D3 Security's Attackbot integrates Mitre ATT&CK in SOAR 2.0

With the Mitre ATT&CK framework, D3's SOAR 2.0 platform can identify and map security events, predict the kill chain and trigger automated responses to remediate threats.

D3 Security has released Attackbot, a proactive response matrix that combines security orchestration, automation and response (SOAR) technology with the Mitre ATT&CK framework to identify the entire kill chain of complex cyberattacks.

Building on existing SOAR capabilities to predict attacker behavior, Attackbot enables security teams to monitor attack progress in real time, correlate incidents with known adversary behaviors and take action with the aid of decision tree-based playbooks. This lets teams focus remediation on the hosts and attack steps that matter, for a more conclusive incident response.

The Mitre Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework, developed by Mitre Corp., is a knowledge base of adversary tactics and techniques compiled from real-world observations of attacks on enterprise networks. Used by security vendors and consultants, ATT&CK classifies adversary behavior so that researchers can identify common patterns, attribute activity to known threat groups and track the malware and tools those groups use.

Embedding the Mitre ATT&CK framework into its SOAR 2.0 platform, D3's Attackbot brings the following capabilities:

  • automatically identify security events and map them onto the Mitre ATT&CK matrix to focus incident response;
  • visualize and predict the kill chain, searching backward across earlier events as well as pointing analysts to the adversary's likely next steps; and
  • automatically trigger a D3 kill chain playbook to remediate the threat.

According to a Verizon Data Breach Investigations Report, phishing is involved in 32% of all data breaches and 78% of all cyberespionage incidents. D3 claims that Attackbot actively searches for steps that an adversary might take after a phishing attempt -- such as credential dumping -- in an effort to augment phishing investigations.

Additionally, Attackbot automatically searches and correlates relevant events, narrows the list of potentially compromised computers, analyzes logs for evidence of compromise and identifies the adversary's techniques using the Mitre ATT&CK framework and D3's own database. Without that correlation, an analyst would typically have to sort through hundreds of events manually to find the compromised computer.
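The correlation loop described above, mapping detections onto ATT&CK techniques, reading the kill chain backward and forward for each host, and deciding when a post-phishing playbook should fire, as an added Python illustration. This is not D3's Attackbot code: the technique and tactic names are real Enterprise ATT&CK entries, but the detection rule names, the event format, the sample events and the triage thresholds are assumptions constructed for the example.

```python
"""Map detections to ATT&CK techniques, order them along the kill chain per host,
search backward from a late-stage hit and decide which hosts get a playbook.
Added illustration of the approach the article describes; not D3 Security's
Attackbot code. Technique and tactic IDs are real Enterprise ATT&CK entries; the
event format, rule names, sample events and triage thresholds are assumptions."""
from collections import defaultdict

# Enterprise ATT&CK tactics in matrix order; the index doubles as a
# kill-chain stage number.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# A small slice of the matrix: technique ID -> (tactic, name).
TECHNIQUES = {
    "T1566": ("initial-access", "Phishing"),
    "T1204": ("execution", "User Execution"),
    "T1059": ("execution", "Command and Scripting Interpreter"),
    "T1003": ("credential-access", "OS Credential Dumping"),
    "T1087": ("discovery", "Account Discovery"),
    "T1021": ("lateral-movement", "Remote Services"),
    "T1041": ("exfiltration", "Exfiltration Over C2 Channel"),
}

# Assumed mapping from a detection rule name (as a SIEM or EDR might emit it)
# to the technique it evidences. In practice this table is kept per rule.
RULE_TO_TECHNIQUE = {
    "email.attachment.macro": "T1566",
    "office.spawned.child": "T1204",
    "powershell.encoded.command": "T1059",
    "lsass.memory.read": "T1003",
    "smb.admin.share.logon": "T1021",
    "dns.large.txt.outbound": "T1041",
}

# Constructed sample detections, not real telemetry: (timestamp, host, rule).
SAMPLE_EVENTS = [
    (1, "ws-17", "email.attachment.macro"),
    (2, "ws-17", "office.spawned.child"),
    (3, "ws-17", "powershell.encoded.command"),
    (4, "ws-17", "lsass.memory.read"),
    (5, "ws-04", "email.attachment.macro"),
    (6, "ws-04", "office.spawned.child"),
    (7, "ws-22", "powershell.encoded.command"),   # lone script, no chain
    (8, "srv-db1", "smb.admin.share.logon"),      # single late-stage hit
    (9, "ws-22", "unknown.rule"),                 # unmapped, left to an analyst
]


def map_events(events):
    """Per host, the time-ordered list of (timestamp, technique, tactic).
    Detections with no ATT&CK mapping are dropped here for manual review."""
    by_host = defaultdict(list)
    for ts, host, rule in events:
        tech = RULE_TO_TECHNIQUE.get(rule)
        if tech is None:
            continue
        by_host[host].append((ts, tech, TECHNIQUES[tech][0]))
    return {host: sorted(ev) for host, ev in by_host.items()}


def furthest_stage(host_events):
    """Index into TACTIC_ORDER of the furthest kill-chain stage seen on a host."""
    return max(TACTIC_ORDER.index(t) for _ts, _tech, t in host_events)


def predict_next(host_events):
    """Forward look: the tactic after the furthest observed stage and the
    techniques in our slice that belong to it (what to hunt for next)."""
    idx = furthest_stage(host_events)
    if idx + 1 >= len(TACTIC_ORDER):
        return None, []
    nxt = TACTIC_ORDER[idx + 1]
    return nxt, [tid for tid, (tac, _n) in TECHNIQUES.items() if tac == nxt]


def earlier_stages(host_events, technique):
    """Backward search: techniques seen on the host before its first hit of
    `technique` that sit at an earlier kill-chain stage (the likely path in)."""
    hits = [ts for ts, tech, _t in host_events if tech == technique]
    if not hits:
        return []
    first, stage = hits[0], TACTIC_ORDER.index(TECHNIQUES[technique][0])
    return [tech for ts, tech, t in host_events
            if ts < first and TACTIC_ORDER.index(t) < stage]


def ranked_hosts(events):
    """Narrow the host list: most distinct tactics first, then furthest stage."""
    by_host = map_events(events)

    def key(host):
        hev = by_host[host]
        return (-len({t for _ts, _tech, t in hev}), -furthest_stage(hev), host)
    return sorted(by_host, key=key)


def triage(events):
    """Assumed playbook rule: initial access followed in time by credential
    access on the same host fires the post-phishing playbook; three or more
    distinct tactics escalate to an analyst; anything else is monitored."""
    decisions = {}
    for host, hev in map_events(events).items():
        tactics = {t for _ts, _tech, t in hev}
        first_ia = min((ts for ts, _tech, t in hev if t == "initial-access"),
                       default=None)
        cred_after = first_ia is not None and any(
            t == "credential-access" and ts > first_ia for ts, _tech, t in hev)
        if cred_after:
            decisions[host] = "phishing-playbook"
        elif len(tactics) >= 3:
            decisions[host] = "escalate"
        else:
            decisions[host] = "monitor"
    return decisions


if __name__ == "__main__":
    hosts = map_events(SAMPLE_EVENTS)
    print("ranked:", ranked_hosts(SAMPLE_EVENTS))
    print("triage:", triage(SAMPLE_EVENTS))
    print("ws-17 path in:", earlier_stages(hosts["ws-17"], "T1003"))
    print("ws-17 hunt next:", predict_next(hosts["ws-17"]))
```

Two points the sample is built to show. First, a single late-stage hit (srv-db1's admin-share logon) ranks below a workstation with a short but coherent chain, because stage alone says little without the steps that should precede it; a real deployment would also join events across hosts by source address. Second, unmapped detections are dropped from the automated chain rather than guessed at, so the playbook never fires on a technique assignment nobody made.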

D3's Attackbot supports over 200 out-of-the-box integrations across threat intelligence, IT service management and network security software.
