Querying RDF in Datomic to generate the D3FEND Matrix of Defensive Tactics

matrix.clj

;; rdfs:seeAlso https://github.com/aamedina/rdf

(let [results (d/q '[:find
                     (pull ?tactic [:db/ident])
                     (pull ?technique [:db/ident])
                     (pull ?subclass [:db/ident :d3f/definition])
                     :where
                     ;; Bind tactics with a direct slot of :d3f/enabled-by
                     [?tactic :mop/classDirectSlots :d3f/enabled-by]
                     ;; Bind only defensive tactics 
                     [?tactic :rdf/type :d3f/DefensiveTactic]
                     ;; The :owl/inverseOf is :d3f/enables
                     [?technique :d3f/enables ?tactic]
                     [?subclass :rdfs/subClassOf ?technique]]
                   (d/db (:db system)))]
  (doseq [[tactic techniques]
          (reduce (fn [m [tactic technique subclass]]
                    (assoc-in m [(:db/ident tactic)
                                 (:db/ident technique)
                                 (:db/ident subclass)]
                              (first (:d3f/definition subclass))))
                  {}
                  results)]
    (println "-------------------------")
    (println tactic)
    (println " " (rdf/get-doc (datafy tactic)))
    (doseq [[technique subclasses] techniques]
      (println "  -------------------------")
      (println "  "technique)
      (println "   " (rdf/get-doc (datafy technique)))
      (doseq [[subclass definition] subclasses]
        (println "    -------------------------")
        (println "    " subclass)
        (println "     " definition)))
    (newline)))

-------------------------
:d3f/Evict
  The eviction tactic is used to remove an adversary from a computer network.
  -------------------------
   :d3f/CredentialEviction
    Credential Eviction techniques disable or remove compromised credentials from a computer network.
    -------------------------
     :d3f/AccountLocking
      The process of temporarily disabling user accounts on a system or domain.
    -------------------------
     :d3f/AuthenticationCacheInvalidation
      Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.
    -------------------------
     :d3f/CredentialRevoking
      Deleting a set of credentials permanently to prevent them from being used to authenticate.
  -------------------------
   :d3f/FileEviction
    File eviction techniques evict files from system storage.
    -------------------------
     :d3f/EmailRemoval
      The email removal technique deletes email files from system storage.
    -------------------------
     :d3f/FileRemoval
      The file removal technique deletes malicious artifacts or programs from a computer system.
  -------------------------
   :d3f/ProcessEviction
    Process eviction techniques terminate or remove running process.
    -------------------------
     :d3f/ProcessSuspension
      Suspending a running process on a computer system.
    -------------------------
     :d3f/ProcessTermination
      Terminating a running application process on a computer system.

-------------------------
:d3f/Deceive
  The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment.
  -------------------------
   :d3f/DecoyObject
    A Decoy Object is created and deployed for the purposes of deceiving attackers.
    -------------------------
     :d3f/DecoyPublicRelease
      Issuing publicly released media to deceive adversaries.
    -------------------------
     :d3f/DecoyPersona
      Establishing a fake online identity to misdirect, deceive, and or interact with adversaries.
    -------------------------
     :d3f/DecoyFile
      A file created for the purposes of deceiving an adversary.
    -------------------------
     :d3f/DecoyNetworkResource
      Deploying a network resource for the purposes of deceiving an adversary.
    -------------------------
     :d3f/DecoyUserCredential
      A Credential created for the purpose of deceiving an adversary.
    -------------------------
     :d3f/DecoySessionToken
      An authentication token created for the purposes of deceiving an adversary.
  -------------------------
   :d3f/DecoyEnvironment
    A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.
    -------------------------
     :d3f/ConnectedHoneynet
      A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.
    -------------------------
     :d3f/StandaloneHoneynet
      An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.
    -------------------------
     :d3f/IntegratedHoneynet
      The practice of setting decoys in a production environment to entice interaction from attackers.

