It is widely agreed upon in the security world that the MITRE ATT&CK Framework is a valuable tool for security teams to wield in their never-ending fight against sophisticated adversaries. Among other benefits, ATT&CK brings “behavior-based” (as opposed to “signature-based”) detection into the SOC. This is a crucial shift because while an adversary can easily change the signatures associated with their methods, changing their behaviors to avoid detection forces them to rethink their attack playbooks from scratch.
When one considers the consensus around the value of MITRE, the number of organizations that have fully implemented ATT&CK into their security operations is still relatively low. This is largely because of a few common obstacles. In this article, we’ll describe three of these obstacles and talk about how D3 is helping organizations overcome them with D3 SOAR 2.0: the only SOAR platform with a fully built-in MITRE ATT&CK Matrix.
“We Don’t Have Enough Internal Expertise Regarding MITRE”
Knowledge of the value of ATT&CK doesn’t necessarily equate to the knowledge it takes to implement it effectively. The analysts we’ve talked to have told us that lots of security teams struggle to meaningfully use ATT&CK because they don’t have enough internal experience on the subject. One example of the challenges security teams face is threat modelling. To prioritize their detection and response efforts, security teams need to determine their key assets, understand what TTPs (techniques, tactics, and procedures) from the ATT&CK Matrix represent the biggest risks, and figure out which data sources can cover the most important TTPs.
Because D3 has built ATT&CK into its platform, it greatly reduces the level of user expertise that is required. D3’s Monitor Module displays the entire ATT&CK Matrix, showing the frequency with which each TTP has been detected in your system, quickly creating a picture of your most pressing threats. D3 also makes it easy to tag artifacts as critical assets, to trigger specialized responses and influence automated risk scores.
D3 further helps promote internal expertise by providing detailed definitions of every technique, right down to the exact MITRE search strings, and making them visible to analysts with a single click. At the incident level, D3 shows the kill chain of the attack mapped across the ATT&CK Matrix, so the analyst can understand the relationships between TTPs without the need for any prior knowledge.
“We Don’t Have the Time and Resources to Categorize and Correlate Incidents”
Even when security teams are committed to using ATT&CK to categorize events, the process of manually correlating events against TTP criteria is time-consuming and difficult. The process involves pulling logs from a SIEM, endpoints, and more, to confirm the use of a TTP. It’s even more difficult when the TTP involves a string of seemingly legitimate tasks that are only suspicious when they happen in a parent-child relationship.
D3 categorizes and correlates against ATT&CK automatically. It doesn’t rely on other tools to tag events with TTPs, and users don’t need to script anything themselves. Because D3 integrates across your entire security infrastructure, it can easily pull all the data that is necessary to make intelligent correlations, identify related events, and build out the kill chain of the attack.
“We Can’t Afford to Replace or Reconfigure our Tools to Work with ATT&CK”
Changing the framework you use for your security operations is a difficult project to get off the ground, because the effects ripple out across your entire infrastructure. Some tools offer basic tagging of ATT&CK TTPs, but to create a holistic system that leverages MITRE, all of your security tools would need to be replaced with tools that have that tagging feature, or reconfigured with rules that can capture ATT&CK criteria.
Implementing D3 allows you to bypass this difficulty by filtering all events from your entire infrastructure through a single system that correlates and analyzes them for ATT&CK TTPs and orchestrates the necessary data gathering and action automation. Every event ingested into D3 is correlated against ATT&CK by D3 itself, not the detection tool, so you can use the ATT&CK framework for every event without replacing or reconfiguring any of your existing tools. Best of all, D3 comes configured for MITRE categorization and correlation right out of the box.
To learn more about how D3 integrates MITRE ATT&CK into SOAR, check out our SOAR Product Guide.