Spoiler alert! Sophos has as soon as once more achieved distinctive leads to the most recent 2024 MITRE ATT&CK Evaluations for Enterprise. On this spherical, Sophos XDR achieved:
- The very best attainable (‘Approach’) rankings for 100% of adversary actions within the Home windows and Linux ransomware assault situations
- The very best attainable (‘Approach’) rankings for 78 out of 80 whole adversary actions throughout all three complete situations
- ‘Analytic protection’ rankings for 79 out of 80 whole adversary actions actions
The eagerly anticipated outcomes of the sixth spherical of MITRE ATT&CK® Evaluations for Enterprise have been launched, assessing the power of 19 endpoint detection and response (EDR/XDR) options to precisely determine and report the malicious actions of refined menace teams.
Watch this brief video for an summary of the analysis:
What are MITRE ATT&CK® Evaluations?
MITRE ATT&CK® Evaluations are among the many world’s most revered impartial safety checks. They emulate the techniques, methods, and procedures (TTPs) leveraged by real-world adversarial teams and consider every taking part vendor’s skill to detect, analyze, and describe threats, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
There isn’t any singular technique to interpret the outcomes of ATT&CK Evaluations, and they aren’t meant to be aggressive analyses. The outcomes present what the analysis noticed and don’t lead to a “winner” or “chief” – regardless of what some distributors would possibly such as you to suppose!
There may be nuance within the methods every vendor’s instrument works and the way it presents data to the analyst utilizing it, and your particular person wants and preferences play an important position in figuring out which answer is finest for you and your staff. Study Sophos Prolonged Detection and Response (XDR)
Analysis overview
This was the sixth spherical of ATT&CK Evaluations for Enterprise — MITRE’s product-focused analysis — designed to assist organizations higher perceive how endpoint detection and response (EDR) choices like Sophos XDR can assist them defend towards refined, multi-stage assaults.
This spherical targeted on behaviors impressed by three identified menace teams:
- Democratic Folks’s Republic of Korea (DPRK)
The analysis emulated DPRK’s adversary behaviors focusing on macOS by way of multi-stage operations, together with elevating privileges and credential theft. - CL0P and LockBit Ransomware
The analysis emulated behaviors prevalent throughout campaigns utilizing CL0P and LockBit ransomware focusing on Home windows and Linux platforms, together with the abuse of respectable instruments and disabling essential providers.
Analysis individuals
Nineteen EDR/XDR answer distributors participated on this analysis spherical (in alphabetical order):
Understanding the outcomes
Every adversary exercise (referred to as a ‘sub-step’) emulated through the analysis acquired one of many following rankings, indicating the answer’s skill to detect, analyze, and describe the adversary exercise, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
- Not relevant — a “miss”: The adversary exercise was not detected or the analysis for the sub-step was not accomplished.
- None: Execution of the sub step was profitable; nonetheless, proof offered didn’t meet the documented Detection Standards, or there was no proof of Crimson Staff exercise offered.
- Normal: The answer autonomously recognized that the malicious/suspicious occasion(s) occurred and reported the What, The place, When, and Who.
- Tactic: Along with assembly the factors for a ‘Normal’ score, the answer additionally offered data on the attacker’s potential intent; the Why, aligned to MITRE ATT&CK Ways.
- Approach — the very best attainable score: Along with assembly the factors for a ‘Tactic’ score, the answer additionally offered particulars on the attacker’s methodology for attaining a purpose; How the motion was carried out.
Detections categorised as Normal, Tactic, or Approach are grouped below the definition of Analytic Protection, which measures the answer’s skill to transform telemetry into actionable menace detections.
How did Sophos carry out on this analysis?
All through the analysis, MITRE executed three discrete assault situations (DPRK, CL0P, and LockBit), comprising a complete of 16 steps and 80 sub-steps.
Sophos XDR delivered spectacular outcomes, attaining:
- The very best attainable (‘Approach’) rankings for 100% of adversary actions within the Home windows and Linux ransomware assault situations
- The very best attainable (‘Approach’) rankings for 78 out of 80 whole adversary actions throughout all three complete situations
- ‘Analytic protection’ rankings for 79 out of 80 whole adversary actions actions
Assault situation 1: DPRK (macOS solely)
North Korea has emerged as a formidable cyber menace, and by increasing its focus to macOS, they’ve gained the power to focus on and infiltrate further high-value programs. On this assault situation, the MITRE staff used a backdoor from a provide chain assault, adopted by persistence, discovery, and credential entry, ensuing within the assortment and exfiltration of system data and macOS keychain information.
