handler Pointer Validation

Validates that a referenced exception handler pointer is a valid exception handler.

Internal MISP references

UUID caf0ad36-bb1b-4bf3-a6f9-907aa3a9cf2a which can be used as unique global reference for Exception Handler Pointer Validation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EHPV

Execution Isolation

Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.

Internal MISP references

UUID 329bba7f-21df-4492-b69d-0bb512f90dc8 which can be used as unique global reference for Execution Isolation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-EI

Email Removal

The email removal technique deletes email files from system storage.

Internal MISP references

UUID 4e80843c-54e6-4295-a9b4-5a2759fe0744 which can be used as unique global reference for Email Removal in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ER

Encrypted Tunnels

Encrypted encapsulation of routable network traffic.

Internal MISP references

UUID 89124cd3-81f0-4449-a3d6-d39d51be5a5a which can be used as unique global reference for Encrypted Tunnels in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ET

File Analysis

File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.

Internal MISP references

UUID 41f8207b-4b47-4802-8b76-06d5d7e86e29 which can be used as unique global reference for File Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FA

File Access Pattern Analysis

Analyzing the files accessed by a process to identify unauthorized activity.

Internal MISP references

UUID 1e65cc21-611a-4d7a-ae23-53d1d580f9ea which can be used as unique global reference for File Access Pattern Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FAPA

Firmware Behavior Analysis

Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.

Internal MISP references

UUID ee1ca508-dd1b-4eba-a611-e25e629424b5 which can be used as unique global reference for Firmware Behavior Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FBA

File Carving

Identifying and extracting files from network application protocols through the use of network stream reassembly software.

Internal MISP references

UUID fd0a9088-940c-4383-8aba-91108c8c3bf1 which can be used as unique global reference for File Carving in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FC

File Creation Analysis

Analyzing the properties of file create system call invocations.

Internal MISP references

UUID b57d499a-8edf-4e08-9fb1-66cb9e4ec4c1 which can be used as unique global reference for File Creation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FCA

File Content Rules

Employing a pattern matching rule language to analyze files.

Internal MISP references

UUID 287dfb2c-6fdd-46a7-86fb-e21f2aa33ba6 which can be used as unique global reference for File Content Rules in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FCR

File Encryption

Encrypting a file using a cryptographic key.

Internal MISP references

UUID 5eb3a804-70ab-43ac-aa8e-8e428e009d34 which can be used as unique global reference for File Encryption in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FE

Firmware Embedded Monitoring Code

Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.

Internal MISP references

UUID 3b534942-2cb7-4ee8-a60f-f9b8b2e3c2a9 which can be used as unique global reference for Firmware Embedded Monitoring Code in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FEMC

File Eviction

File eviction techniques evict files from system storage.

Internal MISP references

UUID a0efff4b-f79f-4d92-a723-40a08d57b632 which can be used as unique global reference for File Eviction in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FEV

File Hashing

Employing file hash comparisons to detect known malware.

Internal MISP references

UUID dcf5ba00-5ec5-42ab-978e-360963f4ae9a which can be used as unique global reference for File Hashing in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FH

File Hash Reputation Analysis

Analyzing the reputation of a file hash.

Internal MISP references

UUID f41cd353-420f-4c03-8acf-8e676e36c021 which can be used as unique global reference for File Hash Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FHRA

File Removal

The file removal technique deletes malicious artifacts or programs from a computer system.

Internal MISP references

UUID c623ab32-1f13-4934-8444-5513d35227d3 which can be used as unique global reference for File Removal in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FR

Forward Resolution Domain Denylisting

Blocking a lookup based on the query's domain name value.

Internal MISP references

UUID 8908689d-ce49-4cc7-8d7a-d0b8741aebdc which can be used as unique global reference for Forward Resolution Domain Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FRDDL

Forward Resolution IP Denylisting

Blocking a DNS lookup's answer's IP address value.

