A Look at the MITRE ATT&CK Content Pack from Cortex XSOAR Marketplace

Feb 17, 2021

As security professionals, we know that the tactics, techniques and procedures (TTPs) used by adversaries are constantly evolving to evade our existing defenses. That is why it is critical that security leaders keep updating their programs and leverage new information and technologies to keep their environments secure. Detecting new threats in real time and remediating issues quickly is a challenge for every type of organization. Here at Palo Alto Networks, our fully dedicated Unit42 threat research team works around the clock to ensure our company and our customers have the intel they need to neutralize these emerging and evolving threats without missing a beat. To carry out their mission, our researchers work with various tools and information sharing systems, including the MITRE ATT&CK framework. ATT&CK is a knowledge base built from real-world observations of threat actor behavior, organized into a standardized vocabulary of tactics and techniques, with mitigations and detection guidance that organizations can use to plan responses and harden their security programs.

What is the Cortex XSOAR Marketplace?

  • The Cortex XSOAR Marketplace is a digital storefront for discovering turnkey security orchestration content packs centrally within Cortex XSOAR.
  • Content packs are prebuilt bundles of integrations, playbooks, dashboards, fields, subscription services, and all the dependencies needed to support specific security orchestration use cases.

The MITRE ATT&CK content pack builds on Unit42 Actionable Threat Objects and Mitigations (ATOMs), intel and research that describes attack groups and their actions in MITRE ATT&CK terms, and turns it into Cortex XSOAR automated orchestration playbooks. These playbooks use the latest ATT&CK updates and draw context from our Unit42 team to further enrich alert triage for events and activity across the corporate environment, third-party data sources, and threat intelligence feeds. The pack is powerful because it lets security teams operationalize the MITRE ATT&CK framework in Cortex XSOAR without manually translating hundreds of TTPs from the framework into rules, lists, and other resources for detection, enrichment, and response.

What does this content pack do?

  • Automatically maps MITRE ATT&CK techniques to Courses of Action playbooks.
  • Takes action to remediate the techniques across Palo Alto Networks security products, following the order of the MITRE ATT&CK tactics (the attack lifecycle).
  • Checks existing profiles against best practices and suggests manual or automated policy changes.
  • The playbooks in the pack can be triggered manually, by a job, by an incident, or by any threat intelligence feed.
  • MITRE ATT&CK techniques are the playbook inputs, so the playbooks can be triggered by any third-party tool that maps its findings to the framework.
  • With the Unit 42 feed ingesting Actionable Threat Objects and Mitigations (ATOMs), users are notified as soon as a new threat actor report is published, and playbook actions are taken immediately.
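To make the "techniques are the playbook inputs" idea concrete, here is a small, added example (not code from the content pack or from Cortex XSOAR) of the mapping step such a pack automates: pull ATT&CK technique IDs out of a threat report or alert, deduplicate them, fall back from a sub-technique to its parent technique when only the parent has a course of action, and surface anything left unmapped for an analyst. The playbook names and the sample report are constructed for illustration; the real pack's playbook names and the XSOAR trigger mechanism are not shown here.

```python
import re
from typing import Dict, List, Tuple

# Constructed, illustrative mapping from ATT&CK technique IDs to hypothetical
# course-of-action playbook names. These are NOT the pack's real playbook names.
COURSES_OF_ACTION: Dict[str, str] = {
    "T1566": "CoA - Phishing - block sender domain and quarantine messages",
    "T1059": "CoA - Command and Scripting Interpreter - restrict interpreters",
    "T1071": "CoA - Application Layer Protocol - enforce App-ID and URL filtering",
    "T1486": "CoA - Data Encrypted for Impact - isolate host and snapshot",
}

# ATT&CK technique IDs look like T1059 (technique) or T1059.001 (sub-technique).
# Tactic IDs (TA0001) deliberately do not match.
TECHNIQUE_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b")


def extract_technique_ids(text: str) -> List[str]:
    """Return the unique ATT&CK technique IDs in free text, in order of first appearance."""
    found: List[str] = []
    for m in TECHNIQUE_RE.finditer(text):
        tid = "T" + m.group(1) + ("." + m.group(2) if m.group(2) else "")
        if tid not in found:
            found.append(tid)
    return found


def resolve_courses_of_action(technique_ids: List[str]) -> Tuple[List[str], List[str]]:
    """Map technique IDs to playbooks.

    A sub-technique (T1059.001) falls back to its parent (T1059) when no
    sub-technique-specific playbook exists. Each playbook is triggered at most
    once even if several techniques map to it. Unknown IDs are returned
    separately so an analyst can map them by hand instead of silently dropping them.
    """
    triggered: List[str] = []
    unmapped: List[str] = []
    for tid in technique_ids:
        parent = tid.split(".")[0]
        playbook = COURSES_OF_ACTION.get(tid) or COURSES_OF_ACTION.get(parent)
        if playbook is None:
            unmapped.append(tid)
        elif playbook not in triggered:
            triggered.append(playbook)
    return triggered, unmapped


# Constructed sample threat report text (not a real Unit 42 ATOM).
SAMPLE_REPORT = (
    "The actor gained initial access via spearphishing attachments (T1566.001), "
    "then executed PowerShell (T1059.001) and Windows Command Shell (T1059.003). "
    "Additional activity mapped to T1059 and to an unrecognized ID T9999. "
    "Tactic TA0002 (Execution) is mentioned but is not a technique."
)


def plan_from_report(report: str) -> Tuple[List[str], List[str]]:
    """End-to-end: report text -> (playbooks to trigger, technique IDs needing manual mapping)."""
    return resolve_courses_of_action(extract_technique_ids(report))


if __name__ == "__main__":
    playbooks, leftovers = plan_from_report(SAMPLE_REPORT)
    for name in playbooks:
        print("trigger:", name)
    for tid in leftovers:
        print("needs manual mapping:", tid)
```

The same function would accept technique IDs from any source that emits them, which is the point of making the technique the playbook input: an EDR alert, a SIEM rule, or a threat feed only has to agree on the ATT&CK ID, not on a vendor-specific field name.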

Using the MITRE ATT&CK Courses of Action content pack with Cortex XSOAR, security teams can take immediate action to identify and stop the latest threats early in the attack cycle and keep their organization out of the next big cyberattack news headline.

The pack is easily deployed with a few clicks from the Cortex XSOAR Marketplace and provides all the content needed to operationalize the MITRE ATT&CK framework using automated playbooks.

How can security professionals discover more content packs?

Organizations can bridge the gaps and advance the maturity of their security program by tapping into the fastest growing community of security experts. Visit us here for a list of available integrations and featured content packs.

Don’t have Cortex XSOAR? Download our free Community Edition today!

For more information on the MITRE ATT&CK Courses of Action content pack, please visit: https://xsoar.pan.dev/docs/reference/articles/courses-of-action
