Harden
Definition
The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.
Techniques
There are 45 techniques in this category, Harden.
Name | ID | Definition | Synonyms |
---|---|---|---|
Agent Authentication | D3-AA | Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system. | |
- Token-based Authentication | D3-TBA | Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials. | |
- Password Authentication | D3-PWA | Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity. | |
- Multi-factor Authentication | D3-MFA | Requiring proof of two or more pieces of evidence in order to authenticate a user. | |
- Biometric Authentication | D3-BAN | Using biological measures in order to authenticate a user. | |
- Certificate-based Authentication | D3-CBAN | Requiring a digital certificate in order to authenticate a user. | |
Application Hardening | D3-AH | Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary. | Process Hardening |
- Pointer Authentication | D3-PAN | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. | |
- Application Configuration Hardening | D3-ACH | Modifying an application's configuration to reduce its attack surface. | |
- Dead Code Elimination | D3-DCE | Removing unreachable or "dead code" from compiled source code. | |
- Exception Handler Pointer Validation | D3-EHPV | Validates that a referenced exception handler pointer is a valid exception handler. | Exception Handler Validation |
- Process Segment Execution Prevention | D3-PSEP | Preventing execution of any address in a memory region other than the code segment. | Execute Disable and No Execute |
- Segment Address Offset Randomization | D3-SAOR | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. | Address Space Layout Randomization and ASLR |
- Stack Frame Canary Validation | D3-SFCV | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. | |
Credential Hardening | D3-CH | Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials. | |
- Token Binding | D3-TB | Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection. | |
- Certificate Pinning | D3-CP | Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections. | |
- Certificate Rotation | D3-CERO | Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications. | |
- Password Rotation | D3-PR | Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials. | |
- One-time Password | D3-OTP | A one-time password is valid for only one user authentication. | OTP |
- Strong Password Policy | D3-SPP | Modifying system configuration to increase password strength. | |
- Credential Rotation | D3-CRO | Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access. | |
Message Hardening | D3-MH | Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages. | Email Or Messaging Hardening |
- Message Authentication | D3-MAN | Authenticating the sender of a message and ensuring message integrity. | |
- Message Encryption | D3-MENCR | Encrypting a message body using a cryptographic key. | |
- Transfer Agent Authentication | D3-TAAN | Validating that server components of a messaging infrastructure are authorized to send a particular message. | |
Platform Hardening | D3-PH | Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as: BIOS UEFI Subsystems; hardware security devices such as Trusted Platform Modules; boot process logic or code; kernel software components. | Endpoint Hardening and System Hardening |
- File Encryption | D3-FE | Encrypting a file using a cryptographic key. | |
- Bootloader Authentication | D3-BA | Cryptographically authenticating the bootloader software before system boot. | Secure Boot |
- Disk Encryption | D3-DENCR | Encrypting a hard disk partition to prevent cleartext access to a file system. | |
- Driver Load Integrity Checking | D3-DLIC | Ensuring the integrity of drivers loaded during initialization of the operating system. | |
- RF Shielding | D3-RFS | Adding physical barriers to a platform to prevent undesired radio interference. | |
- Software Update | D3-SU | Replacing old software on a computer system component. | |
- System Configuration Permissions | D3-SCP | Restricting system configuration modifications to a specific user or group of users. | |
- TPM Boot Integrity | D3-TBI | Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM). | Static Root of Trust Measurement and STRM |
Source Code Hardening | D3-SCH | Hardening source code with the intention of making it more difficult to exploit and less error prone. | |
- Integer Range Validation | D3-IRV | Ensuring that an integer is within a valid range. | |
- Pointer Validation | D3-PV | Ensuring that a pointer variable has the required properties for use. | |
- Reference Nullification | D3-RN | Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation. | |
- Trusted Library | D3-TL | A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific functions. These libraries are considered reliable and have been vetted for security vulnerabilities, ensuring they do not introduce risks into the application. | |
- Variable Initialization | D3-VI | Setting variables to a known value before use. | |
- Variable Type Validation | D3-VTV | Ensuring that a variable has the correct type. | |
- Credential Scrubbing | D3-CS | The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access. | |
- Memory Block Start Validation | D3-MBSV | Ensuring that a pointer accurately references the beginning of a designated memory block. | |
- Null Pointer Checking | D3-NPC | Checking if a pointer is NULL. | Nil Pointer Checking |
D3FEND™
A knowledge graph of cybersecurity countermeasures