Internal MISP references

UUID 748a48a9-ecf2-4357-b2ff-e1715b6f3e20 which can be used as unique global reference for Forward Resolution IP Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FRIDL

Firmware Verification

Cryptographically verifying firmware integrity.

Internal MISP references

UUID 54e3cb13-a80a-4250-913e-4a88398c5052 which can be used as unique global reference for Firmware Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-FV

Hardware-based Process Isolation

Preventing one process from writing to the memory space of another process through hardware based address manager implementations.

Internal MISP references

UUID b5cc4308-e963-4b5d-84b8-220fd3746467 which can be used as unique global reference for Hardware-based Process Isolation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-HBPI

Hardware Component Inventory

Hardware component inventorying identifies and records the hardware items in the organization's architecture.

Internal MISP references

UUID 4ccfe671-aa5e-4607-8a7e-974d4c31e301 which can be used as unique global reference for Hardware Component Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-HCI

Homoglyph Detection

Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.

Internal MISP references

UUID 89cdf82c-0f1d-4007-ae62-32db7cc1011c which can be used as unique global reference for Homoglyph Detection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-HD

Hierarchical Domain Denylisting

Blocking the resolution of any subdomain of a specified domain name.

Internal MISP references

UUID d175053b-eb4d-4d86-9372-b2d6b3751c8e which can be used as unique global reference for Hierarchical Domain Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-HDDL

Homoglyph Denylisting

Blocking DNS queries that are deceptively similar to legitimate domain names.

Internal MISP references

UUID e6777bbe-9dc0-40b2-aad6-e7319bef0c19 which can be used as unique global reference for Homoglyph Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-HDL

Identifier Activity Analysis

Taking known malicious identifiers and determining if they are present in a system.

Internal MISP references

UUID 7dd12318-962e-4b29-8911-74311b3a410f which can be used as unique global reference for Identifier Activity Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IAA

Indirect Branch Call Analysis

Analyzing vendor specific branch call recording in order to detect ROP style attacks.

Internal MISP references

UUID 24d6833c-75c6-4ee9-944e-be64081d11e6 which can be used as unique global reference for Indirect Branch Call Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IBCA

Identifier Analysis

Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.

Internal MISP references

UUID 010b6040-e3db-40d3-b370-62b263f413d2 which can be used as unique global reference for Identifier Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ID

Input Device Analysis

Operating system level mechanisms to prevent abusive input device exploitation.

Internal MISP references

UUID 7fa21507-0a61-4c81-a430-53d8aa8d09fc which can be used as unique global reference for Input Device Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IDA

Integrated Honeynet

The practice of setting decoys in a production environment to entice interaction from attackers.

Internal MISP references

UUID 12c0af00-b665-4e80-9661-c057f0a334c8 which can be used as unique global reference for Integrated Honeynet in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IHN

IO Port Restriction

Limiting access to computer input/output (IO) ports to restrict unauthorized devices.

Internal MISP references

UUID a5f3d290-4640-4ac6-bcfe-167ea67b3902 which can be used as unique global reference for IO Port Restriction in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IOPR

IPC Traffic Analysis

Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.

Internal MISP references

UUID 2d8bfd6e-6e32-4562-803b-d45813f6531e which can be used as unique global reference for IPC Traffic Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IPCTA

IP Reputation Analysis

Analyzing the reputation of an IP address.

Internal MISP references

UUID 1c03bd42-cb32-430c-9dd9-eb246931a191 which can be used as unique global reference for IP Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IPRA

Identifier Reputation Analysis

Analyzing the reputation of an identifier.

Internal MISP references

UUID 52038ba1-eb82-4eef-a613-40a1857dd961 which can be used as unique global reference for Identifier Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-IRA

Inbound Session Volume Analysis

Analyzing inbound network session or connection attempt volume.

Internal MISP references

UUID b8ef50b2-02f7-4698-ab75-7658d652ffe1 which can be used as unique global reference for Inbound Session Volume Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ISVA

Inbound Traffic Filtering

Restricting network traffic originating from untrusted networks destined towards a private host or enclave.

