How to Leverage MITRE ATT&CK in Your Security Operations with D3 SOAR

By Walker Banerd September 27, 2019 security-orchestration-automation-response

The MITRE ATT&CK matrix has gained widespread recognition in the security industry for its valuable data on adversary groups, and the tactics and techniques they use to target organizations. However, there is a gap between recognizing the value of this data and being able to leverage it for improved security operations. D3’s ATTACKBOT is the previously missing piece that makes ATT&CK data actionable.

ATTACKBOT is much more than just searching the ATT&CK matrix to identify the attack techniques in your security events. It is a completely new way to approach SOAR, where events are organized into the kill chain of an attack, enriched with contextual data, correlated with related events, and monitored in real-time from D3’s kill-chain-based interface.

D3’s ATTACKBOT is a uniquely powerful tool for automation-powered incident response and is highly effective against common attack types like phishing. But there are myriad other ways in which D3 can help you bring the power of MITRE ATT&CK into your security operations. Here are 4 advanced use-cases for MITRE ATT&CK + D3 SOAR.

 

1. Targeting the Techniques Used by Your Adversaries

MITRE catalogues techniques, tactics, and the adversary groups that are known to use them. This adversary-specific data is extremely valuable for allocating security resources to mitigate your most likely risks, especially if you are in a vertical that is commonly targeted by sophisticated adversaries, such as finance, healthcare, or energy. But this data is hard to make actionable without a tool like D3.

 D3 enables you to search the groups you are most concerned about and see their commonly used tactics and techniques. You can then flag those techniques for immediate attention when they are detected in your environment. D3’s link analysis tool can work in the opposite direction to show you what groups are associated with a tactic or technique that has been detected.

 

2. Tracking Attack Patterns

Even when you know what patterns of attack to be on the lookout for—such as in the previous example—it can be difficult to effectively detect those patterns. Many attack patterns will require logging of data from numerous sources, as well as the detection of behaviors that will not appear malicious out of context.

With D3, you can take all the IOCs of an attack pattern and search for correlations. Playbooks can also be run to search for specific attack patterns. Because of D3’s ability to aggregate data from across your environment, including logs from selected endpoints, these searches give you the ability to effectively monitor your environment for subtle traces of high-risk attack patterns.

 

3. Persistent Observation of IOCs

During an incident like a phishing attempt, many users are likely to be targeted. Using D3’s MITRE-based correlations, you can determine which users were targeted, and then narrow that set down further to which users may have been compromised. Closer investigation should confirm which users were compromised and which were not, based on evidence of further steps in the phishing kill chain. However, it is also possible that the adversary has compromised the user’s ID but has not yet taken further action. They could be doing this deliberately to avoid detection. For some types of IOCs, it’s easy enough to err on the side of caution and take action, but it’s very inconvenient to deactivate a user ID, so you might be less likely to take that action without good cause.

That’s why using MITRE ATT&CK to inform persistent observation of IOCs is so valuable. Using D3, you can place IOCs under kill chain surveillance, so that when any related MITRE technique surfaces, you’ll immediately know about it. You can even trigger automated actions, such as deactivating the user, if the next step in the kill chain is detected.

 

4. Gap Analysis

We did an entire post on using D3 ATTACKBOT for gap analysis, which you can read for more detail, but here’s a quick overview. D3’s reimagined SOAR 2.0 interface provides a home screen where analysts can immediately see the frequency at which every attack technique is being detected in your environment. Attack trends can also be easily translated into reports.

This creates a clear picture of what the most significant threats you are facing are, what root causes are creating vulnerabilities, and where your current security strategy is working effectively. You can use this analysis to effectively allocate resources, orchestrate rule changes across your tools, and assign tasks to relevant personnel—all from the D3 interface.

D3 has operationalized the MITRE ATT&CK matrix, taking a goldmine of granular attack intelligence and giving security teams a way to put it into action. To learn more about how D3 is using MITRE ATT&CK to lead the evolution of SOAR, check out our SOAR 2.0 whitepaper.

Or, if you’re ready to see D3’s SOAR 2.0 in action, schedule a demo today.

Walker Banerd

Walker Banerd

Walker is the Communications Manager at D3. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.


Comments

comments for this post are closed