D3 Security’s ATTACKBOT reveals the kill chain of attacks in real-time

D3 Security, an innovator in security orchestration, automation and response (SOAR) technology, has released ATTACKBOT, a unique solution that utilizes the MITRE ATT&CK framework to identify and address the entire kill chain of complex attacks.

ATTACKBOT is a significant enhancement to existing SOAR capabilities that allows organizations to predict attacker behavior and focus remediation efforts effectively for more conclusive incident response.

ATTACKBOT streamlines the identification of incidents by allowing security teams to monitor attack progress in real time, correlate incidents with known adversary behaviors, and take appropriate action with the assistance of decision-tree-based playbooks.

ATTACKBOT delivers proactive intervention against ongoing attacks by treating every event as a link in a larger chain of adversarial intent rather than solely as an isolated incident. By visualizing what the attack is and how far it has progressed, organizations can intervene before the kill chain is complete.

“As Sherlock Holmes once said, ‘There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can’t unravel the thousand and first.’ This is exactly what we are doing with ATTACKBOT,” said Gordon Benoit, President of D3 Security.

“By embedding the entire MITRE ATT&CK framework, we are now able to use MITRE’s database of thousands of past attacks to assess current actions. If you uncover one step in the attack, you can predict the next one. Phishing investigations are just one of the many use cases where this rings true.”

According to the recent 2019 Verizon Data Breach Investigations Report, phishing is involved in nearly a third (32 percent) of all data breaches and 78 percent of cyber-espionage incidents.

ATTACKBOT enhances phishing investigations by actively searching for steps that an adversary might take after a successful phishing attempt, such as credential dumping or querying the system registry.

Rather than a SOC analyst sorting through hundreds of events to determine which computer on a network of thousands has been compromised, ATTACKBOT correlates the relevant events, narrows down the list of potentially compromised computers, and analyzes logs for evidence of compromise.

Through the MITRE ATT&CK framework, ATTACKBOT can identify an adversary's techniques and continuously survey the D3 database and other security tools for further traces of the kill chain.
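The correlation idea described above (map each event to an ATT&CK technique, treat the per-host events as one chain, and report how far along the chain each host is) as an added illustration; this is example code, not D3's product logic, and the tactic order, technique mapping and events are all constructed for the sample:

```python
# Added example: correlate per-host events tagged with MITRE ATT&CK technique IDs
# into a kill chain and report progress, the next expected stage, and gaps.
from collections import defaultdict

# Kill-chain axis: a subset of ATT&CK Enterprise tactics in attack order (assumption).
TACTIC_ORDER = ["initial-access", "execution", "credential-access",
                "discovery", "lateral-movement", "exfiltration"]

# Constructed technique-to-tactic mapping; a real deployment would load the
# full mapping from the ATT&CK STIX data rather than hard-code it.
TECHNIQUE_TACTIC = {
    "T1566.001": "initial-access",     # Phishing: spearphishing attachment
    "T1204.002": "execution",          # User execution: malicious file
    "T1003.001": "credential-access",  # OS credential dumping: LSASS memory
    "T1012":     "discovery",          # Query registry
    "T1021.002": "lateral-movement",   # Remote services: SMB/admin shares
}

# Constructed sample events: (timestamp, host, technique id).
EVENTS = [
    ("2019-06-01T09:01", "ws-17", "T1566.001"),
    ("2019-06-01T09:03", "ws-17", "T1204.002"),
    ("2019-06-01T09:10", "ws-17", "T1003.001"),
    ("2019-06-01T09:12", "ws-17", "T1012"),
    ("2019-06-01T10:00", "ws-42", "T1566.001"),
    ("2019-06-01T10:30", "srv-db", "T1012"),  # discovery with no earlier stage seen
]

def build_chains(events):
    """Group events per host in time order, mapping each to its ATT&CK tactic."""
    chains = defaultdict(list)
    for ts, host, tech in sorted(events):
        tactic = TECHNIQUE_TACTIC.get(tech)
        if tactic is not None:  # unmapped techniques are ignored for the chain
            chains[host].append((ts, tech, tactic))
    return chains

def assess_host(chain):
    """Return (furthest_stage, next_expected_tactic, gaps) for one host.

    gaps lists earlier tactics with no observed event: a chain that starts
    mid-way means either the entry point was missed or the event is benign."""
    seen = {t for _, _, t in chain}
    furthest = max(TACTIC_ORDER.index(t) for t in seen)
    nxt = TACTIC_ORDER[furthest + 1] if furthest + 1 < len(TACTIC_ORDER) else None
    gaps = [t for t in TACTIC_ORDER[:furthest] if t not in seen]
    return TACTIC_ORDER[furthest], nxt, gaps

def triage(events):
    """Rank hosts by kill-chain progress so the furthest-along host is reviewed first."""
    report = {h: assess_host(c) for h, c in build_chains(events).items()}
    return dict(sorted(report.items(), key=lambda kv: -TACTIC_ORDER.index(kv[1][0])))
```

Hosts are ranked by the furthest tactic observed, so `srv-db` (discovery with no preceding stages) outranks `ws-42` (phishing only), and its `gaps` list tells the analyst which earlier stages to look for in other tools' logs.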

Empowering organizations in the fight against advanced persistent threats and sophisticated adversaries is a necessity in today’s threat landscape; therefore, SOAR technology must evolve beyond the linear process of ingesting alerts and automating simple response actions.

For this reason, D3 has fully embedded the MITRE ATT&CK framework into its SOAR 2.0 platform and launched ATTACKBOT.
