Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products

MITRE Corporation’s ATT&CK framework has been used to evaluate enterprise security products from several vendors to determine how efficient they are in detecting and responding to attacks launched by sophisticated threat groups.

MITRE Corporation’s ATT&CK framework has been used to evaluate enterprise security products from several vendors to determine how efficient they are in detecting and responding to attacks launched by sophisticated threat groups.

MITRE is a not-for-profit company involved in federally funded research and development projects in various areas, including cybersecurity. Its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Matrix is a framework that describes the techniques used by adversaries, including related to persistence, privilege escalation, defense evasion, credential access, discovery, data collection, lateral movement, command and control, and execution.

Earlier this year, the company announced that it was giving cybersecurity solutions providers the chance to evaluate their products based on the ATT&CK framework, specifically a plan that emulates activities known to have been carried out by a threat group tracked as APT3.

APT3, linked by researchers to the Chinese Ministry of State Security (MSS), is also known as UPS Team, Gothic Panda, Buckeye and TG-0110. The group has been active since at least 2009, targeting organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other methods.

In the first round of evaluations performed by Mitre, the threat actor’s tactics and techniques were tested against products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne.

Unlike other evaluations, the MITRE ATT&CK testing does not provide scores or ratings and it’s difficult to make a direct comparison between the products using the results. Instead, the goal is to show how a product’s capabilities can detect different types of malicious activities typically carried out by hackers once they have gained access to an organization’s systems. The tests are also designed to help vendors improve their tools and coverage.

For example, the results of the evaluation show how one of the products failed to detect that the attacker used the Cobalt Strike tool to steal access tokens and escalate privileges. A different product managed to detect the attempt using a combination of telemetry and behavior indicators.

Mitre publishes results of ATT&CK evaluations

It’s also worth noting that MITRE openly communicates with vendors during these evaluations.

Advertisement. Scroll to continue reading.

“We announce the techniques as they are executed, and the vendor can ask us details about how the procedures were implemented,” MITRE’s Frank Duff explained. “The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”

MITRE pointed out that its evaluations focus on the technical ability of a product to detect malicious behavior.

“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”

Related: MITRE ATT&CK Matrix Used to Evaluate Endpoint Detection and Response Product

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.