To empower organizations in the fight against advanced persistent threats and sophisticated adversaries, SOAR platforms must evolve beyond the linear process of ingesting alerts and automating simple response actions. This is why D3 has fully embedded the MITRE ATT&CK framework into its SOAR platform and developed a solution for identifying and addressing the entire kill chain of a complex attack, not just the single alert that first surfaced it.
To give you a clear example of how D3’s MITRE ATT&CK correlation can transform security operations, in this post we’ll walk you through a phishing investigation and show you the impact of D3’s unique capabilities.
Investigating Phishing with ATT&CK Surveillance
Our hypothetical scenario takes place within a large company with 10,000 computers on its network. An external adversary sends a phishing email to 100 users on the network. These emails are flagged by the company's email security tool, which automatically generates 100 events in D3 SOAR. The investigator, a Tier 1 or 2 SOC analyst operating D3, must now determine which of the targeted computers, if any, have actually been compromised. In other words, who clicked the malicious link in the email.
When the 100 events are ingested into D3, the system automatically extracts all available indicators on both the adversary and the targets, including file hashes, IP addresses, sender addresses, URLs, hostnames, user IDs, and more. Those indicators are then added to the company's D3 database alongside the IOCs from all past events, so they can be matched against both historical and future activity.
The D3 operator then puts the set of extracted IOCs under kill chain surveillance. This means that D3 maps the adversary techniques observed in the event to the MITRE ATT&CK matrix (here, phishing as the initial access technique) and continuously queries the D3 database and the other integrated security tools for traces of the techniques that typically follow it. In this instance, D3 would search the targeted hosts for post-compromise activity such as credential dumping or querying the system registry, ignoring hosts that were never targeted and activity that predates the email. D3 then correlates the relevant events and narrows the 100 targeted computers down to the few that show follow-on behaviour and are therefore likely compromised.
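The surveillance-and-correlation step described above, shown as an added example of the generic logic rather than D3's own code (the page does not show D3's data model or API). Technique IDs are real MITRE ATT&CK identifiers; the hosts, users, sender, URL, hash, timestamps and the choice of follow-on techniques are constructed assumptions for the example:

```python
"""
Kill-chain correlation over constructed sample events.

Hosts that received the phishing email are put "under surveillance"; any
endpoint event on one of those hosts, within a window after the email,
whose ATT&CK technique is a typical post-initial-access step escalates
that host. Hosts that were never targeted, techniques outside the
follow-on set, and activity that predates the phish are all ignored.
"""
from datetime import datetime, timedelta

# Techniques an adversary commonly uses after a successful phish.
# Assumption: this list is the example author's choice, not a D3 setting.
FOLLOW_ON_TECHNIQUES = {
    "T1003": "OS Credential Dumping",
    "T1012": "Query Registry",
    "T1059": "Command and Scripting Interpreter",
    "T1547": "Boot or Logon Autostart Execution",
}

# Constructed sample: four of the 100 events raised by the email gateway.
PHISHING_EVENTS = [
    {"host": "WS-0017", "user": "a.lee", "sender": "billing@invoice-portal.example",
     "url": "hxxp://invoice-portal.example/view", "ts": "2023-05-02T08:14:00"},
    {"host": "WS-0042", "user": "m.garcia", "sender": "billing@invoice-portal.example",
     "url": "hxxp://invoice-portal.example/view", "ts": "2023-05-02T08:14:00"},
    {"host": "WS-0108", "user": "r.singh", "sender": "billing@invoice-portal.example",
     "url": "hxxp://invoice-portal.example/view", "ts": "2023-05-02T08:15:00"},
    {"host": "WS-0311", "user": "j.okafor", "sender": "billing@invoice-portal.example",
     "url": "hxxp://invoice-portal.example/view", "ts": "2023-05-02T08:15:00"},
]

# Constructed sample: ATT&CK-tagged events from an integrated EDR.
ENDPOINT_EVENTS = [
    {"host": "WS-0042", "technique": "T1012", "ts": "2023-05-02T10:03:00",
     "detail": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Services"},
    {"host": "WS-0042", "technique": "T1003", "ts": "2023-05-02T13:20:00",
     "detail": "LSASS memory read by unsigned binary"},
    # Same technique, but three days BEFORE the email: unrelated to this phish.
    {"host": "WS-0108", "technique": "T1003", "ts": "2023-04-29T09:00:00",
     "detail": "LSASS memory read by unsigned binary"},
    # Host was never targeted, so it is not under surveillance.
    {"host": "WS-0500", "technique": "T1003", "ts": "2023-05-02T11:00:00",
     "detail": "LSASS memory read by unsigned binary"},
    # Discovery technique not in the follow-on set for this playbook.
    {"host": "WS-0311", "technique": "T1082", "ts": "2023-05-02T09:30:00",
     "detail": "systeminfo.exe"},
]


def extract_iocs(events):
    """Collect every indicator type present in the gateway events."""
    iocs = {"host": set(), "user": set(), "sender": set(), "url": set()}
    for e in events:
        for kind in iocs:
            iocs[kind].add(e[kind])
    return iocs


def correlate(phishing_events, endpoint_events, window=timedelta(hours=48)):
    """Return {host: [(technique_id, name, ts), ...]} for surveilled hosts
    that show follow-on techniques within `window` after the phish."""
    first_seen = {}
    for e in phishing_events:
        t = datetime.fromisoformat(e["ts"])
        if e["host"] not in first_seen or t < first_seen[e["host"]]:
            first_seen[e["host"]] = t

    hits = {}
    for ev in endpoint_events:
        host, tid = ev["host"], ev["technique"]
        if host not in first_seen or tid not in FOLLOW_ON_TECHNIQUES:
            continue
        t = datetime.fromisoformat(ev["ts"])
        if not first_seen[host] <= t <= first_seen[host] + window:
            continue
        hits.setdefault(host, []).append((tid, FOLLOW_ON_TECHNIQUES[tid], ev["ts"]))

    for host in hits:
        hits[host].sort(key=lambda x: x[2])
    return hits


def ranked_hosts(hits):
    """Hosts ordered by number of distinct follow-on techniques, most first."""
    return sorted(hits, key=lambda h: -len({t[0] for t in hits[h]}))


if __name__ == "__main__":
    found = correlate(PHISHING_EVENTS, ENDPOINT_EVENTS)
    for host in ranked_hosts(found):
        print(host, [f"{tid} {name} @ {ts}" for tid, name, ts in found[host]])
```

Running it escalates only WS-0042: the registry query followed by an LSASS read inside the window is exactly the chain the surveillance is looking for, while the other three EDR events are correctly discarded for the reasons noted in the comments.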
Now that the D3 operator has compelling evidence of which computers may have been compromised, they escalate the case to their supervisor, a Tier 3 or 4 analyst with the authority to pull logs from the implicated computers. The senior analyst then uses D3 to pull and parse the logs from those hosts and finds confirmation of compromise.
It is worth noting that D3 can securely conduct the process of pulling and parsing logs from an employee's computer because its data access controls restrict that information to the authorized analysts on the case. Pulling raw endpoint logs into a general-purpose SIEM is not an appropriate substitute for this step: unless the SIEM enforces equally fine-grained, case-level access control, any personal data in those logs becomes searchable by everyone with access to the SIEM.
Now that the compromised computers have been identified, the D3 operator can trigger an automation-powered playbook that will orchestrate actions to remediate the threat.
As this example shows, D3 goes well beyond simply looking up adversary techniques in the MITRE framework. D3 has embedded the entire framework into the platform so that it can intervene proactively against an attack that is still in progress, rather than only classifying alerts after the fact. And because D3 automates the time-consuming tasks generally done by senior analysts, such as querying tools, finding correlations and pulling logs, it is the only SOAR platform designed to effectively support Tier 3 and 4 SOC analysts as well as Tier 1 and 2.