Written by: Marc Feghali, Co-founder and VP of Product Management

Detecting more tactics of the MITRE ATT&CK® Matrix for Enterprise and achieving broader coverage is demonstrable when you incorporate the Attivo EDN suite into any EPP/EDR solution. The EDN suite produced an average increase of 42% in the detection rate when assessed with leading endpoint security solutions during a recent MITRE ATT&CK DIY evaluation.
The core strength of EPP/EDR solutions lies in the first five stages of the MITRE ATT&CK® Matrix for Enterprise (Initial Access, Execution, Persistence, Privilege Escalation, and Defense Evasion). Unfortunately, attackers can still infiltrate the network and loiter for extended periods, moving laterally and elevating privileges to achieve their goals.
The Attivo EDN solution augments traditional endpoint solutions by denying attackers the ability to move laterally unimpeded. It includes multiple technologies that work together to detect attackers and their activities very early in the attack cycle and to deny them freedom of movement during the period in which they would otherwise remain undetected.
The Attivo EDN solution family of products includes:
- ThreatStrike, a suite of deceptive lures that detects an attacker’s attempt to use stolen credentials to move laterally and misdirects attackers who pick up the deceptive credentials into engagement environments
- ThreatPath, which reduces the attack surface by providing visibility of potential lateral movement paths in the network and removing exposed credentials
- ADSecure, which protects Active Directory by hiding high-privilege AD objects, alerting when attackers enumerate AD or query deceptive objects, and controlling the attackers’ paths by feeding them fake data
- Deflect, which prevents network service enumeration, redirects probes and connection attempts to decoys, avoids accurate fingerprinting of network services, and denies East-West lateral movement
- Ransomware Protection Using Deception, which hides production network mapped shares and select files or folders from ransomware while showing only deceptive network shares, files, or other data to engage the ransomware and delay encryption
The MITRE ATT&CK® Matrix for Enterprise and APT Assessments
The MITRE Corporation released the ATT&CK® Matrix in May of 2015 as a knowledge base of adversary tactics and techniques based on real-world observations. Since then, the security community has used it to enable better communication across all facets of security, including Red teams, Blue teams, and management. Defenders use the ATT&CK Matrix for tabletop exercises, assessments, and hands-on evaluations. The security community uses it to perform testing that reveals capabilities and gaps in both network security coverage and product capabilities. The ATT&CK Matrix is appealing for testing because it uses known threats rather than just hypotheticals, and its visualization provides a useful scorecard for capturing evaluation results.
As part of its support for ATT&CK, MITRE recently began evaluating vendor products as a neutral authority for testing the ability of specific solutions to detect inbound attacks based on the framework. While MITRE does not rate or recommend tools, the methodology serves as a useful benchmark for comparison. MITRE’s evaluation methodology is publicly available, and all evaluation results are publicly released (please see https://attackevals.mitre.org/ for more information).
Attivo Networks used the MITRE “Do It Yourself” Evaluation Tool to assess the performance of the EDN solution.
The role of EDN in the MITRE ATT&CK® Matrix for Enterprise
The EDN solution extends any EDR security control to cover Credential Access, Discovery, Lateral Movement, and Collection tactics of the MITRE ATT&CK Matrix, as illustrated in Figure 1. The combined EDN and EDR solution extends coverage to 9 out of the 12 ATT&CK framework stages.
To prove its efficacy and value to EDR solutions, Attivo evaluated the MITRE APT29 test results of several EDR vendors and analyzed their performance both individually and combined with the EDN solution to gauge relative performance and identify any relative gains. Attivo did not count any detection that duplicated one already made by the EDR solution; it counted only new detections that complemented the EDR solution.
When we compared the results of the top four EDR vendors, the Attivo EDN solution enhanced detection coverage by 17-93%, depending on the vendor. On average, it increased detection rates by 42%.
These results show that combining the EDN suite with any of the EDR solutions creates a more comprehensive defense against attackers: together, they act as a force multiplier that severely constrains the adversary’s ability to operate inside the network at will.
Further information on Attivo test results can be found here.