Highlights:

  • To ensure impartiality, MITRE Engenuity ATT&CK assessments are based on a knowledge base of tactics, techniques, and sub-techniques. MITRE’s ATT&CK Matrix for Enterprise is the most widely used framework for assessing the security of enterprise systems and software.

Social engineering and spear-phishing are used to compromise IT infrastructure, endpoints and identities. Attackers typically establish persistence quickly and steal credentials to move laterally across the network unnoticed. MITRE’s first closed-book evaluation, “ATT&CK Evaluations for Security Service Providers,” used this breach sequence.

The ATT&CK Evaluation gauges providers’ cybersecurity effectiveness: how well can these solutions identify and halt a breach attempt without knowing when or how it will happen?

To ensure impartiality, MITRE Engenuity ATT&CK assessments are based on a knowledge base of tactics, techniques, and sub-techniques. MITRE’s ATT&CK Matrix for Enterprise is the most widely used framework for assessing the security of enterprise systems and software.

Managed services and MDR stress-testing

MITRE ATT&CK evaluations have historically told security vendors in advance which attack and breach attempts they would be tested on, and why. With advance knowledge, vendors can tune their products to the test, producing results that overstate real-world performance.

In a closed-book evaluation, vendors do not know which threats they will encounter. MITRE ATT&CK Evaluations for Security Service Providers is the first closed-book evaluation to stress-test vendors’ Managed Services and Managed Detection and Response (MDR) offerings.

Closed-book assessments are the most accurate representation of a security vendor’s performance in a client environment. Michael Sentonas, the Chief Technology Officer at CrowdStrike, said, “The closed book test provides an opportunity to show how security platforms operate against adversary tradecraft in a real-world setting, as vendors have no prior knowledge to guide their actions.”

MITRE’s evaluation of MDRs is particularly pertinent, given that persistent cybersecurity skills shortages increase the likelihood of data breaches for enterprises. According to the (ISC)2 Cybersecurity Workforce Study, an additional 3.4 million cybersecurity professionals are required to safeguard assets successfully. Managed detection and response (MDR) offers businesses an efficient method for bridging the skills gap and enhancing company resilience.

Five days were allotted for the MITRE Security Service Providers evaluation, including a 24-hour reporting window. The sixteen MDR participants had no prior knowledge of the adversary or its tactics, techniques, and procedures (TTPs). Each participant was rated on ten stages comprising 76 events, spanning ten distinct ATT&CK approaches and 48 distinct ATT&CK techniques.

Ashwin Radhakrishnan of MITRE Engenuity said, “We selected OilRig based on their defense evasion and persistence techniques, complexity, and relevancy across industry verticals.” This first round of MITRE ATT&CK Evaluations for managed services tested vendors by emulating the tactics, techniques, and procedures (TTPs) of OilRig (also known as HELIX KITTEN), the adversary group whose activity aligns with the strategic goals of the Iranian government.

The emulated attack began with a spear-phishing campaign against a national organization, using malware associated with HELIX KITTEN operations. The end objective of the emulated intrusion was to exfiltrate data.

Weaving human intelligence with AI and ML delivers the best results

MITRE evaluated MDR vendors whose offerings combine several product generations of platform and Managed Services expertise, applying AI/ML and human analysis in real time. CrowdStrike Falcon Complete, Microsoft, SentinelOne, and Palo Alto Networks spotted the most attacker techniques out of the 76 total.

MDR providers use AI/ML tools and methodologies to evaluate endpoint, network and cloud telemetry. AI-assisted threat hunting identifies and thwarts intrusions.

MITRE Engenuity explains its testing outcomes in ATT&CK® Evaluations: Managed Services — OilRig (2022) and the Top Ten Ways to Interpret the Outcomes Report. That report gives an overview of the methodology and of how to interpret the results. MITRE also provides a layer file for the results, which can be loaded into its ATT&CK Navigator for further examination.
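A layer file is plain JSON, so a defender can summarize a vendor's coverage per tactic without opening Navigator at all. The script below is an added example, not code from MITRE Engenuity or any vendor, and the embedded layer is constructed for illustration; it does not reproduce the real OilRig 2022 results. It assumes the standard Navigator layer shape (a top-level `techniques` list whose entries carry `techniqueID`, `tactic` and `score`) and the convention, chosen here, that a score of 1 means the technique was detected and 0 or a missing score means it was missed.

```python
"""Summarize detection coverage from an ATT&CK Navigator layer file.

Added example; not code from MITRE or any vendor. SAMPLE_LAYER is a
constructed layer, not real evaluation data. Assumed convention:
score 1 = detected, score 0 or absent = missed.
"""
import json
from collections import defaultdict

# Constructed sample layer in ATT&CK Navigator format (not real results).
SAMPLE_LAYER = json.dumps({
    "name": "constructed coverage layer",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 1},
        {"techniqueID": "T1204.002", "tactic": "execution", "score": 1},
        {"techniqueID": "T1547.001", "tactic": "persistence", "score": 1},
        {"techniqueID": "T1003.001", "tactic": "credential-access", "score": 0},
        {"techniqueID": "T1021.002", "tactic": "lateral-movement", "score": 1},
        {"techniqueID": "T1041", "tactic": "exfiltration"},  # no score: missed
    ],
})


def load_techniques(layer_text):
    """Parse layer JSON and return its technique entries, validating shape."""
    layer = json.loads(layer_text)
    techniques = layer.get("techniques")
    if not isinstance(techniques, list):
        raise ValueError("layer has no 'techniques' list")
    for entry in techniques:
        if "techniqueID" not in entry:
            raise ValueError("technique entry without techniqueID: %r" % entry)
    return techniques


def coverage_by_tactic(layer_text):
    """Return {tactic: (detected, total)} for every tactic in the layer."""
    counts = defaultdict(lambda: [0, 0])
    for entry in load_techniques(layer_text):
        tactic = entry.get("tactic", "unknown")
        detected = entry.get("score", 0) == 1
        counts[tactic][0] += 1 if detected else 0
        counts[tactic][1] += 1
    return {tactic: tuple(pair) for tactic, pair in counts.items()}


def overall_coverage(layer_text):
    """Return (detected, total) across the whole layer."""
    per_tactic = coverage_by_tactic(layer_text)
    detected = sum(d for d, _ in per_tactic.values())
    total = sum(t for _, t in per_tactic.values())
    return detected, total


def missed_techniques(layer_text):
    """Return the technique IDs the layer marks as not detected, in order."""
    return [
        entry["techniqueID"]
        for entry in load_techniques(layer_text)
        if entry.get("score", 0) != 1
    ]


if __name__ == "__main__":
    detected, total = overall_coverage(SAMPLE_LAYER)
    print("overall: %d of %d techniques detected" % (detected, total))
    for tactic, (d, t) in coverage_by_tactic(SAMPLE_LAYER).items():
        print("  %-18s %d/%d" % (tactic, d, t))
    print("missed:", ", ".join(missed_techniques(SAMPLE_LAYER)))
```

Gaps grouped by tactic are more useful than a single headline number: a provider that misses credential access and exfiltration has blind spots exactly where the OilRig-style intrusion does its damage, even if its overall count looks strong.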

MITRE ATT&CK Evaluations for Security Service Providers highlighted what helped the 16 participating vendors succeed. The best-performing vendors operated their own security technologies and offer a broad range of security capabilities. These vendors consistently had the widest detection coverage and the best security results.

CrowdStrike reported 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation. Like the other top-performing vendors, CrowdStrike identified the emulated nation-state adversary in under 13 minutes.

AI-assisted threat intelligence is essential for an MDR

The future of cybersecurity lies in combining AI, ML, and human intelligence in one integrated MDR solution. Cybersecurity platform product lifecycles must therefore be tightly linked to MDR procedures; this is how valuable capabilities, such as native, first-party threat intelligence, become actionable.

The evaluation showed that the most successful MDR solutions can develop threat intelligence and validate it. The integration of Indicators of Compromise (IOCs) and other strategic insights throughout CrowdStrike’s products demonstrates how threat intelligence can be extended across an MDR solution. The MITRE ATT&CK Evaluations for Security Service Providers are valuable to businesses seeking guidance because they identify the capabilities that distinguish MDR solutions and what organizations should look for when choosing one.