Mapping: Nexus SecOps ↔ MITRE ATT&CK / D3FEND
This document maps Nexus SecOps detection and response controls to MITRE ATT&CK tactics/techniques (offensive) and D3FEND countermeasures (defensive).
ATT&CK Tactic Coverage by Nexus SecOps Domain
| ATT&CK Tactic | ID | Primary Nexus SecOps Domain | Key Controls |
|---|---|---|---|
| Reconnaissance | TA0043 | CTI, DET | Nexus SecOps-082, Nexus SecOps-089 |
| Resource Development | TA0042 | CTI | Nexus SecOps-082, Nexus SecOps-083 |
| Initial Access | TA0001 | DET, TEL | Nexus SecOps-031, Nexus SecOps-012, Nexus SecOps-138 |
| Execution | TA0002 | DET, END | Nexus SecOps-031, Nexus SecOps-140, Nexus SecOps-141 |
| Persistence | TA0003 | DET, END | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-142 |
| Privilege Escalation | TA0004 | DET, IAM | Nexus SecOps-031, Nexus SecOps-116, Nexus SecOps-044 |
| Defense Evasion | TA0005 | DET, END | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-143 |
| Credential Access | TA0006 | DET, IAM | Nexus SecOps-031, Nexus SecOps-048, Nexus SecOps-112 |
| Discovery | TA0007 | DET, TEL | Nexus SecOps-031, Nexus SecOps-044 |
| Lateral Movement | TA0008 | DET, TEL | Nexus SecOps-031, Nexus SecOps-046, Nexus SecOps-064 |
| Collection | TA0009 | DET, CLD | Nexus SecOps-031, Nexus SecOps-049, Nexus SecOps-126 |
| Command and Control | TA0011 | DET, TEL | Nexus SecOps-031, Nexus SecOps-013, Nexus SecOps-046 |
| Exfiltration | TA0010 | DET, CLD | Nexus SecOps-031, Nexus SecOps-049, Nexus SecOps-127 |
| Impact | TA0040 | DET, INC | Nexus SecOps-031, Nexus SecOps-066, Nexus SecOps-070 |
Key Technique Mappings
Initial Access (TA0001)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Phishing | T1566 | Nexus SecOps-012, Nexus SecOps-031, Nexus SecOps-083 | Nexus SecOps-070, Nexus SecOps-106 |
| Valid Accounts | T1078 | Nexus SecOps-011, Nexus SecOps-048, Nexus SecOps-116 | Nexus SecOps-115, Nexus SecOps-106 |
| Exploit Public-Facing Application | T1190 | Nexus SecOps-031, Nexus SecOps-151, Nexus SecOps-153 | Nexus SecOps-070, Nexus SecOps-154 |
| Supply Chain Compromise | T1195 | Nexus SecOps-151, Nexus SecOps-204 | Nexus SecOps-070, Nexus SecOps-080 |
| Drive-by Compromise | T1189 | Nexus SecOps-013, Nexus SecOps-031 | Nexus SecOps-070 |
Execution (TA0002)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Command and Scripting Interpreter | T1059 | Nexus SecOps-010, Nexus SecOps-031, Nexus SecOps-140 | Nexus SecOps-070, Nexus SecOps-137 |
| Scheduled Task/Job | T1053 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-070 |
| User Execution | T1204 | Nexus SecOps-010, Nexus SecOps-031 | Nexus SecOps-106 |
| System Services | T1569 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-070 |
Persistence (TA0003)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Registry Run Keys / Startup Folder | T1547.001 | Nexus SecOps-010, Nexus SecOps-031 | Nexus SecOps-070 |
| Scheduled Task/Job | T1053 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-070 |
| Create or Modify System Process | T1543 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-070 |
| Account Manipulation | T1098 | Nexus SecOps-011, Nexus SecOps-031, Nexus SecOps-048 | Nexus SecOps-115 |
| Boot or Logon Autostart Execution | T1547 | Nexus SecOps-031, Nexus SecOps-136 | Nexus SecOps-070 |
Privilege Escalation (TA0004)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Access Token Manipulation | T1134 | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-116 | Nexus SecOps-115 |
| Process Injection | T1055 | Nexus SecOps-031, Nexus SecOps-140 | Nexus SecOps-070 |
| Exploitation for Privilege Escalation | T1068 | Nexus SecOps-031, Nexus SecOps-151 | Nexus SecOps-070 |
| Sudo and Sudo Caching | T1548.003 | Nexus SecOps-031, Nexus SecOps-048 | Nexus SecOps-115 |
Defense Evasion (TA0005)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Indicator Removal | T1070 | Nexus SecOps-005, Nexus SecOps-031 | Nexus SecOps-071 |
| Masquerading | T1036 | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-140 | Nexus SecOps-070 |
| Obfuscated Files or Information | T1027 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-070 |
| Modify Registry | T1112 | Nexus SecOps-010, Nexus SecOps-031 | Nexus SecOps-070 |
| Process Injection | T1055 | Nexus SecOps-031, Nexus SecOps-140 | Nexus SecOps-070 |
Credential Access (TA0006)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| OS Credential Dumping | T1003 | Nexus SecOps-031, Nexus SecOps-048, Nexus SecOps-140 | Nexus SecOps-115, Nexus SecOps-070 |
| Brute Force | T1110 | Nexus SecOps-011, Nexus SecOps-031, Nexus SecOps-048 | Nexus SecOps-115, Nexus SecOps-106 |
| Steal or Forge Kerberos Tickets | T1558 | Nexus SecOps-011, Nexus SecOps-031, Nexus SecOps-048 | Nexus SecOps-115 |
| Adversary-in-the-Middle | T1557 | Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070 |
| Multi-Factor Authentication Request Generation | T1621 | Nexus SecOps-011, Nexus SecOps-031, Nexus SecOps-113 | Nexus SecOps-115 |
Lateral Movement (TA0008)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Remote Services | T1021 | Nexus SecOps-001, Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070, Nexus SecOps-106 |
| Use Alternate Authentication Material | T1550 | Nexus SecOps-011, Nexus SecOps-031 | Nexus SecOps-115 |
| Exploitation of Remote Services | T1210 | Nexus SecOps-031, Nexus SecOps-151 | Nexus SecOps-070 |
| Lateral Tool Transfer | T1570 | Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070 |
Command and Control (TA0011)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Application Layer Protocol | T1071 | Nexus SecOps-013, Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070, Nexus SecOps-106 |
| Encrypted Channel | T1573 | Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070 |
| Ingress Tool Transfer | T1105 | Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070 |
| DNS | T1071.004 | Nexus SecOps-013, Nexus SecOps-031 | Nexus SecOps-070 |
| Web Service | T1102 | Nexus SecOps-031, Nexus SecOps-046, Nexus SecOps-083 | Nexus SecOps-070 |
Exfiltration (TA0010)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Exfiltration Over Web Service | T1567 | Nexus SecOps-031, Nexus SecOps-049, Nexus SecOps-127 | Nexus SecOps-070, Nexus SecOps-106 |
| Exfiltration Over C2 Channel | T1041 | Nexus SecOps-031, Nexus SecOps-046 | Nexus SecOps-070 |
| Data Transfer Size Limits | T1030 | Nexus SecOps-031, Nexus SecOps-127 | Nexus SecOps-070 |
| Automated Exfiltration | T1020 | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-127 | Nexus SecOps-070 |
Impact (TA0040)
| Technique | ID | Detection Controls | Response Controls |
|---|---|---|---|
| Data Encrypted for Impact | T1486 | Nexus SecOps-031, Nexus SecOps-140, Nexus SecOps-044 | Nexus SecOps-066, Nexus SecOps-070 |
| Inhibit System Recovery | T1490 | Nexus SecOps-031, Nexus SecOps-136 | Nexus SecOps-066, Nexus SecOps-080 |
| Service Stop | T1489 | Nexus SecOps-031, Nexus SecOps-044 | Nexus SecOps-066, Nexus SecOps-070 |
| Defacement | T1491 | Nexus SecOps-031 | Nexus SecOps-070, Nexus SecOps-080 |
| Disk Wipe | T1561 | Nexus SecOps-031, Nexus SecOps-136 | Nexus SecOps-066, Nexus SecOps-071 |
D3FEND Countermeasure Mapping
MITRE D3FEND provides a taxonomy of defensive techniques, organised by category (Harden, Detect, Isolate, Deceive, Evict, Restore). Key Nexus SecOps control alignments:
| D3FEND Category | D3FEND Technique | Nexus SecOps Controls |
|---|---|---|
| Harden | Application Hardening | Nexus SecOps-136, Nexus SecOps-137, Nexus SecOps-153 |
| Harden | Credential Hardening | Nexus SecOps-111, Nexus SecOps-112, Nexus SecOps-113 |
| Harden | Message Hardening | Nexus SecOps-012, Nexus SecOps-003 |
| Harden | Network Hardening | Nexus SecOps-121, Nexus SecOps-122 |
| Harden | Platform Hardening | Nexus SecOps-136, Nexus SecOps-151 |
| Detect | File Analysis | Nexus SecOps-031, Nexus SecOps-140 |
| Detect | Identifier Analysis | Nexus SecOps-018, Nexus SecOps-019, Nexus SecOps-083 |
| Detect | Network Traffic Analysis | Nexus SecOps-001, Nexus SecOps-031, Nexus SecOps-046 |
| Detect | Platform Monitoring | Nexus SecOps-010, Nexus SecOps-031, Nexus SecOps-044 |
| Detect | Process Analysis | Nexus SecOps-031, Nexus SecOps-140 |
| Detect | User Behavior Analysis | Nexus SecOps-044, Nexus SecOps-049, Nexus SecOps-119 |
| Isolate | Network Isolation | Nexus SecOps-070, Nexus SecOps-106, Nexus SecOps-122 |
| Isolate | Execution Isolation | Nexus SecOps-136, Nexus SecOps-137 |
| Deceive | Decoy Environment | Nexus SecOps-031 (honeypot detection) |
| Evict | Credential Eviction | Nexus SecOps-070, Nexus SecOps-106, Nexus SecOps-115 |
| Evict | Process Eviction | Nexus SecOps-070, Nexus SecOps-106 |
| Restore | Backup | Nexus SecOps-080 |
| Restore | Restore | Nexus SecOps-066, Nexus SecOps-080 |
ATT&CK Coverage by Nexus SecOps Maturity Level
| Maturity Level | Expected ATT&CK Coverage | Primary Nexus SecOps Controls Achieved |
|---|---|---|
| Level 1 | <30% — basic perimeter only | Nexus SecOps-001–003, 031 (basic) |
| Level 2 | 30–50% — endpoint + network | Nexus SecOps-010, 031, 046, 048 |
| Level 3 | 50–70% — broad coverage | Nexus SecOps-031, 044, 046, 048, 049 |
| Level 4 | 70–85% — comprehensive | Nexus SecOps-031, 044, 046, 048, 049, 050 |
| Level 5 | >85% — optimized, purple-team validated | All DET controls at Level 4+ |
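The technique tables above and the maturity table are only useful once they are turned into numbers: which techniques have at least one deployed detection control, where the gaps sit per tactic, and which missing control would close the most of them. The script below is an added example, not Nexus SecOps tooling or text from this page. It embeds a hand-copied subset of the technique rows above (control IDs abbreviated to their numeric suffix), takes a hypothetical DEPLOYED control set, and emits per-tactic coverage, a ranked list of gap-closing controls, and an ATT&CK Navigator layer (layer format 4.5). The 0–3 scoring scheme is this example's own choice, not a Nexus SecOps definition.

```python
"""Compute ATT&CK coverage from the Nexus SecOps control mapping and emit a
Navigator layer. Added example; MAPPING is a hand-copied subset of the tables
on this page, DEPLOYED is an invented control set for illustration."""
import json
from collections import defaultdict

# (tactic, technique ID, name, detection controls, response controls) -- subset of the page's tables.
MAPPING = [
    ("TA0001", "T1566", "Phishing", {"012", "031", "083"}, {"070", "106"}),
    ("TA0001", "T1078", "Valid Accounts", {"011", "048", "116"}, {"115", "106"}),
    ("TA0001", "T1190", "Exploit Public-Facing Application", {"031", "151", "153"}, {"070", "154"}),
    ("TA0002", "T1059", "Command and Scripting Interpreter", {"010", "031", "140"}, {"070", "137"}),
    ("TA0003", "T1547.001", "Registry Run Keys / Startup Folder", {"010", "031"}, {"070"}),
    ("TA0006", "T1003", "OS Credential Dumping", {"031", "048", "140"}, {"115", "070"}),
    ("TA0008", "T1021", "Remote Services", {"001", "031", "046"}, {"070", "106"}),
    ("TA0011", "T1071.004", "DNS", {"013", "031"}, {"070"}),
    ("TA0010", "T1567", "Exfiltration Over Web Service", {"031", "049", "127"}, {"070", "106"}),
    ("TA0040", "T1486", "Data Encrypted for Impact", {"031", "140", "044"}, {"066", "070"}),
]

# Hypothetical deployed Nexus SecOps controls: roughly the Level 2 set from the
# maturity table, deliberately without 031 so that gaps are visible.
DEPLOYED = {"010", "011", "046", "048", "070", "115"}


def score_technique(detect, respond, deployed):
    """0 = no deployed detection control; 1 = one; 2 = two or more;
    +1 when a response control is also deployed. Example's own scheme."""
    det = len(detect & deployed)
    score = min(det, 2)
    if det and respond & deployed:
        score += 1
    return score


def coverage(mapping, deployed):
    """Per-tactic [covered, total] counts and overall percentage. A technique is
    covered only when at least one of its detection controls is deployed."""
    per_tactic = defaultdict(lambda: [0, 0])
    for tactic, _tid, _name, detect, _respond in mapping:
        per_tactic[tactic][1] += 1
        if detect & deployed:
            per_tactic[tactic][0] += 1
    covered = sum(c for c, _ in per_tactic.values())
    total = sum(t for _, t in per_tactic.values())
    pct = round(100.0 * covered / total, 1) if total else 0.0
    return dict(per_tactic), pct


def missing_controls(mapping, deployed):
    """Detection controls ranked by how many currently uncovered techniques
    each one would cover if deployed (ties broken by control ID)."""
    gain = defaultdict(int)
    for _tactic, _tid, _name, detect, _respond in mapping:
        if not detect & deployed:
            for control in detect:
                gain[control] += 1
    return sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))


def navigator_layer(mapping, deployed, name="Nexus SecOps coverage"):
    """Build an ATT&CK Navigator layer with one scored entry per technique."""
    techniques = []
    for _tactic, tid, _name, detect, respond in mapping:
        techniques.append({
            "techniqueID": tid,
            "score": score_technique(detect, respond, deployed),
            "comment": ("detect: " + ", ".join(sorted(detect & deployed))
                        + "; respond: " + ", ".join(sorted(respond & deployed))),
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b1ff", "#003f7f"], "minValue": 0, "maxValue": 3},
    }


if __name__ == "__main__":
    per_tactic, pct = coverage(MAPPING, DEPLOYED)
    for tactic, (c, t) in sorted(per_tactic.items()):
        print(f"{tactic}: {c}/{t}")
    print(f"overall: {pct}%")
    print("controls closing the most gaps:", missing_controls(MAPPING, DEPLOYED)[:3])
    print(json.dumps(navigator_layer(MAPPING, DEPLOYED), indent=2))
```

With the constructed DEPLOYED set the subset comes out at 50% coverage, and Nexus SecOps-031 ranks first as the control that would close five of the five remaining gaps, which is exactly what its presence in nearly every row above predicts. The JSON can be loaded through the Navigator's "Open Existing Layer" option; the same functions work unchanged on the full table once every row is transcribed.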
See the Detection Engineering chapter for implementation guidance. References: MITRE ATT&CK | MITRE D3FEND