Fidelis Blog
Author
Anders Gregg
Gregg Anders
Chief Architect

Gregg has spent more than half of his 25+ years of experience in the software industry architecting enterprise security solutions . For the last seven years as Architect at Fidelis Cybersecurity, Gregg... Read More

Comments

Fidelis Endpoint delivers 100% detection coverage across all nineteen steps during the 2022 MITRE Engenuity™ Round 4 ATT&CK® Evaluation 

hacker puzzle illustration

Fidelis Endpoint®, Fidelis Cybersecurity’s Endpoint Detection and Response (EDR) platform, successfully detected overwhelming evidence of malicious activity prior to successfully detecting the execution of ransomware: the final step for each simulated attack during the 2022 MITRE Engenuity™ Round 4 ATT&CK® Evaluation.

Fidelis Endpoint successfully provided analytic detections in 100% of the nineteen adversarial steps and visibility in 94 of the 109 sub-steps performed during the two simulated attacks performed over two days.  The precise analytic detections provided by Fidelis Endpoint demonstrate that security teams in real world attacks will be able to identify and disrupt malicious activity early in the attack lifecycle, before attackers can achieve their objectives and impact target endpoints.

Fidelis Endpoint is one key component of the Fidelis Elevate eXtended Detection and Response (XDR) platform, which helps organizations adopt an active defense posture and engage adversaries earlier in the attack lifecycle.  Fidelis Endpoint excels in providing deep visibility into the inner workings of each endpoint in an enterprise and, as part of the Fidelis Elevate XDR platform, combined with Fidelis Network and Fidelis Deception, it helps build a complete picture of what is happening in an environment and increases an organization’s security efficacy.

2022 Attack Evaluation – Wizard Spider and Sandworm Team

Independent MITRE ATT&CK Evaluations assess the detection capabilities of EDR solutions when faced with real-world cyber threats that impact businesses and governments worldwide. Through the lens of the ATT&CK knowledge base, the 2022 evaluations focused on two threat actors: Wizard Spider and Sandworm Team.  These two threat actors were chosen based on their complexity, relevancy to the market, and how well MITRE Engenuity’s staff can fittingly emulate the adversary.

  • Wizard Spider is a financially motivated criminal group, active in conducting ransomware campaigns since August 2018 against a variety of organizations, including major corporations and hospitals.
  • Sandworm Team is a destructive Russian threat group known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks.

Understanding the Attack Scenarios and Scoring

The 2021 Wizard Spider and Sandworm Team simulated attack scenarios were broken into 19 steps across two days, with one Threat Adversary emulated each day.  On day one, the Wizard Spider attack consisted of 10 steps broken into 52 sub-steps. The Sandworm Team attack on day two consisted of 9 steps broken into 57 sub-steps.

For the purposes of scoring the attack scenarios, the following definitions apply:

  • Steps: MITRE referred to groups of sub-steps as a step. Steps represented broad activity, such as Initial Compromise. Each sub-step within a step represented the ability to detect a specific Technique, or an atomic unit of an attack.
  • Analytic Detection: An analytic detection score signifies that the product can capture and label suspicious behaviors very specifically. To achieve an analytic detection, the platform had to capture and display evidence, such as process metadata or file activity, and accurately label and/or alert on that evidence with the precise Technique or Tactic represented by the sub-step. An analytic detection score signifies the product captures and labels suspicious behaviors very specifically.
  • Telemetry: If collected evidence for a sub-step was not labeled or alerted in the precise way each sub-step dictated, the collected evidence was labeled as Telemetry.  Each Telemetry score represents a product’s capability to collected evidence associated with an attack that was not analyzed and labeled in a specific manner.

Collectively, analytic detections and telemetry demonstrate how well a product provides visibility into an attack.

Fidelis Endpoint 2022 MITRE Engenuity Round 4 ATT&CK Evaluation Results

Fidelis Endpoint provided analytic detections in 85 of the 109 sub-steps. It may not have provided an analytic detection for every sub-step but, by successfully detecting multiple, specific units of threat activity during each step, it provided actionable evidence of the attack for each step.

In all nineteen steps in the 2022 MITRE evaluation, Fidelis Endpoint demonstrated multiple analytic detections per step, except for the one step that only had one possible detection.  This highlights Fidelis Endpoint’s capability to identify and alert operators to take action early during an attack.

