Spoiler alert! Sophos has as soon as once more achieved distinctive leads to the newest 2024 MITRE ATT&CK Evaluations for Enterprise. On this spherical, Sophos XDR achieved:
- The best doable (‘Approach’) rankings for 100% of adversary actions within the Home windows and Linux ransomware assault eventualities
- The best doable (‘Approach’) rankings for 78 out of 80 complete adversary actions throughout all three complete eventualities
- ‘Analytic protection’ rankings for 79 out of 80 complete adversary actions actions
The eagerly anticipated outcomes of the sixth spherical of MITRE ATT&CK® Evaluations for Enterprise have been launched, assessing the flexibility of 19 endpoint detection and response (EDR/XDR) options to precisely establish and report the malicious actions of refined menace teams.
Watch this quick video for an outline of the analysis:
What are MITRE ATT&CK® Evaluations?
MITRE ATT&CK® Evaluations are among the many world’s most revered impartial safety assessments. They emulate the ways, strategies, and procedures (TTPs) leveraged by real-world adversarial teams and consider every collaborating vendor’s capability to detect, analyze, and describe threats, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
There isn’t any singular solution to interpret the outcomes of ATT&CK Evaluations, and they don’t seem to be supposed to be aggressive analyses. The outcomes present what the analysis noticed and don’t lead to a “winner” or “chief” – regardless of what some distributors may such as you to suppose!
There’s nuance within the methods every vendor’s software works and the way it presents info to the analyst utilizing it, and your particular person wants and preferences play an important position in figuring out which answer is greatest for you and your workforce. Find out about Sophos Prolonged Detection and Response (XDR)
Analysis overview
This was the sixth spherical of ATT&CK Evaluations for Enterprise — MITRE’s product-focused analysis — designed to assist organizations higher perceive how endpoint detection and response (EDR) choices like Sophos XDR might help them defend towards refined, multi-stage assaults.
This spherical centered on behaviors impressed by three identified menace teams:
- Democratic Folks’s Republic of Korea (DPRK)
The analysis emulated DPRK’s adversary behaviors focusing on macOS through multi-stage operations, together with elevating privileges and credential theft. - CL0P and LockBit Ransomware
The analysis emulated behaviors prevalent throughout campaigns utilizing CL0P and LockBit ransomware focusing on Home windows and Linux platforms, together with the abuse of reliable instruments and disabling crucial providers.
Analysis individuals
Nineteen EDR/XDR answer distributors participated on this analysis spherical (in alphabetical order):
Understanding the outcomes
Every adversary exercise (known as a ‘sub-step’) emulated through the analysis obtained one of many following rankings, indicating the answer’s capability to detect, analyze, and describe the adversary exercise, with output aligned to the language and construction of the MITRE ATT&CK® Framework.
- Not relevant — a “miss”: The adversary exercise was not detected or the analysis for the sub-step was not accomplished.
- None: Execution of the sub step was profitable; nevertheless, proof supplied didn’t meet the documented Detection Standards, or there was no proof of Pink Crew exercise supplied.
- Basic: The answer autonomously recognized that the malicious/suspicious occasion(s) occurred and reported the What, The place, When, and Who.
- Tactic: Along with assembly the factors for a ‘Basic’ ranking, the answer additionally supplied info on the attacker’s potential intent; the Why, aligned to MITRE ATT&CK Techniques.
- Approach — the best doable ranking: Along with assembly the factors for a ‘Tactic’ ranking, the answer additionally supplied particulars on the attacker’s technique for attaining a purpose; How the motion was carried out.
Detections labeled as Basic, Tactic, or Approach are grouped underneath the definition of Analytic Protection, which measures the answer’s capability to transform telemetry into actionable menace detections.
How did Sophos carry out on this analysis?
All through the analysis, MITRE executed three discrete assault eventualities (DPRK, CL0P, and LockBit), comprising a complete of 16 steps and 80 sub-steps.
Sophos XDR delivered spectacular outcomes, attaining:
- The best doable (‘Approach’) rankings for 100% of adversary actions within the Home windows and Linux ransomware assault eventualities
- The best doable (‘Approach’) rankings for 78 out of 80 complete adversary actions throughout all three complete eventualities
- ‘Analytic protection’ rankings for 79 out of 80 complete adversary actions actions
Assault situation 1: DPRK (macOS solely)
North Korea has emerged as a formidable cyber menace, and by increasing its focus to macOS, they’ve gained the flexibility to focus on and infiltrate extra high-value programs. On this assault situation, the MITRE workforce used a backdoor from a provide chain assault, adopted by persistence, discovery, and credential entry, ensuing within the assortment and exfiltration of system info and macOS keychain information.
