D3 SOAR: Incident & Security Management Software

D3 ATTACKBOT

Intent-Based SOAR Powered by MITRE ATT&CK

D3 has built the entire MITRE ATT&CK matrix into its SOAR platform to create ATTACKBOT, which enables proactive analysis, response, and reporting on threats from across your security infrastructure. ATTACKBOT is the first solution to enable intent-based SOAR—as opposed to conventional event-based SOAR—by using MITRE’s database of thousands of real-world cyberattacks to analyze adversary behavior and predict their next steps. We call it SOAR 2.0.


RECENT UPDATES

Kill Chain Surveillance for Endpoints

When an attack technique, such as a spearphishing attempt, is identified on an endpoint, ATTACKBOT isolates the endpoint and associated user ID, and places them under Kill Chain Surveillance, continuously searching for related techniques. Uniquely, D3’s endpoint agent can then pull logs from the targeted endpoint for deeper investigation. This continuous surveillance of IOCs enables detection of adversary activity weeks or even months after initial compromise.

TARGET RESPONSE BASED ON ADVERSARY TACTICS AND TECHNIQUES

Automatically identify and map security events against the MITRE ATT&CK matrix’s hundreds of tactics and techniques, based on MITRE’s extensive knowledge base of real-world attacks. MITRE’s 12 tactics describe what an adversary is trying to do, such as escalate privileges within a network. Each tactic has numerous associated techniques, which describe how the adversary will achieve that goal, such as via access token manipulation. D3 ATTACKBOT can identify the tactics and techniques used in an event and plot them across the ATT&CK matrix.

Visualize and Predict the Kill Chain

Once ATTACKBOT has determined the tactics and techniques involved in an event, it then searches for correlated tactics and techniques based on the likely kill chain of the attack—in other words, the logical steps an adversary might take to reach their goal. This includes searching backwards across previous events to find steps that were previously overlooked, as well as looking forward to predict and disrupt likely next steps.

Trigger Automated Responses

At any point during an attack, the analyst can trigger a D3 Kill Chain Playbook to rapidly address the threat. The playbook will draw on ATTACKBOT’s understanding of what stage of the kill chain the attack has reached, as well as valuable data related to IOCs, techniques, and correlations that have been established. The playbook then springs into action using D3’s powerful orchestration capabilities and hundreds of integrated apps and actions. Because of ATTACKBOT’s ability to identify ongoing attacks by correlating steps in the kill chain, users have the best possible chance to disrupt attacks before they do real damage.

GAP ASSESSMENT AND REPORTING WITH ATTACKBOT

Because D3 aggregates events from across your entire security infrastructure, you can use ATTACKBOT to generate comprehensive reports that show what techniques, tactics, and adversaries your SOC has faced. The report can break down which have succeeded and which have not—revealing gaps and issues that can be flagged for action. ATTACKBOT reports can be run ad hoc or on a scheduled cadence, such as to show how many instances of a specific adversarial technique were seen in a given month.
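As an added illustration (not D3’s code), the kill chain correlation described under “Visualize and Predict the Kill Chain” and the per-month technique report described above, run over a constructed event feed: events tagged with ATT&CK technique IDs are grouped by endpoint and user, projected onto the tactic order to show the observed stages, the gaps a backward search should revisit, and the predicted next stage. The technique-to-tactic map is a constructed handful of real ATT&CK IDs, not the full matrix, and the event feed and host/user names are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Enterprise ATT&CK tactics in kill chain order (the 12 tactics the page refers to).
TACTICS = ["initial-access", "execution", "persistence", "privilege-escalation",
           "defense-evasion", "credential-access", "discovery", "lateral-movement",
           "collection", "command-and-control", "exfiltration", "impact"]

# Constructed subset of the technique -> tactic mapping (real IDs, only a handful).
TECHNIQUE_TACTIC = {
    "T1566.001": "initial-access",    # Spearphishing Attachment
    "T1204.002": "execution",         # User Execution: Malicious File
    "T1134": "privilege-escalation",  # Access Token Manipulation
    "T1003": "credential-access",     # OS Credential Dumping
    "T1021": "lateral-movement",      # Remote Services
    "T1071": "command-and-control",   # Application Layer Protocol
    "T1041": "exfiltration",          # Exfiltration Over C2 Channel
}

# Constructed event feed: (ISO timestamp, host, user, technique id).
EVENTS = [
    ("2023-03-02T09:10:00", "ws-17", "alice", "T1566.001"),
    ("2023-03-02T09:12:00", "ws-17", "alice", "T1204.002"),
    ("2023-03-15T22:40:00", "ws-17", "alice", "T1003"),
    ("2023-04-01T03:05:00", "ws-17", "alice", "T1021"),
    ("2023-03-20T11:00:00", "srv-02", "bob", "T1071"),
]

def surveil(events):
    """Group events by (host, user): the unit placed under kill chain surveillance."""
    by_target = defaultdict(list)
    for ts, host, user, tech in sorted(events):  # ISO timestamps sort chronologically
        by_target[(host, user)].append((ts, tech))
    return dict(by_target)

def kill_chain(target_events):
    """Project one target's events onto the tactic order: observed stages, gaps behind the
    furthest stage (where a backward search should look), and the predicted next stage."""
    observed = sorted({TECHNIQUE_TACTIC[t] for _, t in target_events}, key=TACTICS.index)
    if not observed:
        return {"observed": [], "gaps": [], "predicted_next": None}
    first, last = TACTICS.index(observed[0]), TACTICS.index(observed[-1])
    gaps = [t for t in TACTICS[first:last] if t not in observed]
    nxt = TACTICS[last + 1] if last + 1 < len(TACTICS) else None
    return {"observed": observed, "gaps": gaps, "predicted_next": nxt}

def technique_counts(events, year, month):
    """Ad hoc report: how many instances of each technique were seen in a given month."""
    return Counter(tech for ts, _, _, tech in events
                   if (datetime.fromisoformat(ts).year, datetime.fromisoformat(ts).month) == (year, month))
```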

INTEGRATION STATION

Simplify your security with 200+ out-of-the-box integrations

SIEM

Threat Intelligence

ITSM

Network Security

Identity

Forensic

Email

Conventional event-based SOAR might be enough to protect against simple threats, but to stand a chance against complex targeted attacks, you need the intent-based SOAR that ATTACKBOT enables. With ATTACKBOT’s Kill Chain Surveillance, you can use the power of MITRE ATT&CK to illuminate subtle correlations that might look innocuous in isolation, but when placed in context with other events, begin to form the kill chain of an attack.

MITRE has the world’s largest database of real-world cyberattacks, which they used to create the ATT&CK matrix. The matrix is continuously updated as new techniques are discovered. ATTACKBOT brings all of that research to your fingertips, so that you can use MITRE’s knowledge of techniques, tactics, and adversaries to target your security efforts. If you’ve ever felt like you’re searching for needles in haystacks, going through endless streams of alerts, this is the solution. MITRE has calculated the most likely patterns of attack, and ATTACKBOT automates surveillance based on those patterns.

Using ATTACKBOT, Kill Chain Surveillance is a dynamic process. This means that as ATTACKBOT finds related events, IOCs, and other correlations, they are added to Kill Chain Surveillance. As the new information is added, ATTACKBOT continues to search for correlations based on this new data set. The result is a web of relationships and events that expands in real time as your understanding of the kill chain grows.

It’s not enough to just detect attacks; you need to take decisive action to disrupt them. Using ATTACKBOT, D3 users can activate a Kill Chain Playbook that leverages all the known information related to an attack to generate the appropriate response steps. This playbook can be customized in D3’s drag-and-drop Visual Playbook Editor, with no scripting required. D3 has hundreds of integrated apps and actions, so orchestrating a response step such as updating a firewall rule or detonating a suspicious file is as simple as dropping it into the playbook.

Most conventional security tools are signature-based, meaning that they detect threats based on known malicious hashes, IP addresses, URLs, etc. Correlating events against MITRE ATT&CK, on the other hand, is a behavior-based approach, because it highlights suspicious patterns of behavior, based on MITRE’s knowledge base of real-world cyberattacks. While it is important to use both models in your security operations, the behavior-based model overcomes the many shortcomings of signature-based models that smart adversaries know to exploit, such as by using seemingly legitimate actions to achieve malicious goals.