MITRE ATT&CK: Wizard Spider and Sandworm Evaluations Explained
MITRE is the preeminent third-party security solution evaluator. We explain the key metrics to look for in their upcoming Enterprise ATT&CK Evaluation...
Greg Day
When I started in anti-virus back in 1991, the solution was simple: find a unique identifier to detect the malware, then you could block it and if needed instigate the right programmatic steps to recover. Alan Solomon would say it's a math problem, we have the solution, and we can scale it infinitely. However, over the years threats, the solutions and the environments we deploy them into have become ever more complex. We have moved from file viruses that were one simple object to complex multifaceted ransomware attacks made up of hundreds of elements. Just as an example if you look at the latest MITRE testing, it used Turla which is made up of 143 objects (Indicators & behaviors linked to the attack).
Every day I hear people say “All vendors are the same, the market is saturated, etc."
Having been involved in the anti-virus, now endpoint protection space for over 30 years I can tell you we have come from those early days with simple anti-virus with Alan. Detecting threats requires numerous different techniques, a mixture of pattern matching, behavioral analytics, and machine learning techniques. Differing threats requiring differing, specific techniques. Behavioral detection can be extremely complex as it requires interacting with volatile processes in memory in many instances.
So when I hear such complacency for endpoint security it leaves me frustrated, as I know how hard so many engineers, programmers, and researchers work to keep pace and, dare I say it, try and get ahead of the threats.
Some vendors are on an evolutionary path, they started from that antivirus background and have over the years added in more and more new capabilities. Others are on more of a revolutionary path. What do I mean by this?
Well, the obvious goal is always to stop the attack, which is the typical evolution. The challenge is that today's threats are so complex, their likelihood of getting through is higher than ever. Part of this comes down to the shift from binary detection methods, such as pattern matching. A simple Yes or No, it's Good or it's Bad. To behavioral matching, which is akin to it could be good or it could be bad. This latter approach is increasingly relied on with even more unique, complex threats.
I remember in 1991 with the advent of polymorphic viruses (code that changed on each replication) with the goal of rendering signature detection inert. Thankfully, by looking at the decryptor loader rather than the threat first we could decode the attack so that pattern matching would work. Yet post turn of the century metamorphic / self modifying threats that truly mean the need to lean on behavioral and machine learning techniques.
Like everything in life, we learn through experience, which is why I focus on those that have evolved organically with the threat vs. those that have been revolutionary. In the last decade, the Endpoint Detection and Response (EDR) market has significantly grown.
When either prevention doesn’t work, or more commonly, because the detection was only a partial behavior, it was simply flagged rather than blocked as the trust in the detection wasn’t high enough. We rely on EDR solutions to gather the evidence to verify or identify the threat and understand how to block it.
If something wasn’t prevented, it means that your current controls need to evolve, and the natural way to do this is to learn from what you missed, why you missed it so you can stop it from happening next time.
As such, with increasingly complex threats, the first question should be just how much of the threat could you actually see? The more of the threat you can see, the more confidence you will have in verifying it is actually good or bad, which ultimately provides you with a wider array of methods to identify threats. I.e. Your detection coverage.
Going forward, I see revolutionary endpoint solutions (those starting from an EDR background) becoming even more important. Solutions that start by looking at what is being missed and leveraging these learnings dynamically back into their protection capabilities. Like humans, endpoint security can only evolve when it fails, therefore a truly good endpoint solution must have both EDR and prevention capabilities that are truly intertwined.
Next time someone tells you all endpoint solutions are the same, don’t take it on face value, ask yourself the following questions?
Visibility - How well does each solution do in terms of seeing the whole attack end to end? This is key both in terms of learning and also confidence in blocking particularly with behavioral based techniques.
Detection - How much of the attack could actually be blocked by the vendor. Do you want to put all of your prevention in one metaphorical basket? Or does it make sense to have multiple points to stop the attack. The answer I would suggest is a no brainer!
Evolutionary vs. Revolutionary - I know this seems like the chicken and egg question. But in fact the answer is much simpler. Improving endpoint security relies on learning from what got by and as such if you look at the most recent test results from MITRE you see those that have come from an EDR background score higher. They are quicker in taking learnings and turning them into the next levels of prevention. It's a virtuous circle that is key to endpoint security. What's also typical is that these solutions typically require less out of the box turning.
So next time when someone tells you all endpoints are the same, do yourself a favor, challenge that perception and think of the hard work that goes into keeping pace with the ever evolving and increasingly complex threats and the challenge of ensuring endpoints are secure against them.
Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.
MITRE is the preeminent third-party security solution evaluator. We explain the key metrics to look for in their upcoming Enterprise ATT&CK Evaluation...
Things escalated even further in June of 2021, when public sector entities experienced 10 times as many ransomware attempts as organizations in other sectors, an increase of 917% year over year...
MITRE is the preeminent third-party security solution evaluator. We explain the key metrics to look for in their upcoming Enterprise ATT&CK Evaluation...
Things escalated even further in June of 2021, when public sector entities experienced 10 times as many ransomware attempts as organizations in other sectors, an increase of 917% year over year...
Get the latest research, expert insights, and security industry news.
Subscribe