Internal MISP references

UUID fda9107c-a5c8-41ba-8a36-42a8777b4f12 which can be used as unique global reference for Inbound Traffic Filtering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ITF

Job Function Access Pattern Analysis

Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.

Internal MISP references

UUID eb7ed222-aa68-470f-8ce0-2ee30baa947a which can be used as unique global reference for Job Function Access Pattern Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-JFAPA

Kernel-based Process Isolation

Using kernel-level capabilities to isolate processes.

Internal MISP references

UUID 2ef44954-0f55-4b04-8b34-236649fa8648 which can be used as unique global reference for Kernel-based Process Isolation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-KBPI

Local Account Monitoring

Analyzing local user accounts to detect unauthorized activity.

Internal MISP references

UUID 82c491d2-952f-4e8b-b753-8ccba0d910ff which can be used as unique global reference for Local Account Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-LAM

Local File Permissions

Restricting access to a local file by configuring operating system functionality.

Internal MISP references

UUID 69636191-6e68-4df7-a7e8-fa0bbf55eb3f which can be used as unique global reference for Local File Permissions in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-LFP

Logical Link Mapping

Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.

Internal MISP references

UUID 57eb9098-0a2d-4f21-89f0-47c55011123a which can be used as unique global reference for Logical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-LLM

Message Analysis

Analyzing email or instant message content to detect unauthorized activity.

Internal MISP references

UUID 6bc43841-e7da-4c7d-8d21-dee052e4a971 which can be used as unique global reference for Message Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MA

Mandatory Access Control

Controlling access to local computer system resources with kernel-level capabilities.

Internal MISP references

UUID 5d725298-91c8-46fe-b7d5-cf2487512243 which can be used as unique global reference for Mandatory Access Control in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MAC

Message Authentication

Authenticating the sender of a message and ensuring message integrity.

Internal MISP references

UUID e09fbdee-28e0-40b8-b2f2-22c7041832d2 which can be used as unique global reference for Message Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MAN

Memory Boundary Tracking

Analyzing a call stack for return addresses which point to unexpected memory locations.

Internal MISP references

UUID e625d9b0-98ad-4aa9-945b-3f9788c72d51 which can be used as unique global reference for Memory Boundary Tracking in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MBT

Message Encryption

Encrypting a message body using a cryptographic key.

Internal MISP references

UUID 4ba62c4d-4b3e-4aa3-bf18-cd2560203208 which can be used as unique global reference for Message Encryption in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MENCR

Multi-factor Authentication

Requiring proof of two or more pieces of evidence in order to authenticate a user.

Internal MISP references

UUID 43991551-1ae2-4b51-9552-fb3d19de095d which can be used as unique global reference for Multi-factor Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MFA

Message Hardening

Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.

Internal MISP references

UUID fdd2c115-9b33-4435-b168-b7dfb90d8b83 which can be used as unique global reference for Message Hardening in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-MH

Network Isolation

Network Isolation techniques prevent network hosts from accessing non-essential system network resources.

Internal MISP references

UUID 64c85711-92d5-4074-aef6-0ae3711fecf9 which can be used as unique global reference for Network Isolation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NI

Network Mapping

Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.

Internal MISP references

UUID fede37c9-d469-425c-96c9-366f30726fa9 which can be used as unique global reference for Network Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NM

Network Node Inventory

Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.

Internal MISP references

UUID 8bed7f9c-0497-49ba-aa4b-043207ddc64b which can be used as unique global reference for Network Node Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NNI

Network Traffic Analysis

Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.

Internal MISP references

UUID a700e4e9-42c6-4e25-b6b3-c9bf9f5a697b which can be used as unique global reference for Network Traffic Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NTA

Network Traffic Community Deviation

Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.

Internal MISP references

UUID d7eccdb8-34cf-4926-9d24-8eb794821ea2 which can be used as unique global reference for Network Traffic Community Deviation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NTCD

Network Traffic Filtering

Restricting network traffic originating from any location.

