The MITRE ATT&CK Framework is an excellent tool for organizations to plan and understand their defense-in-depth strategy. Mapping the tactics, techniques, and procedures (TTPs) coverage to understand where your gaps lie is important to protecting your organization against cyber threats.
MITRE Engenuity’s ATT&CK Evaluation Results Released
This week, MITRE Engenuity released the results from their latest round of ATT&CK Evaluations for Enterprise that focused on two complex, multi-stage impact-focused attacks carried out by advanced threat groups, Wizard Spider and the Sandworm Team. The evaluations emulated the TTPs of these threat actors throughout the kill chain and across ATT&CK tactics and techniques. Wizard Spider is a financially motivated group that operates financial malware and ransomware campaigns, and the Sandworm Team is focused on destructive encryption and wiper attacks.
In this most recent round of testing, which took place in Q4 2021, the results of the protection segment of the test validated the strength and robustness of Deep Instinct’s multi-layered, prevention-first approach and highlighted the value our customers are seeing every day. Deep Instinct also achieved exemplary detection coverage across various execution, persistence, and impact techniques emulated. These are exactly the results we would expect as a prevention-first solution.
In the past, MITRE Engenuity ATT&CK Evaluations had been more focused on evaluating detection and response, post infection. This tied closely with the reactive, “assume breach” mindset of the past decade – which looks for anomalous behaviors to stop a breach after an attack has executed on the endpoint. Beginning last year, MITRE Engenuity added a protection part to the test which aims to evaluate a solution’s ability to prevent attacks and not just provide detection and insight into the adversary’s activity.
3 Key Takeaways from Deep Instinct’s MITRE Engenuity Participation
The main takeaways from Deep Instinct’s participation in the MITRE Engenuity ATT&CK evaluation:
- Deep Instinct provided visibility and detection to adversary activities in all 15 attack steps tested.
- Our prevention and suspicious activity detection engines achieved excellent detection coverage on techniques related to execution, persistence, command and control, and impact tactics, as well as additional visibility and insight into all other tactics included in the test.
- Over 93% of Deep Instinct’s detections were at an analytic level (beyond simple telemetry), with 92% being at the highest detection level and technique. This attests to the high level of context, correlation, and actionability of the events and data presented to the user, reducing time and manual hunting and analysis resources.
*Please refer to MITRE methodology to understand the differences between the four levels of detection
The MITRE Windows protection test included eight (8) attack scenarios comprised of a series of sub-steps (90 in total for Windows) that were emulated in the detection portion of the test. Each of the scenarios tested, although part of a longer kill chain attack, represents an individual attack that is intrinsically malicious. It is expected that each individual scenario can and should be prevented. As mentioned above, the Deep Instinct Prevention Platform succeeded in preventing all eight scenarios. The results validated the importance of our multi-layer approach that deploys prevention mechanisms across the MITRE ATT&CK kill-chain and increases the likelihood of successful prevention.
The table summarizes the eight tested scenarios and the Deep Instinct engines/capabilities which triggered the prevention.
|
|
|
|---|---|---|
Emotet Initial Access, Persistence, and Collection | Wizard Spider | Script Protection - PowerShell |
TrickBot Execution, Discovery, and Kerberoasting | Wizard Spider | Deep Static Analysis + Suspicious Activity Detection (Automatic Remediation Mode – Process Termination) |
TrickBot Registry Persistence | Wizard Spider | Script Protection - PowerShell |
TrickBot ActiveDirectory Dumping | Wizard Spider | Suspicious Activity Detection (Automatic Remediation Mode – Process Termination) |
Ryuk – Inhibiting System Recovery | Wizard Spider | Suspicious Activity Detection (Automatic Remediation Mode – Process Termination) |
Ryuk – Data Encryption | Wizard Spider | Deep Static Analysis + Behavioral Analysis (Malicious Code Injection) |
NotPetya – Lateral Movement and Domain Host Compromise | Sandworm | Deep Static Analysis + Suspicious Activity Detection (Automatic Remediation Mode – File Quarantine) |
NotPetya – Data Encryption | Sandworm | Deep Static Analysis + Behavioral Analysis (Ransomware Protection) + Suspicious Activity Detection –(Automatic Remediation Mode – Process Termination) |
The Importance of Prevention
Prevention can have an extremely positive impact on your overall security posture by filling in the gaps that exist in your coverage today while reducing your reliance on the downstream impacts of detection and response. Defense-in-Depth is needed; with greater prevention you can lower security costs, improve efficiency, and reduce your overall risk. MITRE recognized this reality when they added the protection testing in 2021.
MITRE Engenuity testing is important, but sometimes a customer evaluation can say it all.
"I am now a believer of the capabilities of Deep Instinct as I had conducted my own pre-purchase trial in late 2020 and early 2021 where I tested some of the top vendors' engines and pitted them all against Deep Instinct (The competitors all lost badly in the detection phase of my testing). Deep Instinct handled many near zero-day threats that had been in the wild a much shorter time than Deep Instinct's detection engine's release date. It simply didn't matter to Deep Instinct. It found them all and stopped them at pre-execution. Since pre-execution was my strategic goal with a zero-defect mentality driving that concept - Deep Instinct rocketed to the top of my wish list. Other products I tested allowed some damage to occur or didn't detect a zero-day threat at all while they wreaked havoc in a sandboxed environment.”*
Conclusion
What the MITRE Engenuity evaluation does not assess is what it costs to run the solutions tested. In the end cost matters – and not just the hard costs associated with buying a solution, but also what it takes to manage and maintain it. Detection and response solutions are reactive and require an abundance of resources to tune models, investigate threats, and remediate breaches. Threat Hunting and Incident Response teams require skilled employees and there are not enough experienced cybersecurity professionals to fill the roles we have today. In fact, “there were 3.5 million unfilled cybersecurity jobs globally [in] 2021, up from one million positions in 2014” according to Cybersecurity Ventures. Most EDRs require extensive in-house services to configure and manage the technology. As a result, many organizations have turned to outsourcing this service to an MDR, which is not without its own risks.
Deep Instinct excels at predicting the unknown, never-before-seen threats. Our innovative approach means that organizations can proactively prevent >99% of known, unknown, ransomware, and zero-day threats. Deep Instinct also lowers false positives to <0.1%, reducing the burden on your security team and improving your ability to detect the most advanced threats. And proactive prevention can lower downstream costs, improve the efficiency of your SOC, and lower your overall risk.
We found significant value in participating in our first MITRE Engenuity testing, but in reality, we do it every day. Our customers are our real proof points as they benefit from a true prevention-first approach with Deep Instinct, lowering the resource requirements of their security professionals by reducing false positives and improving investigation and remediation. When the next unknown threat hits, you need the best preventative solution to keep the attackers out and ensure you can automate responses with your EDR. This approach delivers the best of both worlds.
We invite you to request a demo and test us out to see the positive impact a prevention-first approach will have on your organization’s security posture.
For further reading please see the EDR is not Enough eBook and Deep Instinct’s latest Cyber Threat Landscape Report.
*Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates."
Learn More
Watch our on-demand webinar "Clarifying the vendor spin on MITRE ATT&CK Evaluations." In this webinar, Hector Monsegur, Security Researcher and Charles Everette, Director, Cybersecurity Advocacy at Deep Instinct, review what the MITRE ATT&CK Evaluations truly are and walk through the best ways to interpret the results, including going into detail about how tests are performed.