-------------------------
:d3f/Isolate
  The isolate tactic creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses.
  -------------------------
   :d3f/ExecutionIsolation
    Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.
    -------------------------
     :d3f/Hardware-basedProcessIsolation
      Preventing one process from writing to the memory space of another process through hardware based address manager implementations.
    -------------------------
     :d3f/MandatoryAccessControl
      Controlling access to local computer system resources with kernel-level capabilities.
    -------------------------
     :d3f/IOPortRestriction
      Limiting access to computer input/output (IO) ports to restrict unauthorized devices.
    -------------------------
     :d3f/ExecutableAllowlisting
      Using a digital signature to authenticate a file before opening.
    -------------------------
     :d3f/Kernel-basedProcessIsolation
      Using kernel-level capabilities to isolate processes.
    -------------------------
     :d3f/SystemCallFiltering
      Configuring a kernel to use an allow or deny list to filter kernel api calls.
    -------------------------
     :d3f/ExecutableDenylisting
      Blocking the execution of files on a host in accordance with defined application policy rules.
  -------------------------
   :d3f/NetworkIsolation
    Network Isolation techniques prevent network hosts from accessing non-essential system network resources.
    -------------------------
     :d3f/ForwardResolutionIPDenylisting
      Blocking a DNS lookup's answer's IP address value.
    -------------------------
     :d3f/DNSDenylisting
      Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.
    -------------------------
     :d3f/OutboundTrafficFiltering
      Restricting network traffic originating from a private host or enclave destined towards untrusted networks.
    -------------------------
     :d3f/ForwardResolutionDomainDenylisting
      Blocking a lookup based on the query's domain name value.
    -------------------------
     :d3f/BroadcastDomainIsolation
      Broadcast isolation restricts the number of computers a host can contact on their LAN.
    -------------------------
     :d3f/HomoglyphDenylisting
      Blocking DNS queries that are deceptively similar to legitimate domain names.
    -------------------------
     :d3f/NetworkTrafficFiltering
      Restricting network traffic originating from any location.
    -------------------------
     :d3f/InboundTrafficFiltering
      Restricting network traffic originating from untrusted networks destined towards a private host or enclave.
    -------------------------
     :d3f/HierarchicalDomainDenylisting
      Blocking the resolution of any subdomain of a specified domain name.
    -------------------------
     :d3f/ReverseResolutionDomainDenylisting
      Blocking a reverse DNS lookup's answer's domain name value.
    -------------------------
     :d3f/DNSAllowlisting
      Permitting only approved domains and their subdomains to be resolved.
    -------------------------
     :d3f/ReverseResolutionIPDenylisting
      Blocking a reverse lookup based on the query's IP address value.
    -------------------------
     :d3f/EmailFiltering
      Filtering incoming email traffic based on specific criteria.
    -------------------------
     :d3f/EncryptedTunnels
      Encrypted encapsulation of routable network traffic.

