Harden
Definition
The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.
Techniques
There are 55 techniques in the Harden category.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Agent Authentication | D3-AA | Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system. | |
| - Token-based Authentication | D3-TBA | Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials. | |
| - Biometric Authentication | D3-BAN | Using biological measures in order to authenticate a user. | |
| - Password Authentication | D3-PWA | Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity. | |
| - Certificate-based Authentication | D3-CBAN | Requiring a digital certificate in order to authenticate a user. | |
| - Multi-factor Authentication | D3-MFA | Requiring proof of two or more pieces of evidence in order to authenticate a user. | |
| Application Hardening | D3-AH | Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary. | Process Hardening |
| - Dead Code Elimination | D3-DCE | Removing unreachable or "dead code" from compiled source code. | |
| - Disable Remote Access | D3-DRA | Limiting access to a computing device from or through networks the organization does not control, where such remote access is not required. | |
| - Process Segment Execution Prevention | D3-PSEP | Preventing execution of any address in a memory region other than the code segment. | Execute Disable, No Execute |
| - Segment Address Offset Randomization | D3-SAOR | Randomizing the base (start) address of one or more segments of memory during the initialization of a process. | ASLR, Address Space Layout Randomization |
| - Stack Frame Canary Validation | D3-SFCV | Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite. | |
| - Control Flow Integrity | D3-CFI | Enforcing legal control flow transfers during application process execution. | |
| - Application Configuration Hardening | D3-ACH | Modifying an application's configuration to reduce its attack surface. | |
| - Pointer Authentication | D3-PAN | Comparing the cryptographic hash or derivative of a pointer's value to an expected value. | |
| - Exception Handler Pointer Validation | D3-EHPV | Validates that a referenced exception handler pointer is a valid exception handler. | Exception Handler Validation |
| Credential Hardening | D3-CH | Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials. | |
| - Certificate Pinning | D3-CP | Persisting either a server's X.509 certificate or its public key and comparing it to the identity the server presents, giving the client greater confidence in the remote server's identity for TLS (SSL) connections. | |
| - Certificate Rotation | D3-CERO | Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications. | |
| - Token Binding | D3-TB | Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection. | |
| - Password Rotation | D3-PR | Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials. | |
| - Change Default Password | D3-CDP | Changing the default password means replacing the factory-set credentials with a strong, unique password before the device is deployed, preventing unauthorized access. | |
| - Strong Password Policy | D3-SPP | Modifying system configuration to increase password strength. | |
| - Credential Rotation | D3-CRO | Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access. | |
| - One-time Password | D3-OTP | A one-time password is valid for only one user authentication. | OTP |
| Message Hardening | D3-MH | The application of security controls to user-to-user and system-to-system communications so messages remain confidential, unaltered, and verifiable while resisting injection, replay, and tampering. | |
| - Transfer Agent Authentication | D3-TAAN | Validating that server components of a messaging infrastructure are authorized to send a particular message. | |
| - Message Encryption | D3-MENCR | Encrypting a message body using a cryptographic key. | |
| - Bus Message Authentication | D3-BMA | Applies cryptographic primitives to individual bus frames to verify the sender's identity and ensure the integrity of the data payload. | |
| - Message Authentication | D3-MAN | Authenticating the sender of a message and ensuring message integrity. | |
| Platform Hardening | D3-PH | Hardening components of a platform with the intention of making them more difficult to exploit. Platform components include: BIOS and UEFI subsystems; hardware security devices such as Trusted Platform Modules; boot process logic or code; and kernel software components. | System Hardening, Endpoint Hardening |
| - Software Update | D3-SU | Replacing old software on a computer system component. | |
| - Hardware-based Write Protection | D3-HBWP | Physical methods of preventing data from being written to computer storage. | |
| - RF Shielding | D3-RFS | Adding physical barriers to a platform to prevent undesired radio interference. | |
| - Physical Enclosure Hardening | D3-PEH | Physical changes to a computer enclosure which reduce the ability for agents or the environment to affect the contained computer system. | |
| - System Configuration Permissions | D3-SCP | Restricting system configuration modifications to a specific user or group of users. | |
| - Radiation Hardening | D3-RH | Radiation hardening is the process of making electronic components and circuits resistant to damage or malfunction caused by high levels of ionizing radiation. | |
| - File Encryption | D3-FE | Encrypting a file using a cryptographic key. | |
| - Disk Encryption | D3-DENCR | Encrypting a hard disk partition to prevent cleartext access to a file system. | |
| - Bootloader Authentication | D3-BA | Cryptographically authenticating the bootloader software before system boot. | Secure Boot |
| - TPM Boot Integrity | D3-TBI | Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust for Measurement (SRTM). | SRTM, Static Root of Trust for Measurement |
| - Electromagnetic Radiation Hardening | D3-EMH | The application of physical and material-level design measures to electronic systems, components, or facilities to reduce their susceptibility to damage or disruption from electromagnetic threats. | EM Hardening |
| - Driver Load Integrity Checking | D3-DLIC | Ensuring the integrity of drivers loaded during initialization of the operating system. | |
| Source Code Hardening | D3-SCH | Hardening source code with the intention of making it more difficult to exploit and less error prone. | |
| - Memory Block Start Validation | D3-MBSV | Ensuring that a pointer accurately references the beginning of a designated memory block. | |
| - Pointer Validation | D3-PV | Ensuring that a pointer variable has the required properties for use. | |
| - Domain Logic Validation | D3-DLV | Validation of variable state in the context of the domain application. | |
| - Operational Logic Validation | D3-OLV | Validation of variable state in the context of the control logic of the operational application. | |
| - Null Pointer Checking | D3-NPC | Checking if a pointer is NULL. | Nil Pointer Checking |
| - Variable Type Validation | D3-VTV | Ensuring that a variable has the correct type. | |
| - Variable Initialization | D3-VI | Setting variables to a known value before use. | |
| - Integer Range Validation | D3-IRV | Ensuring that an integer is within a valid range. | |
| - Credential Scrubbing | D3-CS | The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access. | |
| - Reference Nullification | D3-RN | Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation. | |
| - Trusted Library | D3-TL | A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific functions. These libraries are considered reliable and have been vetted for security vulnerabilities, ensuring they do not introduce risks into the application. | |
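Several of the Source Code Hardening techniques above (Null Pointer Checking, Integer Range Validation, Variable Initialization, Memory Block Start Validation and Reference Nullification) are easiest to see together on one small allocation API. The following C program is an added example, not code from the D3FEND knowledge base: the tagged-header layout, the `BLOCK_MAGIC` value and the `MAX_BLOCK_LEN` bound are assumptions chosen for the demonstration.

```c
/* Added example (not D3FEND code): a tagged-block API that applies several
 * D3FEND Source Code Hardening techniques. The header layout, BLOCK_MAGIC
 * and MAX_BLOCK_LEN are assumptions for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define BLOCK_MAGIC   0x4854424Cu  /* assumed tag marking a live block header */
#define MAX_BLOCK_LEN 4096u        /* assumed upper bound on a payload length */

/* Header stored directly before the payload the caller sees. The self field
 * lets block_header() confirm that a pointer is exactly the start of a block:
 * only header + sizeof(header) maps back to a header whose self points at
 * itself (Memory Block Start Validation, D3-MBSV). */
struct block_hdr {
    uint32_t magic;
    uint32_t len;
    struct block_hdr *self;
};

/* Integer Range Validation (D3-IRV): reject zero, oversized or wrapping
 * lengths before they reach the allocator. */
static int valid_len(size_t len) {
    if (len == 0 || len > MAX_BLOCK_LEN) return 0;
    if (len > SIZE_MAX - sizeof(struct block_hdr)) return 0; /* sum would wrap */
    return 1;
}

/* Allocate a tagged block, or return NULL on invalid input. calloc() gives
 * Variable Initialization (D3-VI): no stale heap bytes reach the caller. */
void *block_alloc(size_t len) {
    if (!valid_len(len)) return NULL;
    struct block_hdr *h = calloc(1, sizeof(*h) + len);
    if (h == NULL) return NULL;
    h->magic = BLOCK_MAGIC;
    h->len   = (uint32_t)len;
    h->self  = h;
    return (void *)(h + 1);
}

/* Null Pointer Checking (D3-NPC) plus Memory Block Start Validation: returns
 * the header only if p is non-NULL and is the first payload byte of a block. */
struct block_hdr *block_header(void *p) {
    if (p == NULL) return NULL;
    struct block_hdr *h = (struct block_hdr *)p - 1;
    if (h->magic != BLOCK_MAGIC || h->self != h) return NULL;
    return h;
}

/* Bounded copy into a block; n is range-checked against the recorded length.
 * Returns the number of bytes copied, or -1 on any rejected argument. */
int block_write(void *dst, const void *src, size_t n) {
    struct block_hdr *h = block_header(dst);
    if (h == NULL || src == NULL) return -1;
    if (n > h->len) return -1;               /* Integer Range Validation */
    memcpy(dst, src, n);
    return (int)n;
}

/* Reference Nullification (D3-RN): release the block and clear the caller's
 * pointer so the freed memory cannot be reached through it again. The header
 * tag is scrubbed before release so it no longer looks like a live block. */
int block_free(void **pp) {
    if (pp == NULL) return -1;
    struct block_hdr *h = block_header(*pp);
    if (h == NULL) return -1;
    h->magic = 0;
    h->self  = NULL;
    free(h);
    *pp = NULL;
    return 0;
}

int main(void) {
    void *b = block_alloc(32);                          /* constructed input */
    printf("start pointer accepted : %d\n", block_header(b) != NULL);
    printf("interior ptr rejected  : %d\n", block_header((char *)b + 8) == NULL);
    printf("oversize write rejected: %d\n", block_write(b, "hello", 33) == -1);
    printf("bounded write, bytes   : %d\n", block_write(b, "hello", 6));
    block_free(&b);
    printf("pointer nullified      : %d\n", b == NULL);
    printf("zero length rejected   : %d\n", block_alloc(0) == NULL);
    return 0;
}
```

The point of routing every access through `block_header()` is that an interior pointer, a NULL, or a pointer whose block was already released all fail the same check, so the later operations (`block_write`, `block_free`) never have to trust their caller. Validating the block start is what distinguishes D3-MBSV from plain Pointer Validation (D3-PV), which only asks whether the pointer has the properties needed for use.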
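Stack Frame Canary Validation (D3-SFCV, under Application Hardening) is defined above as comparing a value stored in the stack frame with a known good value to detect an overwrite. The C program below is an added example, not D3FEND's code, that makes the mechanism visible by hand: a guard word is placed directly above a fixed-size buffer, an unchecked copy is run beside a range-checked one, and the guard is compared before the function returns. The fixed `CANARY` value, the frame layout and the constructed inputs are assumptions for the demonstration; a real compiler-inserted canary is a per-process random value.

```c
/* Added example (not D3FEND code): a hand-rolled stack canary showing the
 * check behind D3-SFCV next to the bounds check that prevents the overrun.
 * CANARY, the frame layout and the inputs are assumptions for this demo. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_LEN 8

/* Real canaries are random per process; a constant keeps the demo deterministic. */
static const uint64_t CANARY = 0xDEADC0DE5AFEF00DULL;

/* The guard word sits immediately above the buffer, so a copy that runs past
 * name[] hits the canary before anything else in the frame. */
struct guarded_frame {
    char name[NAME_LEN];
    uint64_t canary;
};

/* Vulnerable form: the copy length is never checked against name[].
 * Returns 1 if the canary survived, 0 if the overrun clobbered it.
 * The copy is clamped to sizeof f only so the demo stays inside the object;
 * a real overrun has no such stop. */
int process_name_unsafe(const char *input, size_t n) {
    struct guarded_frame f;
    unsigned char *raw = (unsigned char *)&f;   /* byte view of the whole frame */
    f.canary = CANARY;
    if (input == NULL) return -1;
    if (n > sizeof f) n = sizeof f;
    memcpy(raw, input, n);                      /* bytes 8.. land on the canary */
    return f.canary == CANARY ? 1 : 0;          /* Stack Frame Canary Validation */
}

/* Hardened form: Integer Range Validation on n before the copy, so the canary
 * cannot be reached; the canary check stays as a backstop. Returns 1 when the
 * name was stored, -1 when the input was rejected, 0 if the guard was hit. */
int process_name_safe(const char *input, size_t n) {
    struct guarded_frame f;
    f.canary = CANARY;
    if (input == NULL || n >= NAME_LEN) return -1;   /* leave room for the NUL */
    memcpy(f.name, input, n);
    f.name[n] = '\0';
    return f.canary == CANARY ? 1 : 0;
}

int main(void) {
    /* Constructed inputs: a 3-byte name and a 12-byte run of 'A' that overruns
     * the 8-byte buffer by four bytes. */
    printf("unsafe, 3 bytes : canary intact = %d\n", process_name_unsafe("bob", 3));
    printf("unsafe, 12 bytes: canary intact = %d\n", process_name_unsafe("AAAAAAAAAAAA", 12));
    printf("safe,   12 bytes: result        = %d\n", process_name_safe("AAAAAAAAAAAA", 12));
    return 0;
}
```

In production this guard is inserted by the compiler rather than by hand (GCC and Clang: `-fstack-protector-strong`), which is why the table lists the technique as applicable at compile time; the failed comparison then aborts the process instead of returning a status. The check detects the overwrite after it has happened, so it pairs with the length validation shown in the hardened form rather than replacing it.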