2021 MITRE Engenuity Results

June 14, 2021

What is it? 

Since MITRE introduced ATT&CK® in May 2015, the practitioner community has come to rely on it to enable better communications and management around cybersecurity. Our ATT&CK Evaluations provide vendors with an assessment of their ability to defend against specific adversary tactics and techniques. We emulate known adversary behavior to ensure the evaluation is threat-informed, and carefully select adversaries that allow us to exercise common ATT&CK techniques, as well as push the market to more effectively secure the world’s networks. We openly publish the results to provide industry end-users of these cybersecurity products with the information they need to make good decisions about what is best for their organizations.

Why does it matter?

MITRE Enginuity Evaluations does not determine a winner, nor rankings, providing you with an unbiased assessment of detection capabilities in the context of real world threats.

What was tested in 2021?

There were two rounds of Engenuity testing. MITRE chose to emulate Carbanak and FIN7; both campaigns rely heavily on stealth, scripting and fully exploitation of the users behind the machine while attacking the environment. Engenuity tests for the first time spanned Windows and Linux devices. 

Expand the sections below to review specifics on Day 1 and 2 emulations within the Carbon Black Cloud console.
 

Day 1 Test

MITRE Engenuity Test Results Day 1

Emulated Attack: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately 

Carbanak Scenario: This scenario begins with a legitimate user executing a malicious payload delivered via spearphishing attacks targeting financial institutions. Following initial compromise, Carbanak expands access to other hosts through privilege escalation, credential access, and lateral movement with the goal of compromising money processing services, automated teller machines, and financial accounts. As Carbanak compromises potentially valuable targets, they establish persistence so that they can learn the financial organization's internal procedures and technology. Using this information, Carbanak transfers funds to bank accounts under their control, completing their mission.

To review Day 1 results in Carbon Black Cloud click on the image below.

Click on the image to review a walkthrough of day 1 test results

Day 2 Test

MITRE Engenuity Test Results Day 2

Emulated Attack: FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security.

FIN7 Scenario: This scenario emulates FIN7 targeting a hotel manager network to gain access to credit card information. The scenario begins with FIN7 achieving initial access to the network after an unwitting user executes a malicious .LNK file. FIN7 then pivots to a privileged IT administrator workstation. From this system, FIN7 keylogs credentials needed to access an accounting workstation. FIN7 then pivots to the accounting workstation, establishes persistence, and deploys malware to scrape credit card information from process memory.

To review Day 2 results in Carbon Black Cloud click on the image below.

Click on the image to review a walkthrough of day 2 test results

Carbon Black Evaluation Takeaways

  • Comprehensive telemetry coverage provided for each step. 
  • Introduction of XDR visibility with VMware NSX ATP provided high confidence lateral movement and privilege escalation detections. 
  • AMSI Reveal provided quick access to decode malicious commands. 
  • 100% detection coverage of the steps emulated for Linux environment.

 

VMware Security Detection & Efficacy Strategy

The goal of our strategy is to balance detection and efficacy with operational impact and fidelity. To determine development efforts, detection and efficacy are measured and vetted against three key areas: fingerprinting capabilities, configuration analysis, and real world attacks.

Fingerprinting the Capabilities

Comparing what we see vs. what we know.

There are over 240 techniques in the MITRE ATT&CK framework, it is imperative that we validate our solutions against the ATT&CK Framework to identify gaps and determine how to appropriately detect these techniques. The key with detection and telemetry is NOT to alert to each TID, this would result in high levels of fatigue creating operational complexities for your organization. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected. For example TID 1059  Command and Scripting Interpreter, while scripting is leveraged in many adversarial scenarios it is not 100% indicative of nefarious activity. Scripting tools are leveraged by many common applications as well as administrators within your organization. By blocking and/or alerting on TID 1059 in isolation you will impact your organizations ability to operate as expected, creating greater friction within the organization. While telemetry and detections have proven to be a necessity in the fight against adversaries, the challenge is enhancing that data with the right context. How do we take TID 1059 and increase the fidelity to block and alert on only nefarious usage of interpreters? We marry fingerprinting with configuration analysis.

Configuration Analysis

Analyzing known IOCs and C2 frameworks to learn the adversarial trends and identify choke points.

To drive better outcomes for our customers, the intelligence gathered from our threat research not only correlates contextual events it is also leveraged to drive zero-touch preventions directly to our customers. In order to make the security industry as a whole more successful we must take in data from different control points across endpoints, workloads, containers, network, user, and cloud and deliver higher fidelity prevention and detection capabilities.

VMware Carbon Blacks efficacy strategy is based on the adversaries lifecycle. Take ransomware for example, in the case of ransomware the adversary often operates with a goal of dumping credentials and escalating privileges. MITRE ATT&CK TID 1003 OS Credential Dumping for example requires strong coverage due to the criticality of credential theft for lateral movement. VMware's Threat Research Team runs extensive tests against key phases in the ransomware lifecycle to identify new ways of detection and protection. Once analyzed our Threat Research team is able to push new preventions directly to our customers without requiring an agent upgrades. The intention is to continue enhancing and delivering on a “Born Secure” approach, increasing your organizations security posture prior to an incident occurring. 

For hands on experience with our protection check out our new Malware Lab!

Real World Attacks

Collaborating with our IR, MDR Partners as well as our Research Community drives intelligence decisions on existing bad actors. While Internal attacker emulation allows for proactive identifications of adversaries.

Carbon Black is developed with an API first mentality, meaning that if we build something into the product we need to be able to access this via the API to power our IR and MSSP partners to strengthen their support of your organization. With our growing partner base it is critical that we leverage the intelligence driven from Incident Response engagements to understand how to improve our detection and prevention mechanisms.

List of IR and MSSP partners available here.

Ensuring we are staying proactive a key piece of our detection and efficacy strategy is performing detailed attacker emulation. Leveraging internal threat researcher who know how the product functions empowers the Threat Research team to mitigate gaps that arise related to adversary simulation.

Conclusion

Detection and efficacy is always evolving, at VMware Carbon Black we leverage the MITRE ATT&CK framework to guide our intelligence with the goal of delivering high fidelity detections and preventions to reduce fatigue while increasing your security posture.

 

Filter Tags

Empowering the Modern SOC Enterprise EDR VMware Security

Sanara Marsh

Read More from the Author

Manager, Technical Marketing, Security Business Unit, VMware. Having worked with customers at a variety of organizational levels; Sanara Marsh brings a real-world perspective on security. Taking this knowledge to TechZone, Sanara creates content focused on enabling cyber professionals to implement and optimize their security stack. "Cybersecurity has evolved to play a role in all areas of business and must be approached with a team sport mentality."