MITRE ATT&CK and Cybereason

Front-runner results from the R3 Evaluation (Carbanak & FIN7)

Cybereason achieved:

MITRE-Hero-Updated-Hero-Stats

This year’s evaluation emulated threat groups Carbanak and FIN7, who are known to attack banks, retail, and the hospitality sectors. As adversaries who attack financial organizations, it’s not surprising that the evaluation tested stealthy techniques including scripting, obfuscation, “living off the land” and -- new this year -- attacks against Linux systems.

Get the highlights of the Cybereason Defense Platform below.

Demo Cybereason ATT&CK Mapping Capabilities

MITRE ATT&CK 101

Attacks are sophisticated, malware is multi-stage and it is nearly impossible to predict what form threats take once they enter the environment. As a counter to the chaos, MITRE created the ATT&CK knowledge base (short for Adversarial Tactics, Techniques and Common Knowledge), which catalogs attacker behaviors at a tactical level into a standardized framework.

MITRE ATT&CK has quickly emerged as the industry standard framework for EDR & XDR. Each year, vendors submit their solutions for evaluation of mapping and effectiveness against the ATT&CK framework. MITRE recently concluded Round 3 (R3) of their evaluations. This iteration of the ATT&CK evaluations focused on emulating the Carbanak and FIN7 threat actor groups, which primarily target large financial services, retail, restaurant, and hospitality institutions.

Mitre Attack

Highlights of Cybereason in the R3 ATT&CK Evaluation:

Vendor evaluations against the MITRE ATT&CK knowledge base are incredibly useful for separating the smoke and mirrors of marketing from a product’s real-world ability to perform under demanding field conditions.

In a crowded field - Cybereason excels

Not every vendor participated in the protection portion of the evaluation, meaning the solution likely lacks the ability to block malicious executions. Preventing advanced malicious activity greatly reduces the threat surface and ability of attackers to exploit, escalate and exfiltrate data over time.

The Cybereason platform reliably prevents more threats and most effectively ends cyber attacks.

98% coverage of deeper “technique” activity

54 attacker techniques were in the scope of the R3 ATT&CK evaluation, which tested vendor’s abilities to defend against advanced malware, living-off-the-land techniques, lateral movement and command & control activities.

The Cybereason platform had coverage of 100% of techniques within the scope of the evaluation - meaning enriched, correlated and comprehensive detections.

100% Prevention & Detection - Linux

New to R3 was expansion beyond Windows capabilities to include protection and detection on Linux-based systems. Feature parity across operating systems both new and old is a known challenge in the industry. What works great in Windows often doesn’t function in Mac or Linux.

The Cybereason platform delivers repeatable, trusted results across varying OS configurations.

Effective and mapped to ATT&CK out-of-the box

It’s not uncommon for vendors to put their best foot forward and submit a highly adjusted, custom-configured and amplified version of their product for the ATT&CK evaluation. Cybereason had among the lowest number of special configurations to the solution evaluated in the R3 of ATT&CK - with 94% of ATT&CK detections generated without additional required tuning.

Defenders can expect high-fidelity detections against the ATT&CK framework from the out-of-the-box (OOTB) Cybereason solution.

Real-time detections - no delays

In addition to analyzing the depth of the detection in evaluations (telemetry, tactic, technique), ATT&CK detections are also differentiated by delayed vs. real-time. Broad mapping against ATT&CK may mean eventual visibility, but that visibility is tainted by the delay and security teams are late to act for response and recovery.

The Cybereason platform generated 99% of ATT&CK detections in real-time - meaning defenders see adversary activity as it occurs and before escalation.

cr-mitre-r3-table