The MITRE Corporation operates a US Government federally funded research and development center (FFRDC), and MITRE Engenuity is a foundation dedicated to using the research and technology developed there for the public good.
One of the services that MITRE Engenuity provides is MITRE ATT&CK evaluations. These exercises simulate attacks by major cyber threat actors based on the threat intelligence collected in the MITRE ATT&CK framework.
The MITRE ATT&CK framework is a tool to increase understanding of cyber threats and the cyberattack lifecycle by breaking this lifecycle into fourteen stages called Tactics. Each of these Tactics describes a particular objective that an attacker may need to achieve during an attack. Example Tactics include Initial Access, Privilege Escalation, and Lateral Movement.
Under each Tactic, MITRE ATT&CK describes the methods by which an attacker could accomplish that goal in Techniques and Sub-Techniques. Each Technique is a distinct method of achieving the goal, and each Technique can have zero or more Sub-Techniques based on whether there are multiple ways of carrying it out. For example, the Brute Force Technique under Credential Access has four Sub-Techniques (Password Guessing, Password Cracking, Password Spraying, and Credential Stuffing).
Each MITRE ATT&CK Technique and Sub-Technique has its own page describing how the attack works, affected platforms, detection mechanisms, and mitigations. It also includes a listing of the malware, tools, and threat actors known to use the Technique or Sub-Technique, which is based on threat intelligence data and vital for MITRE Engenuity.
The MITRE Engenuity ATT&CK Evaluations are intended to provide an independent third-party assessment of cybersecurity vendors’ products and their ability to protect against cyber threats. Using the MITRE ATT&CK framework as a guide, MITRE Engenuity can perform a structured and comprehensive evaluation of whether a product can detect or prevent a particular type of attack.
MITRE Engenuity does not provide rankings, scores, or ratings of the products that they analyze. Their objective is to highlight the differences in approach that various cybersecurity vendors take to cyber threat detection and prevention, and whether those approaches effectively protect against cyber threats.
The MITRE ATT&CK framework includes a Procedures section in each Technique or Sub-Technique page that describes the tools, malware, and threat actors known to use that particular method. Each of these entities also has its own page that provides a description of it and a complete listing of the Techniques and Sub-Techniques that they have been observed to use in the wild.
MITRE Engenuity’s annual evaluations are structured around these collections of known Techniques employed by threat actors. Each year, MITRE Engenuity selects two advanced persistent threat (APT) groups and emulates their tactics and techniques based on the MITRE ATT&CK framework. This provides a realistic evaluation of the solution’s ability to detect and protect against the attacks by the simulated APTs.
Unbiased, realistic assessments of the effectiveness of cybersecurity solutions are difficult to perform. Cyberattacks are complex and the realism of a simulation can be undermined by even small mistakes.
The MITRE Engenuity Evaluations are invaluable because they provide an independent third-party test of security solutions against highly realistic simulated attacks. The MITRE Engenuity simulations are built using the information contained within the MITRE ATT&CK framework, which describes the attack chains commonly used by different threat actors.
Each MITRE Engenuity ATT&CK simulation only covers the tactics and techniques used by a few threat actors. However, there is often overlap between groups (such as the use of phishing for initial access), and each annual evaluation focuses on different threat groups. This combination means that a high score in the ATT&CK evaluations demonstrates strong protection against real-world threats, and consistent high scores across multiple evaluations show highly effective and comprehensive cyber threat protection.
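The Tactic / Technique / Sub-Technique hierarchy, the per-group "Procedures" listings, and the overlap between groups described above can be modelled in a few lines. The following is an added example written for this page; it is not code or data from MITRE or Check Point. The tactic and technique IDs (TA0001, TA0006, T1110, T1110.001 to T1110.004, T1566) are real ATT&CK identifiers, but the group-to-technique mappings are constructed sample data for fictional groups, not real threat intelligence, and the `detection_coverage` function is an assumed simplification of how "unique techniques detected" might be counted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Technique IDs look like T1110 (technique) or T1110.003 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    tactic: str                    # tactic ID this technique belongs to
    parent: Optional[str] = None   # parent technique ID, set only for sub-techniques


# Real ATT&CK tactic IDs for tactics named in the article.
TACTICS: Dict[str, str] = {
    "TA0001": "Initial Access",
    "TA0004": "Privilege Escalation",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
}

# Real ATT&CK IDs for Brute Force and its four sub-techniques, plus Phishing
# (the initial-access overlap the article mentions).
TECHNIQUES: Dict[str, Technique] = {t.id: t for t in (
    Technique("T1566", "Phishing", "TA0001"),
    Technique("T1110", "Brute Force", "TA0006"),
    Technique("T1110.001", "Password Guessing", "TA0006", "T1110"),
    Technique("T1110.002", "Password Cracking", "TA0006", "T1110"),
    Technique("T1110.003", "Password Spraying", "TA0006", "T1110"),
    Technique("T1110.004", "Credential Stuffing", "TA0006", "T1110"),
)}

# CONSTRUCTED "Procedures" data for two fictional groups. Not real threat
# intelligence about any actual threat actor.
PROCEDURES: Dict[str, Set[str]] = {
    "Example Group A": {"T1566", "T1110.003"},
    "Example Group B": {"T1566", "T1110.001", "T1110.004"},
}


def is_technique_id(value: str) -> bool:
    """True if value has the shape of an ATT&CK technique or sub-technique ID."""
    return TECHNIQUE_ID.match(value) is not None


def parent_id(technique_id: str) -> str:
    """Roll a sub-technique ID up to its parent; plain technique IDs pass through."""
    if not is_technique_id(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return technique_id.split(".", 1)[0]


def sub_techniques(technique_id: str) -> List[str]:
    """IDs of the sub-techniques filed under a technique (empty list if none)."""
    return sorted(t.id for t in TECHNIQUES.values() if t.parent == technique_id)


def tactic_of(technique_id: str) -> str:
    """Tactic name (the attacker objective) that a technique or sub-technique serves."""
    return TACTICS[TECHNIQUES[technique_id].tactic]


def shared_techniques(group_a: str, group_b: str, roll_up: bool = True) -> Set[str]:
    """Techniques two groups have in common.

    With roll_up=True, sub-techniques count as their parent technique, so two
    groups using different Brute Force sub-techniques still overlap on T1110.
    """
    def used(group: str) -> Set[str]:
        ids = PROCEDURES[group]
        return {parent_id(i) for i in ids} if roll_up else set(ids)
    return used(group_a) & used(group_b)


def detection_coverage(tested: Set[str], detected: Set[str]) -> float:
    """Share of the unique techniques in scope for an evaluation that were detected.

    Only techniques actually tested count; a detection outside the evaluation's
    scope is ignored rather than inflating the result.
    """
    if not tested:
        raise ValueError("an evaluation must test at least one technique")
    return len(tested & detected) / len(tested)


if __name__ == "__main__":
    print("Brute Force sub-techniques:", sub_techniques("T1110"))
    print("Overlap (rolled up):", shared_techniques("Example Group A", "Example Group B"))
    print("Overlap (exact):", shared_techniques("Example Group A", "Example Group B", roll_up=False))
```

The roll-up choice matters when reading overlap claims: two groups that both appear under Brute Force may in fact rely on different sub-techniques, so a detection built around one sub-technique (say, password spraying) does not automatically cover the other group's procedure.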
The 2021 MITRE Engenuity ATT&CK Evaluations focused on the Carbanak and FIN7 APTs. Both of these groups use the same Carbanak malware in their attacks but appear to be different groups with different targets and techniques. The MITRE ATT&CK evaluation included tests for 65 MITRE ATT&CK Techniques across 11 Tactics. This includes 12 techniques across 7 tactics that are in scope for the Linux portion of the Round 3 Carbanak evaluation.
Check Point Harmony Endpoint achieved a leading result in this evaluation, detecting 100% of the unique techniques simulated during the exercise. For 96% of these unique techniques, Harmony Endpoint also achieved the highest detection level of the twenty-nine solutions evaluated by MITRE Engenuity.
MITRE Engenuity’s ATT&CK evaluations provide an independent third-party attestation of the effectiveness of Check Point Harmony Endpoint at protecting against attacks by Carbanak, FIN7, and other APTs. To learn more about the MITRE ATT&CK Evaluations, check out this guide. You’re also welcome to learn more about the capabilities of Harmony Endpoint by signing up for a free demo.