Spoiler alert! Sophos has as soon as once more achieved distinctive ends in the newest 2024 MITRE ATT&CK Evaluations for Enterprise. On this spherical, Sophos XDR achieved:
- The best attainable (‘Method’) scores for 100% of adversary actions within the Home windows and Linux ransomware assault situations
- The best attainable (‘Method’) scores for 78 out of 80 whole adversary actions throughout all three complete situations
- ‘Analytic protection’ scores for 79 out of 80 whole adversary actions actions
The eagerly anticipated outcomes of the sixth spherical of MITRE ATT&CK® Evaluations for Enterprise have been launched, assessing the flexibility of 19 endpoint detection and response (EDR/XDR) options to precisely establish and report the malicious actions of refined risk teams.
Watch this brief video for an summary of the analysis:
What are MITRE ATT&CK® Evaluations?
MITRE ATT&CK® Evaluations are among the many world’s most revered impartial safety exams. They emulate the ways, strategies, and procedures (TTPs) leveraged by real-world adversarial teams and consider every collaborating vendor’s potential to detect, analyze, and describe threats, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
There is no such thing as a singular technique to interpret the outcomes of ATT&CK Evaluations, and they don’t seem to be supposed to be aggressive analyses. The outcomes present what the analysis noticed and don’t end in a “winner” or “chief” – regardless of what some distributors would possibly such as you to suppose!
There’s nuance within the methods every vendor’s instrument works and the way it presents info to the analyst utilizing it, and your particular person wants and preferences play a significant position in figuring out which resolution is greatest for you and your crew. Learn about Sophos Extended Detection and Response (XDR)
Analysis overview
This was the sixth spherical of ATT&CK Evaluations for Enterprise — MITRE’s product-focused analysis — designed to assist organizations higher perceive how endpoint detection and response (EDR) choices like Sophos XDR can assist them defend towards refined, multi-stage assaults.
This spherical centered on behaviors impressed by three identified risk teams:
- Democratic Individuals’s Republic of Korea (DPRK)
The analysis emulated DPRK’s adversary behaviors concentrating on macOS by way of multi-stage operations, together with elevating privileges and credential theft. - CL0P and LockBit Ransomware
The analysis emulated behaviors prevalent throughout campaigns utilizing CL0P and LockBit ransomware concentrating on Home windows and Linux platforms, together with the abuse of reliable instruments and disabling essential providers.
Analysis individuals
Nineteen EDR/XDR resolution distributors participated on this analysis spherical (in alphabetical order):
Understanding the outcomes
Every adversary exercise (known as a ‘sub-step’) emulated throughout the analysis acquired one of many following scores, indicating the answer’s potential to detect, analyze, and describe the adversary exercise, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
- Not relevant — a “miss”: The adversary exercise was not detected or the analysis for the sub-step was not accomplished.
- None: Execution of the sub step was profitable; nonetheless, proof offered didn’t meet the documented Detection Standards, or there was no proof of Purple Staff exercise offered.
- Basic: The answer autonomously recognized that the malicious/suspicious occasion(s) occurred and reported the What, The place, When, and Who.
- Tactic: Along with assembly the factors for a ‘Basic’ score, the answer additionally offered info on the attacker’s potential intent; the Why, aligned to MITRE ATT&CK Techniques.
- Method — the best attainable score: Along with assembly the factors for a ‘Tactic’ score, the answer additionally offered particulars on the attacker’s methodology for attaining a purpose; How the motion was carried out.
Detections categorized as Basic, Tactic, or Method are grouped below the definition of Analytic Protection, which measures the answer’s potential to transform telemetry into actionable risk detections.
How did Sophos carry out on this analysis?
All through the analysis, MITRE executed three discrete assault situations (DPRK, CL0P, and LockBit), comprising a complete of 16 steps and 80 sub-steps.
Sophos XDR delivered spectacular outcomes, attaining:
- The best attainable (‘Method’) scores for 100% of adversary actions within the Home windows and Linux ransomware assault situations
- The best attainable (‘Method’) scores for 78 out of 80 whole adversary actions throughout all three complete situations
- ‘Analytic protection’ scores for 79 out of 80 whole adversary actions actions
Assault state of affairs 1: DPRK (macOS solely)
North Korea has emerged as a formidable cyber risk, and by increasing its focus to macOS, they’ve gained the flexibility to focus on and infiltrate extra high-value programs. On this assault state of affairs, the MITRE crew used a backdoor from a provide chain assault, adopted by persistence, discovery, and credential entry, ensuing within the assortment and exfiltration of system info and macOS keychain recordsdata.
