Harden
Definition
The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.
Techniques
There are 33 techniques in this category, Harden.
Name | ID | Definition | Synonyms |
---|---|---|---|
Application Hardening | D3-AH | Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary. | Process Hardening |
- Application Configuration Hardening | D3-ACH | Modifying an application's configuration to reduce its attack surface. | |
- Dead Code Elimination | D3-DCE | Removing unreachable or "dead code" from compiled source code. | |
- Exception Handler Pointer Validation | D3-EHPV | Validates that a referenced exception handler pointer is a valid exception handler. | Exception Handler Validation |
- Segment Address Offset Randomization | D3-SAOR | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. | Address Space Layout Randomization, ASLR |
- Stack Frame Canary Validation | D3-SFCV | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. | |
- Pointer Authentication | D3-PAN | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. | |
- Process Segment Execution Prevention | D3-PSEP | Preventing execution of any address in a memory region other than the code segment. | Execute Disable, No Execute |
Credential Hardening | D3-CH | Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials. | |
- Biometric Authentication | D3-BAN | Using biological measures in order to authenticate a user. | |
- Certificate-based Authentication | D3-CBAN | Requiring a digital certificate in order to authenticate a user. | |
- Certificate Pinning | D3-CP | Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity, to give the client greater confidence in the remote server's identity for SSL connections. | |
- Credential Transmission Scoping | D3-CTS | Limiting the transmission of a credential to a scoped set of relying parties. | Phishing Resistant Authentication |
- Domain Trust Policy | D3-DTP | Restricting inter-domain trust by modifying domain configuration. | |
- Strong Password Policy | D3-SPP | Modifying system configuration to increase password strength. | |
- User Account Permissions | D3-UAP | Restricting a user account's access to resources. | |
- Credential Rotation | D3-CRO | Expiring an existing set of credentials and reissuing a new valid set. | |
- Multi-factor Authentication | D3-MFA | Requiring proof of two or more pieces of evidence in order to authenticate a user. | |
- One-time Password | D3-OTP | A one-time password is valid for only one user authentication. | OTP |
Message Hardening | D3-MH | Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user-to-user computer messages. | Email Or Messaging Hardening |
- Transfer Agent Authentication | D3-TAAN | Validating that server components of a messaging infrastructure are authorized to send a particular message. | |
- Message Authentication | D3-MAN | Authenticating the sender of a message and ensuring message integrity. | |
- Message Encryption | D3-MENCR | Encrypting a message body using a cryptographic key. | |
Platform Hardening | D3-PH | Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as BIOS/UEFI subsystems, hardware security devices such as Trusted Platform Modules, boot process logic or code, and kernel software components. | Endpoint Hardening, System Hardening |
- Bootloader Authentication | D3-BA | Cryptographically authenticating the bootloader software before system boot. | Secure Boot |
- Disk Encryption | D3-DENCR | Encrypting a hard disk partition to prevent cleartext access to a file system. | |
- Driver Load Integrity Checking | D3-DLIC | Ensuring the integrity of drivers loaded during initialization of the operating system. | |
- File Encryption | D3-FE | Encrypting a file using a cryptographic key. | |
- RF Shielding | D3-RFS | Adding physical barriers to a platform to prevent undesired radio interference. | |
- Software Update | D3-SU | Replacing old software on a computer system component. | |
- System Configuration Permissions | D3-SCP | Restricting system configuration modifications to a specific user or group of users. | |
- TPM Boot Integrity | D3-TBI | Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM). | Static Root of Trust Measurement, STRM |
- Local File Permissions | D3-LFP | Restricting access to a local file by configuring operating system functionality. | |
D3FEND™
A knowledge graph of cybersecurity countermeasures