Wednesday, January 8, 2025

The Sophos solution has achieved exceptional results in the 2024 MITRE ATT&CK Evaluation, a rigorous assessment of its ability to detect and prevent enterprise-level threats.

Sophos has once again achieved exceptional results in the latest 2024 MITRE ATT&CK Evaluations for Enterprise. In this round, Sophos achieved:

  • Top-rated technique ratings in the Windows and Linux ransomware attack scenarios
  • Top-rated technique ratings across adversary actions in all three scenarios
  • Top-rated analytic coverage of adversary actions

The eagerly anticipated results of the sixth round of MITRE ATT&CK® Evaluations for Enterprise have been released, assessing how accurately 19 endpoint detection and response (EDR/XDR) solutions identify and report the activities of sophisticated threat actors.

Take a few minutes to watch this concise video overview that breaks down our analysis.


MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. By emulating real-world adversary tactics, techniques, and procedures (TTPs), they rigorously assess each participating vendor’s ability to detect, analyze, and describe threats, with output aligned to the standardized language and structure of the ATT&CK framework.

There is no single way to interpret the results of ATT&CK Evaluations, and they are not intended to be competitive analyses. The evaluation does not declare a “winner” or a “best” solution, whatever some readers may expect.

Vendors’ solutions differ in their approaches and in how they present information, so individual needs and preferences weigh heavily in choosing the solution that best suits you and your team.

This was the sixth round of ATT&CK Evaluations for Enterprise, MITRE’s product-focused evaluation, designed to help organizations better understand how endpoint detection and response (EDR) solutions can help them defend against sophisticated, multi-stage attacks.

This round focused on the behaviors of three distinct threat groups:

  • The evaluation emulated the tactics of North Korean (DPRK) adversaries, focusing specifically on macOS through multi-stage attacks that included privilege escalation and credential theft.
  • It also emulated the tactics commonly seen in CL0P and LockBit ransomware campaigns, targeting Windows and Linux, including the abuse of legitimate tools and the disruption of critical services.

Nineteen EDR/XDR solution vendors participated in this evaluation.

Each adversary activity (referred to as a ‘sub-step’) emulated during the evaluation received one of the following ratings, indicating the solution’s ability to detect, analyze, and describe the adversary activity, with output aligned to the language and structure of the MITRE ATT&CK® framework.

  • None: The adversary activity was not detected, and no evidence was presented for the sub-step.
  • Telemetry: Minimally processed data showed that the sub-step was executed, but the evidence did not meet the documented detection criteria.
  • General: The solution detected the suspicious or malicious event(s) and alerted on them, without further detail on why or how the activity was performed.
  • Tactic: In addition to meeting the criteria for a ‘General’ rating, the solution also provided information on the attacker’s potential intent, aligned to MITRE ATT&CK Tactics.
  • Technique: In addition to meeting the criteria for a ‘Tactic’ rating, the solution also provided detail on how the attacker performed the action.

Detections rated General, Tactic, or Technique are aggregated under the ‘analytic coverage’ metric, which assesses the solution’s ability to convert telemetry into actionable threat detections.

During the evaluation, MITRE emulated three distinct attack scenarios, DPRK, CL0P, and LockBit, comprising a total of 16 steps and 80 sub-steps.

Sophos XDR achieved outstanding results, including:

  • Top-rated technique ratings in the Windows and Linux ransomware attack scenarios
  • Top-rated technique ratings across all adversary actions in all three scenarios
  • Top-rated analytic coverage across all adversary actions


As North Korea’s cyber capabilities continue to evolve, the regime has shown a notable shift in attention toward macOS, strengthening its ability to launch sophisticated attacks on high-value targets. For this scenario, MITRE emulated a software supply chain attack that progressed through persistence, discovery, and credential manipulation, ultimately enabling the collection and exfiltration of sensitive system data and macOS keychain files.

This scenario consisted of four steps with 21 sub-steps, all on macOS.


CL0P has been an active ransomware operator since at least 2019. It is linked to the TA505 criminal group (also known as Snakefly), and its operators are believed to be Russian-speaking. MITRE’s emulated adversary employed evasion tactics, maintained persistence, and injected an in-memory payload to gather intelligence and steal data before deploying the ransomware payload.

This scenario consisted of four steps with 19 sub-steps, all on Windows.


Operated as a Ransomware-as-a-Service (RaaS) platform, LockBit is a notorious ransomware family known for its sophisticated tooling, aggressive extortion tactics, and highly damaging attacks. In this scenario, the emulated attackers used compromised credentials to install malware that disrupted systems, stole data, and encrypted sensitive files, ultimately crippling the organization’s digital infrastructure.

This scenario consisted of eight steps with 40 sub-steps, spanning both Windows and Linux.

As a reminder, there is no single way to interpret the results of ATT&CK Evaluations, and you will see different charts, graphs, and other visualizations from participating vendors that frame the results in different ways.

High-quality detections are crucial: they provide actionable insight into adversary behavior and enable analysts to investigate and respond quickly. One of the most useful ways to view ATT&CK® Evaluation results is therefore to compare the number of sub-steps that generated a detection with rich detail on the adversary behavior (analytic coverage) and the number of sub-steps that achieved full ‘Technique’-level coverage.

When considering an endpoint detection and response (EDR) or extended detection and response (XDR) solution, review the ATT&CK Evaluation results alongside other reputable third-party evidence, including verified customer reviews and analyst evaluations. Sophos XDR has also received notable recognition from industry analysts.

As you review the data on the MITRE portal for each participating vendor, consider the following questions in relation to your team and organization:

  • Does the solution help you identify potential threats and prioritize risks?
  • Is the information presented effectively, and what would make it more useful?
  • Who will be using the solution? Small business owners, solo professionals, Tier 3 analysts, IT specialists, or sysadmins?
  • Does the solution help you proactively identify and mitigate risks, with analytics and dashboards that support thorough threat assessment?
  • Are disparate events correlated? Are you doing manually the work the tool should handle automatically?
  • Does the EDR/XDR solution integrate with security tools from other vendors, such as firewalls, email gateways, cloud services, identity management systems, and network devices, so that threat intelligence, incident response, and analytics are shared across them?
  • Will you be using the solution on your own, or with a managed detection and response (MDR) partner?

MITRE ATT&CK Evaluations are among the world’s most respected independent security tests because they emulate real-world attack scenarios and publish their results transparently. Sophos participates in these rigorous evaluations alongside other leading security vendors. As a community, we stand together against a common adversary, and these evaluations help us improve in service of the organizations we protect.

These latest results further reinforce Sophos’ position as a leading provider of cybersecurity to more than 43,000 organizations worldwide and its standing as a trusted industry partner.

To gain insight into how Sophos can optimize your threat detection and response capabilities, driving exceptional results for your organization today.
