Thursday, December 12, 2024

Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise – Sophos News


Spoiler alert! Sophos has once again achieved exceptional results in the latest 2024 MITRE ATT&CK Evaluations for Enterprise. In this round, Sophos XDR achieved:

  • The highest possible (‘Technique’) ratings for 100% of adversary activities in the Windows and Linux ransomware attack scenarios
  • The highest possible (‘Technique’) ratings for 78 out of 80 total adversary activities across all three scenarios
  • ‘Analytic coverage’ ratings for 79 out of 80 total adversary activities

The eagerly anticipated results of the sixth round of MITRE ATT&CK® Evaluations for Enterprise have been released, assessing the ability of 19 endpoint detection and response (EDR/XDR) solutions to accurately identify and report the malicious activities of sophisticated threat groups.

What are MITRE ATT&CK® Evaluations?

MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. They emulate the tactics, techniques, and procedures (TTPs) leveraged by real-world adversarial groups and evaluate each participating vendor’s ability to detect, analyze, and describe threats, with output aligned to the language and structure of the MITRE ATT&CK® Framework.

There is no singular way to interpret the results of ATT&CK Evaluations, and they are not intended to be competitive analyses. The results show what the evaluation observed and do not produce a “winner” or “leader” – despite what some vendors might like you to think!

There is nuance in the way each vendor’s tool works and how it presents information to the analyst using it, and your individual needs and preferences play an important role in determining which solution is best for you and your organization.

Learn about Sophos Extended Detection and Response (XDR)

Evaluation overview

This was the sixth round of ATT&CK Evaluations for Enterprise — MITRE’s product-focused evaluation — designed to help organizations better understand how endpoint detection and response (EDR) offerings like Sophos XDR can help them defend against sophisticated, multi-stage attacks.

This round focused on behaviors inspired by three known threat groups:

  • Democratic People’s Republic of Korea (DPRK)
    The evaluation emulated DPRK adversary behaviors targeting macOS via multi-stage operations, including privilege elevation and credential theft.
  • CL0P and LockBit ransomware
    The evaluation emulated behaviors prevalent across campaigns using CL0P and LockBit ransomware targeting Windows and Linux platforms, including the abuse of legitimate tools and the disabling of critical services.

Evaluation participants

Nineteen EDR/XDR solution vendors participated in this evaluation round (in alphabetical order):

MITRE ATT&CK® Evaluation participants

Understanding the results

Each adversary activity (referred to as a ‘sub-step’) emulated during the evaluation received one of the following ratings, indicating the solution’s ability to detect, analyze, and describe the adversary activity, with output aligned to the language and structure of the MITRE ATT&CK® Framework.

  • Not applicable — a “miss”: The adversary activity was not detected, or the evaluation for the sub-step was not completed.
  • None: Execution of the sub-step was successful; however, the evidence provided did not meet the documented Detection Criteria, or no evidence of Red Team activity was provided.
  • General: The solution autonomously identified that the malicious/suspicious event(s) occurred and reported the What, Where, When, and Who.
  • Tactic: In addition to meeting the criteria for a ‘General’ rating, the solution also provided information on the attacker’s potential intent; the Why, aligned to MITRE ATT&CK Tactics.
  • Technique — the highest possible rating: In addition to meeting the criteria for a ‘Tactic’ rating, the solution also provided details on the attacker’s method for achieving a goal; How the action was performed.

Detections classified as General, Tactic, or Technique are grouped under the definition of Analytic Coverage, which measures the solution’s ability to convert telemetry into actionable threat detections.
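The rating scale above is ordinal: Technique implies Tactic, which implies General, and only those three count as analytic coverage. The following Python is an added example (not code from Sophos or MITRE) that models that scale and aggregates per-sub-step ratings into the per-scenario and overall counts a reader would want when comparing vendors. The input format is a simplified `(scenario, sub_step_id, rating_label)` tuple that I constructed; it is not MITRE’s published results schema. The sample data is likewise constructed so that it reproduces only the aggregate counts this page reports for Sophos XDR (78/80 Technique, 79/80 analytic coverage); it does not reflect which real sub-steps received which rating.

```python
from enum import IntEnum


class Rating(IntEnum):
    """Detection categories in ascending order, as listed in the evaluation."""
    NOT_APPLICABLE = 0  # a "miss": not detected or sub-step not completed
    NONE = 1            # ran, but evidence did not meet the Detection Criteria
    GENERAL = 2         # What, Where, When, Who
    TACTIC = 3          # General + Why (ATT&CK tactic)
    TECHNIQUE = 4       # Tactic + How (ATT&CK technique); highest rating


# Labels as they might appear in a results export (assumed spellings, case-insensitive).
_LABELS = {
    "not applicable": Rating.NOT_APPLICABLE,
    "n/a": Rating.NOT_APPLICABLE,
    "none": Rating.NONE,
    "general": Rating.GENERAL,
    "tactic": Rating.TACTIC,
    "technique": Rating.TECHNIQUE,
}


def parse_rating(label):
    """Map a rating label to the ordinal scale; unknown labels are an error, not a miss."""
    key = label.strip().lower()
    if key not in _LABELS:
        raise ValueError(f"unknown rating label: {label!r}")
    return _LABELS[key]


def is_analytic(rating):
    """Analytic coverage = General, Tactic or Technique (anything at or above General)."""
    return rating >= Rating.GENERAL


def summarize(records):
    """Aggregate (scenario, sub_step_id, rating_label) tuples.

    Returns {scenario: {"substeps", "analytic", "technique", "analytic_pct", "technique_pct"}}
    plus a "TOTAL" entry across all scenarios. Duplicate sub-step ids are rejected so a
    double-counted export cannot inflate coverage.
    """
    seen = set()
    counts = {}
    for scenario, sub_step_id, label in records:
        if sub_step_id in seen:
            raise ValueError(f"duplicate sub-step id: {sub_step_id}")
        seen.add(sub_step_id)
        rating = parse_rating(label)
        for bucket in (scenario, "TOTAL"):
            c = counts.setdefault(bucket, {"substeps": 0, "analytic": 0, "technique": 0})
            c["substeps"] += 1
            c["analytic"] += int(is_analytic(rating))
            c["technique"] += int(rating == Rating.TECHNIQUE)
    for c in counts.values():
        c["analytic_pct"] = round(100.0 * c["analytic"] / c["substeps"], 1)
        c["technique_pct"] = round(100.0 * c["technique"] / c["substeps"], 1)
    return counts


def constructed_results():
    """Constructed sample: 21 + 19 + 40 = 80 sub-steps whose aggregates match the page."""
    per_scenario = {
        "DPRK": ["Technique"] * 19 + ["Tactic", "None"],      # 20/21 analytic, 19 Technique
        "CL0P": ["Technique"] * 19,                            # 19/19 Technique
        "LockBit": ["Technique"] * 40,                         # 40/40 Technique
    }
    records = []
    for scenario, labels in per_scenario.items():
        for i, label in enumerate(labels, start=1):
            records.append((scenario, f"{scenario}-{i}", label))
    return records


if __name__ == "__main__":
    for name, c in summarize(constructed_results()).items():
        print(f"{name:8} sub-steps={c['substeps']:3} analytic={c['analytic']:3} "
              f"({c['analytic_pct']}%) technique={c['technique']:3} ({c['technique_pct']}%)")
```

Because `Rating` is an `IntEnum`, the analytic-coverage test is a single ordinal comparison rather than a hard-coded set, so a rating that sits above General is counted correctly even if the scale is extended. When comparing vendors, run the same `summarize` over each vendor’s export so that every chart you produce is derived from one consistent definition of “analytic” and “technique” rather than from each vendor’s framing.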

How did Sophos perform in this evaluation?

Throughout the evaluation, MITRE executed three discrete attack scenarios (DPRK, CL0P, and LockBit), comprising a total of 16 steps and 80 sub-steps.

Sophos XDR delivered impressive results, achieving:

  • The highest possible (‘Technique’) ratings for 100% of adversary activities in the Windows and Linux ransomware attack scenarios
  • The highest possible (‘Technique’) ratings for 78 out of 80 total adversary activities across all three scenarios
  • ‘Analytic coverage’ ratings for 79 out of 80 total adversary activities

 

Attack scenario 1: DPRK (macOS only)
North Korea has emerged as a formidable cyber threat, and by expanding its focus to macOS, it has gained the ability to target and infiltrate additional high-value systems. In this attack scenario, the MITRE team used a backdoor delivered through a supply chain attack, followed by persistence, discovery, and credential access, resulting in the collection and exfiltration of system information and macOS keychain data.

This scenario comprised 4 steps with 21 sub-steps on macOS only.

  • Sophos XDR detected and provided rich ‘analytic’ coverage for 20 out of 21 sub-steps (95%) in this scenario.
  • 19 sub-steps were assigned ‘Technique’ level categorization — the highest possible rating.

 

Attack scenario 2: CL0P ransomware (Windows)
Active since at least 2019, CL0P is a ransomware family affiliated with the TA505 cyber-criminal threat actor (also known as Snakefly) and is widely believed to be operated by Russian-speaking groups. The MITRE team used evasion techniques, persistence, and an in-memory payload to perform discovery and exfiltration before executing the ransomware.

This scenario comprised 4 steps with 19 sub-steps on Windows only.

  • Sophos XDR detected and provided full ‘technique’ level coverage — the highest possible rating — for 100% of sub-steps in this scenario.

 

Attack scenario 3: LockBit ransomware (Windows and Linux)
Operating on a Ransomware-as-a-Service (RaaS) basis, LockBit is a notorious ransomware variant that has gained infamy for its sophisticated tools, extortion techniques, and high-severity attacks. The MITRE team gained access using compromised credentials, ultimately deploying an exfiltration tool and ransomware to stop virtual machines and to exfiltrate and encrypt data.

This scenario comprised 8 steps with 40 sub-steps on Windows and Linux.

  • Sophos XDR detected and provided full ‘technique’ level coverage — the highest possible rating — for 100% of sub-steps in this scenario.

Learn more at sophos.com/mitre and explore the full results on the MITRE website.

How do Sophos’ results compare to other participants?

As a reminder, there is no singular way to interpret the results of ATT&CK Evaluations, and you will see different charts, graphs, and other visualizations created by participating vendors that frame the results in different ways.

Detection quality is critical for providing details on the adversary’s behavior so analysts can investigate and respond quickly and efficiently. Therefore, one of the most valuable ways to view the results of ATT&CK® Evaluations is by comparing the number of sub-steps that generated a detection providing rich detail on the adversarial behaviors (analytic coverage) and the number of sub-steps that achieved full ‘technique’ level coverage.

MITRE ATT&CK Evaluation vendor performance

MITRE does not rank or rate participants of ATT&CK Evaluations.

How to use the results of MITRE ATT&CK Evaluations

When considering an EDR or extended detection and response (XDR) solution, compare the results from ATT&CK Evaluations alongside other reputable third-party proof points, including verified customer reviews and analyst evaluations. Recent third-party recognitions for Sophos XDR include:

As you compare the data available in the MITRE portal for each participating vendor, consider the following questions as they pertain to you, your team, and your organization:

  • Does the evaluated tool help you identify threats?
  • Does it present information to you the way you want it?
  • Who will be using the tool? Tier 3 analysts? IT generalists or sysadmins?
  • How does the tool enable you to conduct threat hunts?
  • Are disparate events correlated? Is that done automatically, or do you need to do it on your own?
  • Can the EDR/XDR tool integrate with other technology in your environment (e.g., firewall, email, cloud, identity, network, etc.), including solutions from other vendors?
  • Are you planning to use the tool by yourself, or will you have the support of a Managed Detection and Response (MDR) partner?

Why we participate in MITRE ATT&CK Evaluations

MITRE ATT&CK Evaluations are among the world’s most respected independent security tests due to their emulation of real-world attack scenarios and the transparency of their results. Sophos is committed to participating in these evaluations alongside some of the best security vendors in the industry. As a community, we are united against a common enemy. These evaluations help make us better, individually and collectively, for the benefit of the organizations we protect.

Get started with Sophos XDR

Our results in this latest evaluation further validate Sophos’ position as an industry-leading provider of endpoint detection and response (EDR) and extended detection and response (XDR) capabilities to over 43,000 organizations worldwide.

Visit our website or speak with an expert to see how Sophos can streamline your detection and response and drive superior outcomes for your organization today.
