New In the Wild 2024 report reveals key cyber threats
Wed, 10th Apr 2024

D3 Security, a vendor of smart security orchestration, automation, and response (SOAR), has published its In the Wild 2024 report. This inaugural report from the company offers analysis of real-world cyber security incidents and provides response workflows for some of the most prevalent threats. D3 Security used the MITRE ATT&CK framework to scrutinise tens of thousands of security incidents, listing the 10 techniques most frequently employed by adversaries.

The most notable technique, Command and Scripting Interpreter, was observed in over 50% of the incidents. The research was led by D3 Labs, an internal team dedicated to studying cybersecurity threats and developing solutions to them. "Understanding what attacker techniques you are most likely to come up against is important, but you also need to know how to respond to those threats," said Adrianna Chen, VP of Product and Service at D3 Security. She added that the report includes sample playbooks for each of the top 10 techniques, which security teams can apply immediately.

The data for the In the Wild 2024 report was collected through D3 Smart SOAR, which integrates with hundreds of tools and captures MITRE ATT&CK TTP information from incoming alerts. This platform positions D3 Security to accumulate comprehensive data on the adversary techniques that security teams are combating. The report, which includes incident response workflows for the top 10 ATT&CK techniques, is intended as a resource for security teams aiming to allocate resources efficiently against the most common threats.

D3 Labs analysed 75,331 incidents that happened between January and December 2023. The top 10 MITRE ATT&CK techniques were Execution: Command and Scripting Interpreter (52.2%), Initial Access: Phishing (15.44%), Credential Access: Unmapped (3.8%), Initial Access: Valid Accounts (3.47%), Initial Access: Spearphishing (2.57%), Initial Access: Unmapped (2.55%), Credential Access: Brute Force (2.05%), Persistence: Unmapped (1.62%), Credential Access: OS Credential Dumping (1.37%), and Persistence: Account Manipulation (1.34%). About 13.56% of incidents did not involve an identifiable technique.

The report showed a high reliance on established attack methods among adversaries, such as Command and Scripting Interpreter and phishing, although a variety of tactics and techniques were used. It also emphasised the importance of real-time monitoring and the ability to swiftly terminate malicious processes, especially in the context of Command and Scripting Interpreter threats. The report further underscored the necessity of comprehensive account and device management strategies in contemporary cybersecurity defences, given the prevalence of techniques for gaining initial access and maintaining persistence within target networks.

To manage these threats, D3 Security recommended continuous evaluation and gap analysis of detection and incident response capabilities. It also suggested strengthening incident response through automation, and integrating the MITRE D3FEND framework into cybersecurity strategies to complement the insights gained from the MITRE ATT&CK framework.