-------------------------
:d3f/Detect
  The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.
  -------------------------
   :d3f/FileAnalysis
    File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.
    -------------------------
     :d3f/EmulatedFileAnalysis
      Emulating instructions in a file looking for specific patterns.
    -------------------------
     :d3f/FileContentRules
      Employing a pattern matching rule language to analyze files.
    -------------------------
     :d3f/DynamicAnalysis
      Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.
    -------------------------
     :d3f/FileHashing
      Employing file hash comparisons to detect known malware.
  -------------------------
   :d3f/ProcessAnalysis
    Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.
    -------------------------
     :d3f/FileCreationAnalysis
      Analyzing the properties of file create system call invocations.
    -------------------------
     :d3f/ProcessSelf-ModificationDetection
      Detects processes that modify, change, or replace their own code at runtime.
    -------------------------
     :d3f/ShadowStackComparisons
      Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.
    -------------------------
     :d3f/ProcessCodeSegmentVerification
      Comparing the "text" or "code" memory segments to a source of truth.
    -------------------------
     :d3f/SystemCallAnalysis
      Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.
    -------------------------
     :d3f/ProcessSpawnAnalysis
      Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.
    -------------------------
     :d3f/IndirectBranchCallAnalysis
      Analyzing vendor specific branch call recording in order to detect ROP style attacks.
    -------------------------
     :d3f/ProcessLineageAnalysis
      Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.
    -------------------------
     :d3f/ScriptExecutionAnalysis
      Analyzing the execution of a script to detect unauthorized user activity.
    -------------------------
     :d3f/FileAccessPatternAnalysis
      Analyzing the files accessed by a process to identify unauthorized activity.
    -------------------------
     :d3f/DatabaseQueryStringAnalysis
      Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).
  -------------------------
   :d3f/UserBehaviorAnalysis
    User behavior analytics ("UBA") as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns-anomalies that indicate potential threats.' Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.
    -------------------------
     :d3f/UserGeolocationLogonPatternAnalysis
      Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
    -------------------------
     :d3f/LocalAccountMonitoring
      Analyzing local user accounts to detect unauthorized activity.
    -------------------------
     :d3f/AuthenticationEventThresholding
      Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
    -------------------------
     :d3f/SessionDurationAnalysis
      Analyzing the duration of user sessions in order to detect unauthorized  activity.
    -------------------------
     :d3f/ResourceAccessPatternAnalysis
      Analyzing the resources accessed by a user to identify unauthorized activity.
    -------------------------
     :d3f/WebSessionActivityAnalysis
      Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.
    -------------------------
     :d3f/UserDataTransferAnalysis
      Analyzing the amount of data transferred by a user.
    -------------------------
     :d3f/AuthorizationEventThresholding
      Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.
    -------------------------
     :d3f/JobFunctionAccessPatternAnalysis
      Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.
    -------------------------
     :d3f/DomainAccountMonitoring
      Monitoring the existence of or changes to Domain User Accounts.
    -------------------------
     :d3f/CredentialCompromiseScopeAnalysis
      Determining which credentials may have been compromised by analyzing the user logon history of a particular system.
  -------------------------
   :d3f/NetworkTrafficAnalysis
    Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.
    -------------------------
     :d3f/InboundSessionVolumeAnalysis
      Analyzing inbound network session or connection attempt volume.
    -------------------------
     :d3f/ProtocolMetadataAnomalyDetection
      Collecting network communication protocol metadata and identifying statistical outliers.
    -------------------------
     :d3f/FileCarving
      Identifying and extracting files from network application protocols through the use of network stream reassembly software.
    -------------------------
     :d3f/ActiveCertificateAnalysis
      Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.
    -------------------------
     :d3f/ConnectionAttemptAnalysis
      Analyzing failed connections in a network to detect unauthorized activity.
    -------------------------
     :d3f/AdministrativeNetworkActivityAnalysis
      Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.
    -------------------------
     :d3f/RPCTrafficAnalysis
      Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.
    -------------------------
     :d3f/ByteSequenceEmulation
      Analyzing sequences of bytes and determining if they likely represent malicious shellcode.
    -------------------------
     :d3f/RelayPatternAnalysis
      The detection of an internal host relaying traffic between the internal network and the external network.
    -------------------------
     :d3f/PerHostDownload-UploadRatioAnalysis
      Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.
    -------------------------
     :d3f/NetworkTrafficCommunityDeviation
      Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
    -------------------------
     :d3f/PassiveCertificateAnalysis
      Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.
    -------------------------
     :d3f/DNSTrafficAnalysis
      Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.
    -------------------------
     :d3f/Client-serverPayloadProfiling
      Comparing client-server request and response payloads to a baseline profile to identify outliers.
    -------------------------
     :d3f/CertificateAnalysis
      Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.
    -------------------------
     :d3f/RemoteTerminalSessionDetection
      Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.
    -------------------------
     :d3f/IPCTrafficAnalysis
      Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.
  -------------------------
   :d3f/PlatformMonitoring
    Monitoring platform components such as operating systems software, hardware devices, or firmware.
    -------------------------
     :d3f/SystemInitConfigAnalysis
      Analysis of any system process startup configuration.
    -------------------------
     :d3f/SystemDaemonMonitoring
      Tracking changes to the state or configuration of critical system level processes.
    -------------------------
     :d3f/ScheduledJobAnalysis
      Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.
    -------------------------
     :d3f/FirmwareBehaviorAnalysis
      Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.
    -------------------------
     :d3f/EndpointHealthBeacon
      Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
    -------------------------
     :d3f/UserSessionInitConfigAnalysis
      Analyzing modifications to user session config files such as .bashrc or .bash_profile.
    -------------------------
     :d3f/SystemFileAnalysis
      Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
    -------------------------
     :d3f/FirmwareEmbeddedMonitoringCode
      Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.
    -------------------------
     :d3f/InputDeviceAnalysis
      Operating system level mechanisms to prevent abusive input device exploitation.
    -------------------------
     :d3f/FirmwareVerification
      Cryptographically verifying firmware integrity.
    -------------------------
     :d3f/PeripheralFirmwareVerification
      Cryptographically verifying peripheral firmware integrity.
    -------------------------
     :d3f/FileIntegrityMonitoring
      Detecting any suspicious changes to files in a computer system.
    -------------------------
     :d3f/MemoryBoundaryTracking
      Analyzing a call stack for return addresses which point to unexpected  memory locations.
    -------------------------
     :d3f/ServiceBinaryVerification
      Analyzing changes in service binary files by comparing to a source of truth.
    -------------------------
     :d3f/OperatingSystemMonitoring
      The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.
    -------------------------
     :d3f/SystemFirmwareVerification
      Cryptographically verifying installed system firmware integrity.
  -------------------------
   :d3f/OperatingSystemMonitoring
    The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.
    -------------------------
     :d3f/SystemInitConfigAnalysis
      Analysis of any system process startup configuration.
    -------------------------
     :d3f/SystemDaemonMonitoring
      Tracking changes to the state or configuration of critical system level processes.
    -------------------------
     :d3f/ScheduledJobAnalysis
      Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.
    -------------------------
     :d3f/EndpointHealthBeacon
      Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.
    -------------------------
     :d3f/UserSessionInitConfigAnalysis
      Analyzing modifications to user session config files such as .bashrc or .bash_profile.
    -------------------------
     :d3f/SystemFileAnalysis
      Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
    -------------------------
     :d3f/InputDeviceAnalysis
      Operating system level mechanisms to prevent abusive input device exploitation.
    -------------------------
     :d3f/MemoryBoundaryTracking
      Analyzing a call stack for return addresses which point to unexpected  memory locations.
    -------------------------
     :d3f/ServiceBinaryVerification
      Analyzing changes in service binary files by comparing to a source of truth.
  -------------------------
   :d3f/IdentifierAnalysis
    Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.
    -------------------------
     :d3f/HomoglyphDetection
      Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.
    -------------------------
     :d3f/FileHashReputationAnalysis
      Analyzing the reputation of a file hash.
    -------------------------
     :d3f/DomainNameReputationAnalysis
      Analyzing the reputation of a domain name.
    -------------------------
     :d3f/IdentifierReputationAnalysis
      Analyzing the reputation of an identifier.
    -------------------------
     :d3f/IdentifierActivityAnalysis
      Taking known malicious identifiers and determining if they are present in a system.
    -------------------------
     :d3f/URLReputationAnalysis
      Analyzing the reputation of a URL.
    -------------------------
     :d3f/IPReputationAnalysis
      Analyzing the reputation of an IP address.
    -------------------------
     :d3f/URLAnalysis
      Determining if a URL is benign or malicious by analyzing the URL or its components.
  -------------------------
   :d3f/MessageAnalysis
    Analyzing email or instant message content to detect unauthorized activity.
    -------------------------
     :d3f/SenderReputationAnalysis
      Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).
    -------------------------
     :d3f/SenderMTAReputationAnalysis
      Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.