Internal MISP references

UUID bdd2089a-ec91-4790-aee4-ece79b6d340b which can be used as unique global reference for Network Traffic Filtering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NTF

Network Traffic Policy Mapping

Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels.

Internal MISP references

UUID 4e7a5fbf-5b8c-4688-a304-3b6238bdfc3b which can be used as unique global reference for Network Traffic Policy Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NTPM

Network Vulnerability Assessment

Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.

Internal MISP references

UUID 88a6a153-318d-4cf0-b161-d6146f9301c9 which can be used as unique global reference for Network Vulnerability Assessment in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-NVA

Operational Activity Mapping

Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.,Identifying staff and organizational structure is part of operational activity mapping. One inventories assets; people are not assets, but are resources. Grasping operations and activities (missions) and mapping them to people is (notionally) last phase of modeling architecture.

Internal MISP references

UUID 36afaf65-9617-451a-ac00-aa4594661e31 which can be used as unique global reference for Operational Activity Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-OAM

Operational Dependency Mapping

Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.

Internal MISP references

UUID 15807395-1e6e-4fdb-b9c4-8c3ddc44c03d which can be used as unique global reference for Operational Dependency Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ODM

Organization Mapping

Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.

Internal MISP references

UUID a7a8ed05-544a-4a11-a900-282f7b906b1f which can be used as unique global reference for Organization Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-OM

Operational Risk Assessment

Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.

Internal MISP references

UUID 909ed8dd-ecd4-48d2-8e7b-338c77d15f95 which can be used as unique global reference for Operational Risk Assessment in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-ORA

Operating System Monitoring

The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute Operating System Monitoring.

Internal MISP references

UUID 4d3395a5-e1b1-4864-adc2-1358c4225238 which can be used as unique global reference for Operating System Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-OSM

Outbound Traffic Filtering

Restricting network traffic originating from a private host or enclave destined towards untrusted networks.

Internal MISP references

UUID f6888626-6d3b-4f59-8d4d-c700ec7c7c32 which can be used as unique global reference for Outbound Traffic Filtering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-OTF

One-time Password

A one-time password is valid for only one user authentication.

Internal MISP references

UUID 42292a63-1f16-4478-bedd-1097cfe9150c which can be used as unique global reference for One-time Password in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-OTP

Process Analysis

Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.

Internal MISP references

UUID 7dc61967-f059-46fe-81ad-d13daab75005 which can be used as unique global reference for Process Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PA

Pointer Authentication

Comparing the cryptographic hash or derivative of a pointer's value to an expected value.

Internal MISP references

UUID d8fb2da6-7c5d-47e3-be5d-820fe74df0f0 which can be used as unique global reference for Pointer Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PAN

Passive Certificate Analysis

['Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.', 'Passively collecting certificates and analyzing them.']

Internal MISP references

UUID 0c96ac67-e4b7-4d46-996b-f49eecf13b15 which can be used as unique global reference for Passive Certificate Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PCA

Process Code Segment Verification

Comparing the "text" or "code" memory segments to a source of truth.

Internal MISP references

UUID e7f3ad06-a597-4c01-b9e2-c9c8b3b4bcae which can be used as unique global reference for Process Code Segment Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PCSV

Process Eviction

Process eviction techniques terminate or remove running process.

Internal MISP references

UUID 3a28387b-636c-4a0e-8c5c-885bf301826e which can be used as unique global reference for Process Eviction in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PE

Peripheral Firmware Verification

Cryptographically verifying peripheral firmware integrity.

Internal MISP references

UUID 94598a34-aff6-44a7-be01-795f71a33a2b which can be used as unique global reference for Peripheral Firmware Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PFV

Platform Hardening

Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms includes components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components

Internal MISP references

UUID 1a7bd975-47d7-4a8c-8063-59daddd1dd47 which can be used as unique global reference for Platform Hardening in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PH

Per Host Download-Upload Ratio Analysis

Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.

Internal MISP references

UUID 2167d85d-0abc-4a10-abd9-2929c66d5d90 which can be used as unique global reference for Per Host Download-Upload Ratio Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PHDURA

Process Lineage Analysis

Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.

