MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products
MITRE Corporation’s ATT&CK framework has been used to evaluate enterprise security products from several vendors in order to determine how effective they are at detecting and responding to attacks launched by sophisticated threat groups.
MITRE is a not-for-profit corporation involved in federally funded research and development projects in a variety of areas, including cybersecurity. Its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix is a framework that describes the tactics used by adversaries, including persistence, privilege escalation, defense evasion, credential access, discovery, collection, lateral movement, command and control, and execution.
Earlier this year, the organization announced that it was giving cybersecurity solutions providers the chance to have their products evaluated against the ATT&CK framework, specifically against an emulation plan that reproduces activities known to have been carried out by a threat group tracked as APT3.
APT3, linked by researchers to the Chinese Ministry of State Security (MSS), is also known as UPS Team, Gothic Panda, Buckeye and TG-0110. The group has been active since at least 2009, targeting organizations in the United States and elsewhere using spear-phishing, zero-day exploits, and various other methods.
In the first round of evaluations conducted by MITRE, the threat actor’s tactics and techniques were tested against products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne.
Unlike other evaluations, the MITRE ATT&CK testing does not provide scores or rankings, and it is difficult to make a direct comparison between the products using the results. Instead, the goal is to show how a product’s capabilities can detect the different types of malicious activity typically carried out by attackers once they have gained access to an organization’s systems. The tests are also designed to help vendors improve their tools and coverage.
For example, the results of the evaluation show how some of the products failed to detect that the attacker used the Cobalt Strike tool to steal access tokens and escalate privileges. A different product managed to detect the attempt using a combination of telemetry and behavioral indicators.
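To make the distinction between "telemetry" and a "behavioral indicator" concrete, the following added example (written for this article; it is not MITRE's evaluation code nor any vendor's detection logic) correlates two signals over constructed, Sysmon-like endpoint events: a raw telemetry clue (a process opening a handle to a privileged process with query rights, which is what a token-stealing tool needs before it can duplicate the target's token) and a behavioral clue (a child process running as a different account than its parent, which is what a stolen token looks like from the outside). The event schema, the access-mask heuristic and the list of privileged target processes are simplifying assumptions, not facts from the evaluation.

```python
"""Correlate endpoint telemetry with a behavioral indicator to flag
suspected access-token theft used for privilege escalation.

Added illustration only: not MITRE's or any vendor's detection logic.
The event records are constructed, Sysmon-like dictionaries with a
simplified schema; the access-mask and user-mismatch heuristics are
assumptions about what a token-stealing tool leaves in telemetry.
"""
from collections import defaultdict

# Constructed sample telemetry (not captured from a real host).
# "process_access": one process opened a handle to another.
# "process_create": a new process started, with its parent pid and the
# account it runs as.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4001, "image": "beacon.exe",
     "user": "CORP\\alice", "ppid": 3000},
    {"type": "process_access", "source_pid": 4001, "target_pid": 612,
     "target_image": "winlogon.exe", "granted_access": 0x1400},
    {"type": "process_create", "pid": 4002, "image": "cmd.exe",
     "user": "NT AUTHORITY\\SYSTEM", "ppid": 4001},
    # Benign: a user-launched program spawning a child as the same user.
    {"type": "process_create", "pid": 5001, "image": "explorer.exe",
     "user": "CORP\\bob", "ppid": 1},
    {"type": "process_create", "pid": 5002, "image": "notepad.exe",
     "user": "CORP\\bob", "ppid": 5001},
]

# Assumption: PROCESS_QUERY_INFORMATION (0x0400) or
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) on a privileged process is
# the minimum a tool needs before it can open and duplicate that
# process's token, so a handle with these rights is the raw telemetry clue.
QUERY_RIGHTS = 0x0400 | 0x1000
PRIVILEGED_TARGETS = {"winlogon.exe", "lsass.exe", "services.exe"}


def telemetry_hits(events):
    """Raw telemetry: handles to privileged processes with query rights.

    Returns {source_pid: [target_image, ...]}.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] != "process_access":
            continue
        if ev["target_image"].lower() not in PRIVILEGED_TARGETS:
            continue
        if ev["granted_access"] & QUERY_RIGHTS:
            hits[ev["source_pid"]].append(ev["target_image"])
    return dict(hits)


def behaviour_hits(events):
    """Behavioral indicator: a child process running under a different
    account than its parent.

    Returns {parent_pid: [(child_image, child_user), ...]}.
    """
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    hits = defaultdict(list)
    for ev in by_pid.values():
        parent = by_pid.get(ev["ppid"])
        if parent is not None and parent["user"] != ev["user"]:
            hits[parent["pid"]].append((ev["image"], ev["user"]))
    return dict(hits)


def detect_token_theft(events):
    """Combine both signals: a process that opened a privileged process
    for query and then spawned a child as another account.

    Returns a list of findings naming the suspect process and its evidence.
    Either signal alone is noisy; requiring both is what turns raw
    telemetry into a behavioral detection.
    """
    tele = telemetry_hits(events)
    beh = behaviour_hits(events)
    names = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    findings = []
    for pid in sorted(set(tele) & set(beh)):
        findings.append({
            "pid": pid,
            "image": names.get(pid, "?"),
            "opened": tele[pid],
            "spawned": beh[pid],
        })
    return findings


if __name__ == "__main__":
    for f in detect_token_theft(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) opened {f['opened']} "
              f"then spawned {f['spawned']}")
```

Running the script reports only pid 4001 (`beacon.exe`): it is the one process that both opened `winlogon.exe` for query and then launched `cmd.exe` as SYSTEM, while the benign `explorer.exe` lineage produces neither signal. A product that records only the handle-open event has the telemetry but no detection; a product that also evaluates the parent/child account mismatch can raise an alert, which is the kind of difference the evaluation results surface.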
It is also worth noting that MITRE communicates openly with vendors during these evaluations.
“We announce the techniques as they are executed, and the vendor can ask us details about how the procedures were implemented,” MITRE’s Frank Duff explained. “The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”
MITRE pointed out that its evaluations focus on the technical ability of a product to detect malicious behavior.
“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”