-------------------------
:d3f/Harden
  The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.
  -------------------------
   :d3f/PlatformHardening
    Hardening components of a Platform with the intention of making them more difficult to exploit.

Platforms includes components such as:
* BIOS UEFI Subsystems
* Hardware security devices such as Trusted Platform Modules
* Boot process logic or code
* Kernel software components
    -------------------------
     :d3f/RFShielding
      Adding physical barriers to a platform to prevent undesired radio interference.
    -------------------------
     :d3f/SystemConfigurationPermissions
      Restricting system configuration modifications to a specific user or group of users.
    -------------------------
     :d3f/DriverLoadIntegrityChecking
      Ensuring the integrity of drivers loaded during initialization of the operating system.
    -------------------------
     :d3f/LocalFilePermissions
      Restricting access to a local file by configuring operating system functionality.
    -------------------------
     :d3f/TPMBootIntegrity
      Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running.  Sometimes called Static Root of Trust Measurement (STRM).
    -------------------------
     :d3f/DiskEncryption
      Encrypting a hard disk partition to prevent cleartext access to a file system.
    -------------------------
     :d3f/SoftwareUpdate
      Replacing old software on a computer system component.
    -------------------------
     :d3f/BootloaderAuthentication
      Cryptographically authenticating the bootloader software before system boot.
    -------------------------
     :d3f/FileEncryption
      Encrypting a file using a cryptographic key.
  -------------------------
   :d3f/ApplicationHardening
    Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.
    -------------------------
     :d3f/DeadCodeElimination
      Removing unreachable or "dead code" from compiled source code.
    -------------------------
     :d3f/SegmentAddressOffsetRandomization
      Randomizing the base (start) address of one or more segments of memory during the initialization of a process.
    -------------------------
     :d3f/ApplicationConfigurationHardening
      Modifying an application's configuration to reduce its attack surface.
    -------------------------
     :d3f/ExceptionHandlerPointerValidation
      Validates that a referenced exception handler pointer is a valid exception handler.
    -------------------------
     :d3f/ProcessSegmentExecutionPrevention
      Preventing execution of any address in a memory region other than the code segment.
    -------------------------
     :d3f/StackFrameCanaryValidation
      Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.
    -------------------------
     :d3f/PointerAuthentication
      Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
  -------------------------
   :d3f/CredentialHardening
    Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.
    -------------------------
     :d3f/CredentialRotation
      Expiring an existing set of credentials and reissuing a new valid set
    -------------------------
     :d3f/StrongPasswordPolicy
      Modifying system configuration to increase password strength.
    -------------------------
     :d3f/Certificate-basedAuthentication
      Requiring a digital certificate in order to authenticate a user.
    -------------------------
     :d3f/Multi-factorAuthentication
      Requiring proof of two or more pieces of evidence in order to authenticate a user.
    -------------------------
     :d3f/CredentialTransmissionScoping
      Limiting the transmission of a credential to a scoped set of relying parties.
    -------------------------
     :d3f/CertificatePinning
      Persisting either a server's X509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.
    -------------------------
     :d3f/UserAccountPermissions
      Restricting a user account's access to resources.
    -------------------------
     :d3f/One-timePassword
      A one-time password is valid for only one user authentication.
    -------------------------
     :d3f/BiometricAuthentication
      Using biological measures in order to authenticate a user.
    -------------------------
     :d3f/DomainTrustPolicy
      Restricting inter-domain trust by modifying domain configuration.
  -------------------------
   :d3f/MessageHardening
    Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages.
    -------------------------
     :d3f/MessageEncryption
      Encrypting a message body using a cryptographic key.
    -------------------------
     :d3f/TransferAgentAuthentication
      Validating that server components of a messaging infrastructure are authorized to send a particular message.
    -------------------------
     :d3f/MessageAuthentication
      Authenticating the sender of a message and ensuring message integrity.