This state of affairs comprised 4 steps with 21 sub-steps on macOS solely.
- Sophos XDR detected and offered wealthy ‘analytic’ protection for 20 out of 21 sub-steps (95%) on this state of affairs.
- 19 sub-steps have been assigned ‘Method’ degree categorization — the best attainable score.
Assault state of affairs 2: CL0P ransomware (Home windows)
Lively since at the very least 2019, CL0P is a ransomware household affiliated with the TA505 cyber-criminal risk actor (also referred to as Snakefly) and is broadly believed to be operated by Russian-speaking teams. The MITRE crew used evasion strategies, persistence, and an in-memory payload to carry out discovery and exfiltration earlier than executing ransomware.
This state of affairs comprised 4 steps with 19 sub-steps on Home windows solely.
- Sophos XDR detected and offered full ‘approach’ degree protection — the best attainable score — for 100% of sub-steps on this state of affairs.
Assault state of affairs 3: LockBit ransomware (Home windows and Linux)
Working on a Ransomware-as-a-Service (RaaS) foundation, LockBit is a infamous ransomware variant that has gained infamy for its refined instruments, extortion strategies, and high-severity assaults. The MITRE crew gained entry utilizing compromised credentials, finally deploying an exfiltration instrument and ransomware to cease digital machines and exfiltrate and encrypt recordsdata.
This state of affairs comprised 8 steps with 40 sub-steps on Home windows and Linux.
- Sophos XDR detected and offered full ‘approach’ degree protection — the best attainable score — for 100% of sub-steps on this state of affairs.
Study extra at sophos.com/mitre and discover the complete outcomes on the MITRE website.
How do Sophos’ outcomes examine to different individuals?
As a reminder, there’s no singular technique to interpret the outcomes of ATT&CK Evaluations, and you will note completely different charts, graphs, and different visualizations created by collaborating distributors that body the ends in other ways.
Detection high quality is essential for offering particulars on the adversary’s conduct so analysts can examine and reply shortly and effectively. Due to this fact, one of the vital beneficial methods to view the outcomes of ATT&CK® Evaluations is by evaluating the variety of sub-steps that generated a detection that offered wealthy element on the adversarial behaviors (analytic protection) and the variety of sub-steps that achieved full ‘approach’ degree protection.
MITRE doesn’t rank or fee individuals of ATT&CK Evaluations.
Easy methods to use the outcomes of MITRE ATT&CK Evaluations
When contemplating an EDR or prolonged detection and response (XDR) resolution, assessment the outcomes from ATT&CK Evaluations alongside different respected third-party proof factors, together with verified buyer critiques and analyst evaluations. Current third-party recognitions for Sophos XDR embody:
As you assessment the info obtainable within the MITRE portal for every collaborating vendor, think about the next questions as they pertain to you, your crew, and your group:
- Does the evaluated instrument show you how to establish threats?
- Does it current info to you the way in which you need it?
- Who might be utilizing the instrument? Tier 3 analysts? IT specialists or Sysadmins?
- How does the instrument allow you to conduct risk hunts?
- Are disparate occasions correlated? Is that performed mechanically, or do it is advisable do this by yourself?
- Can the EDR/XDR instrument combine with different expertise in your surroundings (e.g., firewall, electronic mail, cloud, identification, community, and so on.) together with options from different distributors?
- Are you planning to make use of the instrument by your self, or will you may have the assist of a Managed Detection and Response (MDR) companion?
Why we take part in MITRE ATT&CK Evaluations
MITRE ATT&CK Evaluations are among the many world’s most revered impartial safety exams as a result of emulation of real-world assault situations and transparency of outcomes. Sophos is dedicated to collaborating in these evaluations alongside among the greatest safety distributors within the {industry}. As a group, we’re united towards a typical enemy. These evaluations assist make us higher, individually and collectively, for the good thing about the organizations we defend.
Get began with Sophos XDR
Our outcomes on this newest analysis additional validate Sophos’ place as an industry-leading supplier of endpoint detection and response (EDR) and extended detection and response (XDR) capabilities to over 43,000 organizations worldwide.
Visit our website or speak with an expert to see how Sophos can streamline your detection and response and drive superior outcomes on your group in the present day.