Vancouver, BC — April 10, 2024 — D3 Security, the leader in smart security orchestration, automation, and response (SOAR), today published In the Wild 2024, the first in a series of reports that analyzes real-world cybersecurity data and provides incident response workflows for the most prevalent threats. For this report, D3 tracked MITRE ATT&CK techniques across tens of thousands of security incidents to determine the 10 most frequently used adversary techniques. The most detected technique was Command and Scripting Interpreter, which was found in more than 50% of the incidents.
The research was conducted by D3 Labs, D3’s internal team dedicated to deep research into cybersecurity threats and creating innovative solutions to the challenges they pose. D3 Labs’ research is the basis for threat profiles, detections, stack-specific playbooks, and other valuable assets for D3 Smart SOAR users.
“Understanding what attacker techniques you are most likely to come up against is important, but you also need to know how to respond to those threats,” said Adrianna Chen, VP of Product and Service at D3 Security. “That’s why our report includes sample playbooks for each of the top 10 techniques, providing practical resources that security teams can immediately put to use.”
The data for In the Wild 2024 was collected, in collaboration with a subset of users, through D3 Smart SOAR, which integrates with hundreds of other tools and captures MITRE ATT&CK TTP information from ingested alerts. This makes it uniquely situated to track comprehensive data about what attacker techniques security teams are facing.
With incident response workflows for the top 10 ATT&CK techniques, In the Wild 2024 is an invaluable asset for security teams that want to more effectively allocate resources to mitigate the most common threats.
The entire report can be downloaded for free from D3’s Resource Hub.
Research Methodology and Results
D3 Labs reviewed 75,331 incidents that occurred between January and December of 2023. The sources for the incidents included endpoint detection and response, email services, security information and event management, and network security tools.
The top 10 MITRE ATT&CK techniques were:
- Execution: Command and Scripting Interpreter (52.2%)
- Initial Access: Phishing (15.44%)
- Credential Access: Unmapped (3.8%)
- Initial Access: Valid Accounts (3.47%)
- Initial Access: Spearphishing (2.57%)
- Initial Access: Unmapped (2.55%)
- Credential Access: Brute Force (2.05%)
- Persistence: Unmapped (1.62%)
- Credential Access: OS Credential Dumping (1.37%)
- Persistence: Account Manipulation (1.34%)
13.56% of incidents involved other techniques or did not involve a known technique.
Key Findings
Key Finding #1: Adversaries Rely on Established Techniques. The report indicates a significant reliance on established attack methods such as command and scripting interpreter threats and phishing. However, it also notes a diverse array of tactics and techniques, including less common methods like OS credential dumping and account manipulation. This suggests that while attackers continue to innovate, they still depend heavily on tried-and-true techniques.
Key Finding #2: Process Monitoring and Remote Termination are Crucial. The emphasis on monitoring processes, especially in the context of Command and Scripting Interpreter threats, highlights the critical importance of real-time surveillance and the capability to terminate malicious processes swiftly. These capabilities ensure that organizations can quickly neutralize threats before they escalate, minimizing potential damage and enhancing overall security resilience.
Key Finding #3: Strategic Account and Device Management is Valuable for Mitigating Threats. The analysis of tactics involving valid accounts and the exploitation of compromised devices highlights the indispensable role of comprehensive account and device management strategies in modern cybersecurity defenses. Given the prevalence of these tactics for gaining initial access and maintaining persistence within target networks, organizations must prioritize the implementation of robust identity and access management solutions, coupled with strict device management policies.
Recommendations
Recommendation #1: Perform Continuous Evaluation and Gap Analysis of Incident Response and Detection Capabilities. Review and evaluate incident response and detection capabilities against each of the common attack techniques identified in our research, such as scripting threats, phishing, spearphishing, and account manipulation. Where gaps are identified, teams must define and document the processes needed to bridge these gaps, whether through the adoption of new technologies, the refinement of existing procedures, or enhanced training and awareness programs.
Recommendation #2: Strengthen Incident Response with Automation. Develop and refine incident response playbooks, particularly for high-frequency and high-impact threats identified in the report, such as scripting attacks and unauthorized account access. Incorporate automation and orchestration capabilities to expedite the detection, containment, and remediation processes, ensuring a swift and efficient response to incidents.
Recommendation #3: Adopt and Integrate the MITRE D3FEND Framework. Security teams should consider adopting and integrating the MITRE D3FEND framework into their cybersecurity strategies to complement the MITRE ATT&CK framework’s insights. The structured design of incident response playbooks is an opportunity for security teams to embed D3FEND best practices into their processes automatically. By leveraging D3FEND’s countermeasures against the tactics and techniques identified in the report, teams can develop a more proactive and comprehensive defense strategy.
About D3 Security
D3 Security’s Smart SOAR™ helps solve many of the most entrenched problems in cybersecurity—including analyst burnout, alert overwhelm, and information silos—by transforming separate tools into a unified ecosystem with multi-tier automation, codeless orchestration, robust case management, and environment-wide reporting. Smart SOAR performs autonomous triage and drastically reduces false positives so that enterprise, MSSP, and public sector security teams can spend more time on real threats.