-------------------------
:d3f/Model
  The model tactic is used to apply security engineering, vulnerability, threat, and risk analyses to digital systems. This is accomplished by creating and maintaining a common understanding of the systems being defended, the operations on those systems, actors using the systems, and the relationships and interactions between these elements.
  -------------------------
   :d3f/SystemMapping
    System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.
    -------------------------
     :d3f/SystemDependencyMapping
      System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.
    -------------------------
     :d3f/ServiceDependencyMapping
      Service dependency mapping determines the services on which each given service relies.
    -------------------------
     :d3f/DataExchangeMapping
      Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.
    -------------------------
     :d3f/SystemVulnerabilityAssessment
      System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.
  -------------------------
   :d3f/NetworkMapping
    Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.
    -------------------------
     :d3f/PassiveLogicalLinkMapping
      Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.
    -------------------------
     :d3f/ActivePhysicalLinkMapping
      Active physical link mapping sends and receives network traffic as a means to map the physical layer.
    -------------------------
     :d3f/NetworkTrafficPolicyMapping
      Network traffic policy mapping identifies and models the allowed pathways of data at the network, tranport, and/or application levels.
    -------------------------
     :d3f/LogicalLinkMapping
      Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.
    -------------------------
     :d3f/PhysicalLinkMapping
      Physical link mapping identifies and models the link connectivity of the network devices within a physical network.
    -------------------------
     :d3f/ActiveLogicalLinkMapping
      Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection
    -------------------------
     :d3f/PassivePhysicalLinkMapping
      Passive physical link mapping only listens to network traffic as a means to map the physical layer.
    -------------------------
     :d3f/NetworkVulnerabilityAssessment
      Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.
  -------------------------
   :d3f/AssetInventory
    Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.
    -------------------------
     :d3f/SoftwareInventory
      Software inventorying identifies and records the software items in the organization's architecture.
    -------------------------
     :d3f/NetworkNodeInventory
      Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.
    -------------------------
     :d3f/HardwareComponentInventory
      Hardware component inventorying identifies and records the hardware items in the organization's architecture.
    -------------------------
     :d3f/ConfigurationInventory
      Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.
    -------------------------
     :d3f/AssetVulnerabilityEnumeration
      Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.
    -------------------------
     :d3f/DataInventory
      Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.
  -------------------------
   :d3f/OperationalActivityMapping
    Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.
    -------------------------
     :d3f/OperationalDependencyMapping
      Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.)  This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.
    -------------------------
     :d3f/OperationalRiskAssessment
      Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.
    -------------------------
     :d3f/AccessModeling
      Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems.
    -------------------------
     :d3f/OrganizationMapping
      Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.