The Threat Landscape

According to the Fortinet February 2022 Global Threat Landscape Report, industries worldwide experienced a dramatic 15x growth in ransomware volume over the past 18 months, with sustained volume throughout 2021. Furthermore, attacks are harder to stop because attacker capabilities keep evolving, fed by a very active economy of threat actors with fresh code for sale. Additionally, with nearly 47% of people working away from the office part- or full-time, many are outside traditional corporate network defenses such as firewalls (which are used to stop attacks in their initial phases). Because of this, organizations look to EDR solutions as the first and last lines of defense for employee endpoints, cloud workloads, and servers.

The Buyer’s Peril

Due to the rich history of endpoint security offerings and a growing market, many vendors (with numerous claims) are looking to peddle their wares to customers. Buyers will often turn to third-party analysts to help them narrow the field to a shortlist of candidate offerings. Unfortunately, most analyst reports are built on survey data and, as a result, vary from source to source and are based mainly on opinion. Furthermore, they don’t always consider the actual performance of products in the face of live threats. Additionally, pay-to-play agencies are always available to produce positive reports for vendors to hand to their prospects.

MITRE’s Clear View Into Solutions

Thankfully, the MITRE Foundation is a not-for-profit entity sponsored by the U.S. federal government to provide cyber-defense testing of security technology. Its ATT&CK Evaluations test multiple EPP solutions against hand-picked threats that exhibit multiple trackable behaviors. In each of the four rounds of these evaluations, MITRE picked one or two strains to test, broke them into two scenarios, and then measured protection against the attack followed by detection of each sub-technique. Strains are selected for their presence in real attacks and for the number and variety of adversary tactics, techniques, and procedures (TTPs) they exhibit. MITRE states that “adversaries must either employ these known techniques or expend vast resources to develop novel techniques regardless of their capabilities or strategic mission objectives.”

The Round Four Evaluations

Two Russian nation-state ransomware strains were selected in the fourth round of the MITRE ATT&CK Evaluations. Wizard Spider and Sandworm represented roughly one-third of the cataloged TTPs in the malware used. MITRE placed each strain into a scenario composed of eight Windows tests and an additional, optional Linux test. The Windows tests covered 90 sub-techniques, and the Linux test covered 19. In all, 30 vendors participated in Round Four; eight vendors did not participate in the protection tests, and five vendors were unable to participate in the Linux test because they either didn’t cover the platform with their agent or their threat hunting module for Linux wasn’t publicly available for the test.

To read the full analysis, download the whitepaper:

Making Sense of EPP Solutions: Reading the 2022 MITRE ATT&CK® Evaluation Results