Internal MISP references

UUID 23671960-0002-4795-bd30-33773f384fe5 which can be used as unique global reference for Process Lineage Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PLA

Passive Logical Link Mapping

Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.

Internal MISP references

UUID 1c4cb961-adb7-454c-9720-e489948775ea which can be used as unique global reference for Passive Logical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PLLM

Physical Link Mapping

Physical link mapping identifies and models the link connectivity of the network devices within a physical network.

Internal MISP references

UUID cf8e3998-f0f5-4536-abd5-a34569c3c793 which can be used as unique global reference for Physical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PLM

Platform Monitoring

Monitoring platform components such as operating systems software, hardware devices, or firmware.

Internal MISP references

UUID 98e05e33-eafb-41c4-9979-fe3cc0498443 which can be used as unique global reference for Platform Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PM

Protocol Metadata Anomaly Detection

Collecting network communication protocol metadata and identifying statistical outliers.

Internal MISP references

UUID 00238f18-aa4a-4267-8651-c13a44d9af84 which can be used as unique global reference for Protocol Metadata Anomaly Detection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PMAD

Passive Physical Link Mapping

Passive physical link mapping only listens to network traffic as a means to map the physical layer.

Internal MISP references

UUID f9c066f6-72ed-4bb3-8565-eb2113874007 which can be used as unique global reference for Passive Physical Link Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PPLM

Process Suspension

Suspending a running process on a computer system.

Internal MISP references

UUID 7358fc25-af5d-4c9e-af33-876d2241a10e which can be used as unique global reference for Process Suspension in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PS

Process Spawn Analysis

Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.

Internal MISP references

UUID dbd79639-b0f8-4e2d-81ca-644498f30c0a which can be used as unique global reference for Process Spawn Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PSA

Process Segment Execution Prevention

Preventing execution of any address in a memory region other than the code segment.

Internal MISP references

UUID 32ef4ee4-56a7-4dc1-89c5-84c0a12f7e5a which can be used as unique global reference for Process Segment Execution Prevention in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PSEP

Process Self-Modification Detection

Detects processes that modify, change, or replace their own code at runtime.

Internal MISP references

UUID 395da252-4893-47ce-83ca-f9e834df1bae which can be used as unique global reference for Process Self-Modification Detection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PSMD

Process Termination

Terminating a running application process on a computer system.

Internal MISP references

UUID 470ba631-b817-4bb5-8391-6574b8bda6c1 which can be used as unique global reference for Process Termination in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-PT

Resource Access Pattern Analysis

Analyzing the resources accessed by a user to identify unauthorized activity.

Internal MISP references

UUID 1e9d8190-de11-43cf-a77a-d47d9e6da471 which can be used as unique global reference for Resource Access Pattern Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RAPA

RF Shielding

Adding physical barriers to a platform to prevent undesired radio interference.

Internal MISP references

UUID dc595c06-a52e-4461-b8cc-692559a8b486 which can be used as unique global reference for RF Shielding in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RFS

Relay Pattern Analysis

The detection of an internal host relaying traffic between the internal network and the external network.

Internal MISP references

UUID 37ddc6e8-9f47-462e-a25d-02c2ac6e8ac1 which can be used as unique global reference for Relay Pattern Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RPA

Reverse Resolution Domain Denylisting

Blocking a reverse DNS lookup's answer's domain name value.

Internal MISP references

UUID 47deb757-9d89-4083-816f-8501b7939922 which can be used as unique global reference for Reverse Resolution Domain Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RRDD

Reverse Resolution IP Denylisting

Blocking a reverse lookup based on the query's IP address value.

Internal MISP references

UUID 3877abb8-ea91-4ea8-8a1a-bcaac608aed8 which can be used as unique global reference for Reverse Resolution IP Denylisting in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RRID

RPC Traffic Analysis

Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.

Internal MISP references

UUID 871087df-4230-4d71-bc5f-af04e07005cf which can be used as unique global reference for RPC Traffic Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RTA

Remote Terminal Session Detection

Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.

