2021 VMware Carbon Black MITRE ATT&CK Engenuity Results
What is it?
Since MITRE introduced MITRE ATT&CK® in May 2015, the practitioner community has come to rely on it to enable better communications and management around cybersecurity. Our ATT&CK Evaluations provide vendors with an assessment of their ability to defend against specific adversary tactics and techniques. We emulate known adversary behavior to ensure the evaluation is threat-informed, and carefully select adversaries that allow us to exercise common ATT&CK techniques, as well as push the market to more effectively secure the world’s networks. We openly publish the results to provide industry end-users of these cybersecurity products with the information they need to make good decisions about what is best for their organizations.
Why does it matter?
MITRE Enginuity Evaluations do not determine a winner, nor rankings, providing you with an unbiased assessment of detection capabilities in the context of real-world threats.
What was tested in 2021?
There were two rounds of Engenuity testing. MITRE chose to emulate Carbanak and FIN7; both campaigns rely heavily on stealth, scripting and full exploitation of the users behind the machine while attacking the environment. Engenuity tests for the first time spanned Windows and Linux devices.
Expand the sections below to review specifics on Day 1 and 2 emulations within the Carbon Black Cloud console.
- Day 1 Test
MITRE Engenuity Test Results Day 1
Emulated Attack: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately
Carbanak Scenario: This scenario begins with a legitimate user executing a malicious payload delivered via spearphishing attacks targeting financial institutions. Following initial compromise, Carbanak expands access to other hosts through privilege escalation, credential access, and lateral movement with the goal of compromising money processing services, automated teller machines, and financial accounts. As Carbanak compromises potentially valuable targets, they establish persistence so that they can learn the financial organization's internal procedures and technology. Using this information, Carbanak transfers funds to bank accounts under their control, completing their mission.
To review Day 1 results in Carbon Black Cloud click on the image below.
- Day 2 Test
MITRE Engenuity Test Results Day 2
Emulated Attack: FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security.
FIN7 Scenario: This scenario emulates FIN7 targeting a hotel manager network to gain access to credit card information. The scenario begins with FIN7 achieving initial access to the network after an unwitting user executes a malicious .LNK file. FIN7 then pivots to a privileged IT administrator workstation. From this system, FIN7 keylogs credentials needed to access an accounting workstation. FIN7 then pivots to the accounting workstation, establishes persistence, and deploys malware to scrape credit card information from process memory.
To review Day 2 results in Carbon Black Cloud click on the image below.
Carbon Black Evaluation Takeaways
- Comprehensive telemetry coverage is provided for each step.
- The introduction of XDR visibility with VMware NSX ATP provided high confidence lateral movement and privilege escalation detections.
- AMSI Reveal provided quick access to decode malicious commands.
- 100% detection coverage of the steps emulated for the Linux environment.
VMware Security Detection & Efficacy Strategy
The goal of our strategy is to balance detection and efficacy with operational impact and fidelity. To determine development efforts, detection and efficacy are measured and vetted against three key areas: fingerprinting capabilities, configuration analysis, and real-world attacks.
Fingerprinting the Capabilities
Comparing what we see vs. what we know.
There are over 240 techniques in the MITRE ATT&CK framework, it is imperative that we validate our solutions against the ATT&CK Framework to identify gaps and determine how to appropriately detect these techniques. The key with detection and telemetry is NOT to alert to each TID, this would result in high levels of fatigue creating operational complexities for your organization. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected. For example, TID 1059 Command and Scripting Interpreter, while scripting is leveraged in many adversarial scenarios it is not 100% indicative of nefarious activity. Scripting tools are leveraged by many common applications as well as administrators within your organization. By blocking and/or alerting on TID 1059 in isolation you will impact your organization's ability to operate as expected, creating greater friction within the organization. While telemetry and detections have proven to be a necessity in the fight against adversaries, the challenge is enhancing that data with the right context. How do we take TID 1059 and increase the fidelity to block and alert on only nefarious usage of interpreters? We marry fingerprinting with configuration analysis.
Analyzing known IOCs and C2 frameworks to learn the adversarial trends and identify choke points.
To drive better outcomes for our customers, the intelligence gathered from our threat research not only correlates contextual events it is also leveraged to drive zero-touch preventions directly to our customers. In order to make the security industry as a whole more successful we must take in data from different control points across endpoints, workloads, containers, networks, users, and cloud and deliver higher fidelity prevention and detection capabilities.
VMware Carbon Black's efficacy strategy is based on the adversaries' lifecycle. Take ransomware for example, in the case of ransomware the adversary often operates with a goal of dumping credentials and escalating privileges. MITRE ATT&CK TID 1003 OS Credential Dumping for example requires strong coverage due to the criticality of credential theft for lateral movement. VMware's Threat Research Team runs extensive tests against key phases in the ransomware lifecycle to identify new ways of detection and protection. Once analyzed our Threat Research team is able to push new preventions directly to our customers without requiring an agent upgrade. The intention is to continue enhancing and delivering on a “Born Secure” approach, increasing your organization's security posture prior to an incident occurring.
For hands-on experience with our protection check out our new Malware Lab!
Collaborating with our IR, MDR Partners as well as our Research Community drives intelligence decisions on existing bad actors. While Internal attacker emulation allows for proactive identifications of adversaries.
Carbon Black is developed with an API first mentality, meaning that if we build something into the product we need to be able to access this via the API to power our IR and MSSP partners to strengthen their support of your organization. With our growing partner base, it is critical that we leverage the intelligence-driven from Incident Response engagements to understand how to improve our detection and prevention mechanisms.
List of IR and MSSP partners available here.
Ensuring we are staying proactive a key piece of our detection and efficacy strategy is performing detailed attacker emulation. Leveraging internal threat researchers who know how the product functions empower the Threat Research team to mitigate gaps that arise related to adversary simulation.
Detection and efficacy are always evolving, at VMware Carbon Black we leverage the MITRE ATT&CK framework to guide our intelligence with the goal of delivering high fidelity detections and preventions to reduce fatigue while increasing your security posture.