This situation comprised 4 steps with 21 sub-steps on macOS solely.
- Sophos XDR detected and offered wealthy ‘analytic’ protection for 20 out of 21 sub-steps (95%) on this situation.
- 19 sub-steps had been assigned ‘Approach’ stage categorization — the very best attainable score.
Assault situation 2: CL0P ransomware (Home windows)
Energetic since a minimum of 2019, CL0P is a ransomware household affiliated with the TA505 cyber-criminal menace actor (also called Snakefly) and is extensively believed to be operated by Russian-speaking teams. The MITRE staff used evasion methods, persistence, and an in-memory payload to carry out discovery and exfiltration earlier than executing ransomware.
This situation comprised 4 steps with 19 sub-steps on Home windows solely.
- Sophos XDR detected and offered full ‘method’ stage protection — the very best attainable score — for 100% of sub-steps on this situation.
Assault situation 3: LockBit ransomware (Home windows and Linux)
Working on a Ransomware-as-a-Service (RaaS) foundation, LockBit is a infamous ransomware variant that has gained infamy for its refined instruments, extortion strategies, and high-severity assaults. The MITRE staff gained entry utilizing compromised credentials, in the end deploying an exfiltration instrument and ransomware to cease digital machines and exfiltrate and encrypt information.
This situation comprised 8 steps with 40 sub-steps on Home windows and Linux.
- Sophos XDR detected and offered full ‘method’ stage protection — the very best attainable score — for 100% of sub-steps on this situation.
Be taught extra at sophos.com/mitre and discover the complete outcomes on the MITRE web site.
How do Sophos’ outcomes examine to different individuals?
As a reminder, there’s no singular technique to interpret the outcomes of ATT&CK Evaluations, and you will note totally different charts, graphs, and different visualizations created by taking part distributors that body the leads to other ways.
Detection high quality is essential for offering particulars on the adversary’s habits so analysts can examine and reply rapidly and effectively. Subsequently, one of the vital precious methods to view the outcomes of ATT&CK® Evaluations is by evaluating the variety of sub-steps that generated a detection that offered wealthy element on the adversarial behaviors (analytic protection) and the variety of sub-steps that achieved full ‘method’ stage protection.
MITRE doesn’t rank or charge individuals of ATT&CK Evaluations.
Tips on how to use the outcomes of MITRE ATT&CK Evaluations
When contemplating an EDR or prolonged detection and response (XDR) answer, assessment the outcomes from ATT&CK Evaluations alongside different respected third-party proof factors, together with verified buyer opinions and analyst evaluations. Current third-party recognitions for Sophos XDR embrace:
As you assessment the info out there within the MITRE portal for every taking part vendor, take into account the next questions as they pertain to you, your staff, and your group:
- Does the evaluated instrument make it easier to determine threats?
- Does it current data to you the way in which you need it?
- Who will likely be utilizing the instrument? Tier 3 analysts? IT specialists or Sysadmins?
- How does the instrument allow you to conduct menace hunts?
- Are disparate occasions correlated? Is that carried out mechanically, or do it’s worthwhile to do this by yourself?
- Can the EDR/XDR instrument combine with different expertise in your atmosphere (e.g., firewall, e-mail, cloud, id, community, and many others.) together with options from different distributors?
- Are you planning to make use of the instrument by your self, or will you might have the assist of a Managed Detection and Response (MDR) associate?
Why we take part in MITRE ATT&CK Evaluations
MITRE ATT&CK Evaluations are among the many world’s most revered impartial safety checks as a result of emulation of real-world assault situations and transparency of outcomes. Sophos is dedicated to taking part in these evaluations alongside among the finest safety distributors within the {industry}. As a neighborhood, we’re united towards a standard enemy. These evaluations assist make us higher, individually and collectively, for the good thing about the organizations we defend.
Get began with Sophos XDR
Our outcomes on this newest analysis additional validate Sophos’ place as an industry-leading supplier of endpoint detection and response (EDR) and prolonged detection and response (XDR) capabilities to over 43,000 organizations worldwide.
Go to our web site or communicate with an professional to see how Sophos can streamline your detection and response and drive superior outcomes to your group at the moment.
