04/20/2021 | Press release | Distributed by Public on 04/20/2021 10:24
Today, MITRE Engenuity published their latest round of ATT&CK Evaluation results. The ATT&CK Evaluations team assessed the capability of 29 different endpoint security products to detect a range of common cyber-criminal tactics and techniques, as reflected in the real-world Carbanak and FIN7 campaigns. The evaluation is a non-trivial undertaking; it covers more than 20 different steps in the attack lifecycle, which include a total of more than 170 sub steps. The MITRE Engenuity ATT&CK results provide important insight into the inner workings of each security product beyond these test campaigns. We believe the ability to detect the techniques and tactics used for the evaluation can be reasonably inferred to apply to other campaigns as well, including campaigns that don't exist yet.
In 2020, MITRE introduced a new Protection evaluation which tested a subset of the products to determine their ability to block key techniques and tactics rather than just identifying and logging them. The ability to detect malicious activity is important, but blocking is often preferred, given the sophistication of today's cyber threats and recognition that 100% prevention over an extended period of time is unsustainable.
You might ask, 'Isn't it always better to block malicious activity?' But that's not always the case. Blocking, especially behavior-based blocking is not always better because many behaviors that are malicious in the context of a cyber-campaign may also be common in legitimate operation. Although blocking of behavior may look good in tests like MITRE Engenuity ATT&CK Evaluations, it's not always the answer for security products that are deployed in production environments. In some cases, even detection may result in more volume and investigative effort than value. Results of the MITRE testing of our FortiEDR product demonstrate this concept.
Here is one example. Test 13 replicates the actions of the FIN7 campaign, which is designed to expand access within an organization. It starts with the download of two files by PowerShell. Although FortiEDR identifies it as suspicious activity, it is still allowed to run because in certain cases like IT scripts, PowerShell is legitimately used to download files. Next, PowerShell attempts to log in to a valid account of a valid user to access an admin shared drive. So while the action is detected and recorded, it may remain inconclusive given the validity and because nothing definitively malicious has occurred. As FortiEDR continues to monitor and collect evidence, it is allowed to run. However, as soon as the downloaded file attempts to maliciously exfiltrate data via HTTPs, the blocking action takes place. The blocking takes place before the damage can occur, and afterwards and automated response works to undo the malicious activity.
FortiEDR was developed to protect data and automatically stop breaches in real time without having an effect on the system or users. Fortinet's patented code tracing capability enables FortiEDR to analyze deep system activity and precisely identify the suspicious operations. It can block specific malicious activities such as command and control, data exfiltration, in addition to file tampering, such as ransomware encryption.