September 12, 2024
Phishing and credential theft remain two of the top methods adversaries use to breach networks. To counter these effectively, it’s not enough to understand the attacks themselves—you also need a strong defensive strategy. That’s where a framework like MITRE D3FEND can make all the difference, providing a structured approach to securing your organization.
For those unfamiliar, MITRE D3FEND is a knowledge base designed to focus on defensive techniques, as opposed to MITRE ATT&CK, which focuses on attack tactics, techniques, and procedures (TTPs). D3FEND helps organizations deploy and configure security tools more effectively, identifying gaps and overlaps while ensuring the right defenses are in place.
Reach goes beyond simply aligning with D3FEND by integrating data from email security, endpoint, and identity tools to offer actionable recommendations based on the actual threats observed in your environment. This means that instead of generic guidance, you get tailored advice specific to both your organization and the current threat landscape.
To illustrate, let’s break down how Reach could be applied to a real-world attack, using a 2023 CISA advisory about a Kimsuky phishing campaign. This campaign demonstrated TTPs for gaining initial access, executing malicious code, and maintaining persistence. By mapping this to the D3FEND framework, we can show how Reach enhances your defense at each stage of the attack.
In the Kimsuky campaign, spear-phishing emails were used to deliver malicious payloads. This highlights the need for thorough email analysis to detect and block these threats early. Reach ingests data from tools like Proofpoint to understand who within your organization is being targeted and how the attacks are being delivered. With this information, Reach provides precise recommendations for configuring Proofpoint, ensuring it’s optimized to detect and block phishing attempts.
If a phishing email bypasses initial defenses, adversaries often try to trick users into executing malicious scripts. Kimsuky attackers used scripts to maintain persistence, reinforcing the need for strong endpoint controls. Reach analyzes data from previous attacks to recommend enhanced endpoint protections, focusing on stricter controls for the users most frequently targeted.
Kimsuky attackers also compromised user credentials, underscoring the importance of robust multi-factor authentication (MFA) policies. Reach identifies high-risk users who need stronger MFA configurations and recommends less strict policies for users not currently under attack. By continuously analyzing attack data, Reach ensures your MFA settings are always aligned with the latest threat patterns.
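The three stages above (email targeting, endpoint script controls, tiered MFA) describe one procedure: take the targeting data an email-security tool already produces, score how heavily each user is being attacked, and assign stricter controls to the most-targeted accounts while leaving baseline policy on the rest. The following is an added illustration of that idea in Python; it is not Reach's code, and the sample events, the scoring weights, the tier thresholds and the control names (loosely named after D3FEND technique categories rather than quoting official identifiers) are all constructed for the example.

```python
"""Tiered control recommendations from email-security targeting data.

Added example, not vendor code. Input events, weights and thresholds are
constructed; the control names are illustrative labels, not D3FEND IDs.
"""
from collections import Counter

# Constructed sample: one record per message an email-security gateway
# evaluated. "delivered" means the message reached the mailbox anyway.
EVENTS = [
    {"user": "cfo@example.com",    "verdict": "phish",   "delivered": False},
    {"user": "cfo@example.com",    "verdict": "phish",   "delivered": True},
    {"user": "cfo@example.com",    "verdict": "malware", "delivered": False},
    {"user": "hr@example.com",     "verdict": "phish",   "delivered": False},
    {"user": "dev@example.com",    "verdict": "clean",   "delivered": True},
    {"user": "intern@example.com", "verdict": "phish",   "delivered": True},
]

# Every account that should receive a recommendation, including users
# with no events at all (they still need a baseline policy).
ALL_USERS = ["cfo@example.com", "hr@example.com", "dev@example.com",
             "intern@example.com", "ops@example.com"]

# Hypothetical weights: a blocked threat counts 1, a threat that got
# through the filter counts 3 because the next control layer is now live.
WEIGHT_BLOCKED = 1
WEIGHT_DELIVERED = 3

# Hypothetical thresholds for the tiers.
HIGH_THRESHOLD = 3
MEDIUM_THRESHOLD = 1

# Illustrative control sets per tier, named after the defensive ideas in
# the post (email attachment/link analysis, script execution limits, MFA).
CONTROLS = {
    "high": [
        "email: sandbox attachments and rewrite links for this user",
        "endpoint: block unsigned script execution (PowerShell/VBS/JS)",
        "identity: phishing-resistant MFA (hardware key) required",
    ],
    "medium": [
        "email: sandbox attachments for this user",
        "endpoint: alert on script execution from Office/mail processes",
        "identity: MFA required on every sign-in, no trusted-device bypass",
    ],
    "low": [
        "email: default gateway policy",
        "endpoint: default policy",
        "identity: baseline MFA",
    ],
}


def targeting_score(events):
    """Sum a per-user score from non-clean verdicts.

    Returns a Counter mapping user -> score; users with only clean
    messages are absent (score 0).
    """
    scores = Counter()
    for e in events:
        if e["verdict"] == "clean":
            continue
        scores[e["user"]] += WEIGHT_DELIVERED if e["delivered"] else WEIGHT_BLOCKED
    return scores


def tier_for(score):
    """Map a numeric targeting score onto a control tier."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def recommend(events, users):
    """Build a recommendation per user: tier plus the controls to apply."""
    scores = targeting_score(events)
    plan = {}
    for user in users:
        tier = tier_for(scores.get(user, 0))
        plan[user] = {"score": scores.get(user, 0), "tier": tier,
                      "controls": CONTROLS[tier]}
    return plan


if __name__ == "__main__":
    for user, rec in recommend(EVENTS, ALL_USERS).items():
        print(f"{user}: score={rec['score']} tier={rec['tier']}")
        for c in rec["controls"]:
            print(f"  - {c}")
```

The point of the weighting is that a phishing message that was delivered is evidence the email layer has already been bypassed for that user, so it pushes the account toward stricter endpoint and MFA controls faster than a blocked one does; a real deployment would also decay old events so that tiers relax once a user stops being targeted.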
Understanding the stages of an attack is key to effective defense. Reach empowers you to look beyond individual security tools and take a proactive stance, identifying areas for improvement based on real attacks that target your organization. By mapping this data to the MITRE D3FEND framework, Reach keeps your defenses relevant and up-to-date, helping you stay ahead of evolving threats with a comprehensive, continuously updated security strategy.
While mapping threats to MITRE D3FEND is a valuable first step, the next challenge is putting it into action. In the next post, we'll focus on operationalizing D3FEND by turning the data into actionable strategies to enhance your security posture. Stay tuned to learn how you can apply D3FEND in practice and strengthen your organization's defenses.
Reach is the first AI purpose-built to reprogram your security infrastructure based on who you are and how you're being attacked. Organizations of all sizes trust Reach to make mission-critical decisions because it doesn't hallucinate and it doesn't make mistakes. It's a different kind of AI. To learn more, visit reach.security/try-reach.