This situation comprised 4 steps with 21 sub-steps on macOS solely.
- Sophos XDR detected and supplied wealthy ‘analytic’ protection for 20 out of 21 sub-steps (95%) on this situation.
- 19 sub-steps have been assigned ‘Approach’ degree categorization — the best doable ranking.
Assault situation 2: CL0P ransomware (Home windows)
Lively since not less than 2019, CL0P is a ransomware household affiliated with the TA505 cyber-criminal menace actor (often known as Snakefly) and is broadly believed to be operated by Russian-speaking teams. The MITRE workforce used evasion strategies, persistence, and an in-memory payload to carry out discovery and exfiltration earlier than executing ransomware.
This situation comprised 4 steps with 19 sub-steps on Home windows solely.
- Sophos XDR detected and supplied full ‘approach’ degree protection — the best doable ranking — for 100% of sub-steps on this situation.
Assault situation 3: LockBit ransomware (Home windows and Linux)
Working on a Ransomware-as-a-Service (RaaS) foundation, LockBit is a infamous ransomware variant that has gained infamy for its refined instruments, extortion strategies, and high-severity assaults. The MITRE workforce gained entry utilizing compromised credentials, finally deploying an exfiltration software and ransomware to cease digital machines and exfiltrate and encrypt information.
This situation comprised 8 steps with 40 sub-steps on Home windows and Linux.
- Sophos XDR detected and supplied full ‘approach’ degree protection — the best doable ranking — for 100% of sub-steps on this situation.
Be taught extra at sophos.com/mitre and discover the total outcomes on the MITRE web site.
How do Sophos’ outcomes evaluate to different individuals?
As a reminder, there’s no singular solution to interpret the outcomes of ATT&CK Evaluations, and you will notice totally different charts, graphs, and different visualizations created by collaborating distributors that body the leads to alternative ways.
Detection high quality is crucial for offering particulars on the adversary’s conduct so analysts can examine and reply shortly and effectively. Subsequently, some of the precious methods to view the outcomes of ATT&CK® Evaluations is by evaluating the variety of sub-steps that generated a detection that supplied wealthy element on the adversarial behaviors (analytic protection) and the variety of sub-steps that achieved full ‘approach’ degree protection.
MITRE doesn’t rank or fee individuals of ATT&CK Evaluations.
Learn how to use the outcomes of MITRE ATT&CK Evaluations
When contemplating an EDR or prolonged detection and response (XDR) answer, evaluation the outcomes from ATT&CK Evaluations alongside different respected third-party proof factors, together with verified buyer opinions and analyst evaluations. Current third-party recognitions for Sophos XDR embrace:
As you evaluation the information obtainable within the MITRE portal for every collaborating vendor, think about the next questions as they pertain to you, your workforce, and your group:
- Does the evaluated software allow you to establish threats?
- Does it current info to you the way in which you need it?
- Who shall be utilizing the software? Tier 3 analysts? IT specialists or Sysadmins?
- How does the software allow you to conduct menace hunts?
- Are disparate occasions correlated? Is that completed routinely, or do you should do this by yourself?
- Can the EDR/XDR software combine with different expertise in your setting (e.g., firewall, electronic mail, cloud, id, community, and many others.) together with options from different distributors?
- Are you planning to make use of the software by your self, or will you’ve got the help of a Managed Detection and Response (MDR) companion?
Why we take part in MITRE ATT&CK Evaluations
MITRE ATT&CK Evaluations are among the many world’s most revered impartial safety assessments because of the emulation of real-world assault eventualities and transparency of outcomes. Sophos is dedicated to collaborating in these evaluations alongside a few of the greatest safety distributors within the {industry}. As a neighborhood, we’re united towards a typical enemy. These evaluations assist make us higher, individually and collectively, for the advantage of the organizations we defend.
Get began with Sophos XDR
Our outcomes on this newest analysis additional validate Sophos’ place as an industry-leading supplier of endpoint detection and response (EDR) and prolonged detection and response (XDR) capabilities to over 43,000 organizations worldwide.
Go to our web site or communicate with an knowledgeable to see how Sophos can streamline your detection and response and drive superior outcomes on your group at this time.
