D3 Security, an innovator in security orchestration, automation and response (SOAR) technology, announced it has operationalized the MITRE ATT&CK framework, enabling the intelligent correlation of security events against the world’s largest knowledgebase of adversary tactics and techniques.
Ushering in a shift from event-based to intent-based response, D3’s SOAR 2.0 treats events as links in a chain of adversarial intent, rather than as isolated occurrences. This allows security teams to proactively intervene before the chain is complete, armed with a reliable understanding of what the attack is, how far it has progressed, and what the adversary is likely to do next.
To date, SOAR platforms have been broadly effective at the linear process of ingesting events and orchestrating response actions. However, because they take an event-based approach to incident response, they vary widely in their ability to support larger investigations that identify the entire scope of an incident.
While effective in handling a high volume of alerts and leveraging automation to stop simple threats, this method takes a very narrow view on cybersecurity and fails to capture the context of attacks.
Observing that the industry was in need of an evolved approach to SOAR, D3 has built a live and contextual cyber kill chain framework—based on the MITRE ATT&CK matrix—into its platform to investigate how events fit into larger incidents, based on IOCs and attack techniques.
When an event is ingested into D3, the system strips out IOCs and enters them into a kill chain discovery process, which identifies the ATT&CK techniques and tactics being used, and uses that information to search for correlated events. As more events are found, their IOCs and contextual data are entered back into kill chain discovery, continuously expanding the operator’s view of the incident.
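As an added illustration of the discovery loop described above (not D3's own code), the following runs the same strip-IOCs, correlate, feed-back cycle over a constructed event store. The technique IDs are real ATT&CK identifiers; the events, hosts, IP address and tactic subset are assumptions made up for the example.

```python
from collections import deque

# Ordered subset of ATT&CK Enterprise tactics, used to place events along the kill chain.
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "command-and-control", "exfiltration"]

# Constructed event store standing in for a SIEM: each event carries the IOCs
# extracted from it and the ATT&CK technique/tactic a detection mapped it to.
EVENTS = {
    "e1": {"iocs": {"mail:invoice.docm", "host:WS-17"}, "technique": "T1566", "tactic": "initial-access"},
    "e2": {"iocs": {"host:WS-17", "proc:powershell.exe"}, "technique": "T1059", "tactic": "execution"},
    "e3": {"iocs": {"host:WS-17", "ip:203.0.113.10"}, "technique": "T1071", "tactic": "command-and-control"},
    "e4": {"iocs": {"ip:203.0.113.10", "host:SRV-02"}, "technique": "T1041", "tactic": "exfiltration"},
    "e5": {"iocs": {"host:WS-44"}, "technique": "T1059", "tactic": "execution"},  # unrelated noise
}


def find_events_by_ioc(store, ioc):
    """Return the IDs of every event in the store that shares this IOC."""
    return {eid for eid, ev in store.items() if ioc in ev["iocs"]}


def discover_kill_chain(store, seed_event_id):
    """Expand one seed event into an incident: pull its IOCs, find correlated
    events, and feed each new event's IOCs back into the search until no new
    IOCs remain. Returns (events ordered by tactic, furthest tactic reached,
    next tactic to expect or None if the chain is already complete)."""
    incident = {seed_event_id}
    seen_iocs = set()
    queue = deque(store[seed_event_id]["iocs"])
    while queue:
        ioc = queue.popleft()
        if ioc in seen_iocs:
            continue
        seen_iocs.add(ioc)
        for eid in find_events_by_ioc(store, ioc):
            if eid not in incident:
                incident.add(eid)
                queue.extend(store[eid]["iocs"])  # contextual data re-enters discovery
    chain = sorted(incident, key=lambda eid: TACTIC_ORDER.index(store[eid]["tactic"]))
    furthest = store[chain[-1]]["tactic"]
    pos = TACTIC_ORDER.index(furthest) + 1
    next_expected = TACTIC_ORDER[pos] if pos < len(TACTIC_ORDER) else None
    return chain, furthest, next_expected
```

Seeding from the mid-chain execution alert (e2) recovers the phishing, C2 and exfiltration events tied to it through shared IOCs while leaving the unrelated e5 out; removing e4 from the store shows the "what comes next" output changing to exfiltration.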
D3’s SOAR 2.0 allows operators to predict adversary behavior based on patterns that MITRE has analyzed across its expansive knowledgebase of cyber attacks and threat indicators. This means that security teams do not need to search for needles in haystacks or hope that detection tools will catch every important event.
Instead, security operations and incident response teams can focus their efforts on the traces of attacks, techniques, and tactics that are highly correlated, prioritized, or in need of human attention.
Enhanced by the behavior-based MITRE ATT&CK framework, D3 SOAR 2.0 helps to protect organizations from zero-day attacks, IOC modification by adversaries, and other techniques that are effective against signature-based systems.
“D3 has always believed that SOAR should become more intelligent—contextualizing data and making it readily available to enhance the speed and quality of operators’ decision-making. By operationalizing the MITRE ATT&CK framework through our SOAR platform, we are giving organizations the best possible chance to disrupt cyber attacks and data breaches before they are completed,” said Gordon Benoit, President of D3 Security.
“We are thrilled to launch the SOAR market forward into this next phase, where every event is placed into the context of what the attacker is trying to do, and how you can stop them.”