Internal MISP references

UUID 144e807c-7bc2-4a42-b3d4-29fd34964242 which can be used as unique global reference for Remote Terminal Session Detection in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-RTSD

Segment Address Offset Randomization

Randomizing the base (start) address of one or more segments of memory during the initialization of a process.

Internal MISP references

UUID dff7762a-e325-4efb-b9ee-1dca0cb70ef3 which can be used as unique global reference for Segment Address Offset Randomization in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SAOR

Service Binary Verification

Analyzing changes in service binary files by comparing to a source of truth.

Internal MISP references

UUID 86dd4ff0-cc55-440d-90b8-c2c461327b56 which can be used as unique global reference for Service Binary Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SBV

System Call Analysis

Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.

Internal MISP references

UUID 305df1b2-a538-4e13-b53c-69f288d32888 which can be used as unique global reference for System Call Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SCA

System Call Filtering

Configuring a kernel to use an allow or deny list to filter kernel api calls.

Internal MISP references

UUID 807982ff-14b2-4790-b40a-c6e45d3e329f which can be used as unique global reference for System Call Filtering in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SCF

System Configuration Permissions

Restricting system configuration modifications to a specific user or group of users.

Internal MISP references

UUID ff75c739-d8eb-4e93-8685-dfb4c04f14e6 which can be used as unique global reference for System Configuration Permissions in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SCP

Session Duration Analysis

Analyzing the duration of user sessions in order to detect unauthorized activity.

Internal MISP references

UUID aa01a5a7-7378-48f3-81eb-ee59e7d9d9b5 which can be used as unique global reference for Session Duration Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SDA

System Daemon Monitoring

Tracking changes to the state or configuration of critical system level processes.

Internal MISP references

UUID cd2dfe1c-0031-4fd4-9c1a-42e29468d4d2 which can be used as unique global reference for System Daemon Monitoring in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SDM

Script Execution Analysis

Analyzing the execution of a script to detect unauthorized user activity.

Internal MISP references

UUID 3d2f5731-5b67-4713-869b-a0a5860c98d6 which can be used as unique global reference for Script Execution Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SEA

System File Analysis

Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.

Internal MISP references

UUID 4f973798-4f47-4605-bc08-fb55fde50af8 which can be used as unique global reference for System File Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SFA

Stack Frame Canary Validation

Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.

Internal MISP references

UUID 6fe255e5-dc7d-4345-a08c-544d45aea74a which can be used as unique global reference for Stack Frame Canary Validation in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SFCV

System Firmware Verification

Cryptographically verifying installed system firmware integrity.

Internal MISP references

UUID a18b770d-8ff8-45e0-ad1b-37baa0bfcc6a which can be used as unique global reference for System Firmware Verification in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SFV

Standalone Honeynet

An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.

Internal MISP references

UUID b0c95b8c-95cd-4017-b8a2-bdf9d521ebe2 which can be used as unique global reference for Standalone Honeynet in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SHN

System Init Config Analysis

Analysis of any system process startup configuration.

Internal MISP references

UUID b681ecb5-75b3-4e28-890a-d872092e37ac which can be used as unique global reference for System Init Config Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SICA

Scheduled Job Analysis

Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.

Internal MISP references

UUID 40aade5e-ec8a-40e5-be4e-91e8b1c50e2e which can be used as unique global reference for Scheduled Job Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SJA

Sender MTA Reputation Analysis

Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.

Internal MISP references

UUID d59371b6-a07e-4067-a486-98ea681b628e which can be used as unique global reference for Sender MTA Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SMRA

Strong Password Policy

Modifying system configuration to increase password strength.

Internal MISP references

UUID d646aca3-1b94-4055-8c7f-d35a540fc352 which can be used as unique global reference for Strong Password Policy in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SPP

Sender Reputation Analysis

Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).

Internal MISP references

UUID aa2082b6-f121-4a93-a927-c3802afdaa15 which can be used as unique global reference for Sender Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SRA

Shadow Stack Comparisons

Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.