Let’s add in the telemetry. This is evidence of threat activity collected that pertains to the attack, but not necessarily labelled in the manner the MITRE evaluation expected.

Between the analytic detections we talked about and the telemetry, Fidelis Endpoint identified and collected evidence for 94 of the 109 sub-steps of the evaluation.

Interpreting the Fidelis Endpoint Results

Imagine assembling a 109-piece puzzle.  Chances are, you could determine the image or intent of the puzzle before all 109 pieces were in place.  Once key pieces are assembled, the final image becomes evident, even with less-significant pieces still missing.

Just like a puzzle, identifying a cyber-attack does not require all the pieces to be in place: once you detect behaviors containing strong signals of an attack (ie: Steal or Forge Kerberos Tickets), you can build a clear picture of the threat and start taking action. 100% visibility is not required to detect malicious activity, disrupt it, and make an impact.

The MITRE evaluation simulated attacks required EDR systems to allow attacks to progress through all stages, including the execution and impact of ransomware.  The first step in evaluation disabled attack disruption features, such as automated blocking responses, heuristic malware detection and blocking, antivirus, and behavioral-based anomaly detection and blocking. This allows the platform to demonstrate the capabilities of all the detection and analytic features and to provide telemetry and visibility into each step of the simulated attacks.

In a real-world environment, the automatic response and protection capabilities of Fidelis Endpoint would not be disabled. These key features would augment analysts’ manual workflows to identify and disrupt attacks well before the attackers could achieve their tactical goals.  With analytic detections and visibility into all the steps during the ATT&CK evaluation—especially the Initial Compromise, Execution, Persistence, and Discovery phases of both test scenarios—Fidelis Endpoint demonstrates how attacks can be detected with confidence and stopped earlier in the attack lifecycle. Automated responses and actions, when enabled, greatly enhance the efficiency of this process.

If an attack is not detected and stopped (or is allowed to run, as during the MITRE ATT&CK Evaluation) during one of the initial phases, Fidelis Endpoint continues to excel in identifying and labelling activity.  Identifying and alerting on critical Techniques associated with Credential Access, Privilege Escalation, or Lateral Movement provides even more context to detect and disrupt the attack.  Again, Fidelis Endpoint provided key analytic detections during all these critical steps of the attack during the evaluation. In real-world execution, these automated responses accelerate disruption and response to these later-stage detections.

The final step in both MITRE ATT&CK evaluation scenarios was the ransomware detonation to encrypt data.  Fidelis Endpoint successfully detected and alerted on the activity. Had automated responses been allowed during the testing, Fidelis Endpoint could have terminated the malicious processes before impact.  In a real-world implementation, these responses would have been enabled.

In the process of detecting and disrupting cyber-attacks, the early identification and labeling of suspicious activity is key to success. With detections in every step, the 2022 ATT&CK Evaluation results clearly show that Fidelis Endpoint provides operators with the tools and information needed to stop adversaries earlier in the attack lifecycle.

Fidelis Elevate® is an XDR platform that includes Fidelis Endpoint, Fidelis Network®, and Fidelis Deception®. The platform increases visibility throughout the entire attack lifecycle by combining network session and protocol anomaly detections, high-confidence and actionable detections via threat actor interaction with decoys, and endpoint detections and automated responses. We will dig into the details of how Fidelis Elevate provides comprehensive visibility to detect and disrupt ransomware and other APT-style attacks in a future blog post.

Summary

Fidelis Cybersecurity® enables security teams to engage with adversaries earlier in the attack lifecycle using active defense solutions that provide full visibility and response across endpoints, networks, and cloud systems. The ATT&CK Evaluations focus on endpoint analysis capabilities, which is an important part of a security defense, but not the only need. In fact, Fidelis Network and Deception, used in conjunction with Fidelis Endpoint, provide stronger identification and response throughout the attack lifecycle while introducing cost and confusion to adversaries. These additional XDR capabilities were not tested in this evaluation.

The Fidelis Endpoint release tested during the 2022 MITRE Engenuity ATT&CK Evaluations demonstrated exemplary detection capabilities.   We are continuing to enhance our detection capabilities and workflows with our upcoming Fidelis Elevate XDR platform components, Fidelis Endpoint, Fidelis Network, and Fidelis Deception 9.5 releases.

Learn more about Fidelis Endpoint >
Learn more about Fidelis Elevate >

 

Stay up to date on all things security

Subscribe to the Threat Geek Blog