Making a case for the importance for real-time reporting is a simple exercise when considering almost every major campaign. Take the case of Shamoon, where analysis into the Disttrack wiper revealed a date in the future when destruction would happen. Similarly, cases where actors use different techniques in their attacks reveal that once mapped out, a story becomes visible. The question is, do you have visibility and early warnings into these threats and how timely are they presented to you so there’s time to respond?
MITRE’s ATT&CK for Enterprise, produced by the Cyber Security division of MITRE, is an adversarial behavior model for possible attacker actions. The ATT&CK matrix used is a visualization tool in the form of a large table, intended to help provide a framework to talk about attacks in a unified way. This is coupled to detailed descriptions of different tactics and techniques and how they differ from attacker to attacker.
When you participate in the assessment, MITRE is the red team simulating the techniques, used by APT3 in this case, and we as McAfee are the blue team using our products to detect their actions and report them. When the red team attacks us with a variant of a technique, as a blue team, we need to prove we detected it.
McAfee went through a MITRE ATT&CK assessment early this summer and we are excited to announce that MITRE has published the results of the APT3 assessment today on their website. In today’s cyber-threat landscape, it’s all about ‘time’, time to detect, time to respond, time to remediate, etc. When it comes to advanced attacks represented in APT3 – real time detections offer a significant advantage to incident responders to rapidly contain threats.
As the results show, McAfee provided the most real-time alerts while detecting the attacks. When real-time alerts and simple efficacy score, as calculated using criteria published by Josh Zelonis of Forrester, are considered together, McAfee occupies a leadership position in the upper right quadrant of the chart:
During MITRE’s APT3 evaluation, McAfee was the only vendor to display real-time alerts for certain attacks, including T1088: Bypass User Account Control, one of the techniques used by Shamoon.
While MITRE’s evaluation focused on MVISION EDR’s detection capabilities, there are several aspects that defenders need to consider in order to properly triage, scope, contain and close an incident. During the APT3 attack we generated 200+ alerts and telemetry datapoints which were the core of MITRE’s evaluation. Yet we don’t expect analysts to review them individually. In MVISION EDR those 200+ data points got clustered into 14 threats which added context to paint a more complete picture of what happened in order to speed triage.
Furthermore, analysts could trigger an automated investigation from a threat and therefore involve our AI driven investigation guides to bring more context from other products (e.g. ePO, SIEM), endpoint forensics, analytics and threat intelligence.
Investigation case collecting 4000+ pieces of evidence, linking it, showing expert findings and uncovering potential lateral movement between two devices
Thanks to our automated investigation guides, in the case of APT3, MVISION EDR was able to gather passive DNS information and link the evidence to further expose potential lateral movement and C2.
Although it was not exercised by MITRE, the next step for the analyst would have been to use MVISION EDR’s real time search to further scope the affected devices and take containment actions (e.g. quarantine, kill processes, etc).
McAfee has been engaged with MITRE in expanding the ATT&CK Matrix and helping to evolve future ATT&CK Evaluations. We are a proud sponsor of ATT&CKcon and will be exhibiting at ATT&CKcon 2.0 later this month. Come learn more about how automated AI-driven investigations can reduce the time to detect and respond to threats using McAfee MVISION EDR.
About the Author
Categories: Endpoint Security