Internal MISP references

UUID 85ad8cb4-7878-4423-943d-97ec01b3e6db which can be used as unique global reference for Shadow Stack Comparisons in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SSC

Software Update

Replacing old software on a computer system component.

Internal MISP references

UUID da9a1083-7197-46a6-ba8c-a15736542ed5 which can be used as unique global reference for Software Update in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SU

Service Dependency Mapping

Service dependency mapping determines the services on which each given service relies.

Internal MISP references

UUID 8aff1f84-85dc-4280-8ef2-9ea729308a38 which can be used as unique global reference for Service Dependency Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SVCDM

Software Inventory

Software inventorying identifies and records the software items in the organization's architecture.

Internal MISP references

UUID f5c8acec-85d9-4443-8363-44b753e290bf which can be used as unique global reference for Software Inventory in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SWI

System Dependency Mapping

System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.

Internal MISP references

UUID e3dd0f0a-2788-45c9-a9a2-449addf9e329 which can be used as unique global reference for System Dependency Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SYSDM

System Mapping

System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.

Internal MISP references

UUID 3a4cd9e7-b4eb-439e-a7b2-83e38fb68475 which can be used as unique global reference for System Mapping in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SYSM

System Vulnerability Assessment

System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.

Internal MISP references

UUID 6934a9e8-1df8-4189-af16-b8f500072f03 which can be used as unique global reference for System Vulnerability Assessment in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-SYSVA

Transfer Agent Authentication

Validating that server components of a messaging infrastructure are authorized to send a particular message.

Internal MISP references

UUID 81c2fad4-0a2f-4058-9206-67049c2b828e which can be used as unique global reference for Transfer Agent Authentication in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-TAAN

TPM Boot Integrity

Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).

Internal MISP references

UUID 6a3fb783-0475-431d-85fd-9e9ebcd33ecb which can be used as unique global reference for TPM Boot Integrity in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-TBI

URL Analysis

Determining if a URL is benign or malicious by analyzing the URL or its components.

Internal MISP references

UUID 577775c8-64b6-4941-b03d-e3f2ec6a057a which can be used as unique global reference for URL Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-UA

User Account Permissions

Restricting a user account's access to resources.

Internal MISP references

UUID 7f057852-58e0-436d-bbd0-0f3779c78816 which can be used as unique global reference for User Account Permissions in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-UAP

User Behavior Analysis

Analysis of user behavior and patterns for the purpose of detecting unauthorized user activity.,User behavior analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns-anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

Internal MISP references

UUID 15b3cdd4-6880-4b92-af3f-fa5cf0940a83 which can be used as unique global reference for User Behavior Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-UBA

User Data Transfer Analysis

Analyzing the amount of data transferred by a user.

Internal MISP references

UUID 808e6290-359b-457a-9922-32c25efd0c26 which can be used as unique global reference for User Data Transfer Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-UDTA

User Geolocation Logon Pattern Analysis

Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.

Internal MISP references

UUID bfdac0df-f0b9-4e80-a9f2-6d8a42a081a3 which can be used as unique global reference for User Geolocation Logon Pattern Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-UGLPA

URL Reputation Analysis

Analyzing the reputation of a URL.

Internal MISP references

UUID 3d156572-a75d-4ef6-89d6-0d8da9bf885b which can be used as unique global reference for URL Reputation Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-URA

User Session Init Config Analysis

Analyzing modifications to user session config files such as .bashrc or .bash_profile.

Internal MISP references

UUID 7699290a-e38d-4ba2-aacf-4c093338788a which can be used as unique global reference for User Session Init Config Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-USICA

Web Session Activity Analysis

Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.

Internal MISP references

UUID aba0c932-214a-41c6-8264-c6ef27f05689 which can be used as unique global reference for Web Session Activity Analysis in MISP communities and other software using the MISP galaxy

External references

Associated metadata

Metadata key	Value
external_id	D3-WSAA