{"id":6670,"date":"2023-09-22T17:01:53","date_gmt":"2023-09-22T15:01:53","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=6670"},"modified":"2023-09-22T17:01:53","modified_gmt":"2023-09-22T15:01:53","slug":"results-from-the-2023-mitre-engenuity-attck-evaluations-round-5-turla","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2023\/09\/resources\/results-from-the-2023-mitre-engenuity-attck-evaluations-round-5-turla\/","title":{"rendered":"Results from the 2023 MITRE Engenuity ATT&#038;CK Evaluations (Round 5: Turla)"},"content":{"rendered":"<p>The fifth round of\u00a0<a href=\"https:\/\/attackevals.mitre-engenuity.org\/enterprise\/turla\/\" target=\"_blank\" rel=\"noopener\">MITRE Engenuity ATT&amp;CK<sup>\u00ae<\/sup>\u00a0Evaluations<\/a>\u00a0has been released, assessing the ability of 30 endpoint detection and response (EDR) solutions to detect, analyze, and describe the tactics, techniques and procedures (TTPs) leveraged by one of the most sophisticated threat groups: Turla.<\/p>\n<p>We\u2019re going to spend most of this article explaining how\u00a0<strong>Sophos achieved 99% detection coverage<\/strong>, what contextual information\u00a0<strong>Sophos Intercept X<\/strong> presented to the user (in this case, MITRE\u2019s evaluation team), and how ATT&amp;CK Evals can be used to help select an endpoint security solution that aligns with your customers&#8217; specific needs.<\/p>\n<p>This is to say that we\u2019re not going to assess\u00a0<em>everything\u00a0<\/em>this round of ATT&amp;CK Evals covers because, quite frankly, that would be impossible. 
Not only do ATT&amp;CK Evals yield a ton of information, but there\u2019s no singular way of interpreting their results; there are no scores, rankings, or ratings, and no vendor is declared a \u201cwinner.\u201d<\/p>\n<p>There is nuance in the ways each vendor\u2019s tool works and how effectively it presents information to the analyst using it, but your customers\u2019 needs and individual preferences play as important a role in determining which endpoint security tool is best for them and their team as any other factor. If you\u2019ve heard gamers debate which console reigns supreme between PlayStation and Xbox, then you know what we mean (hint: the correct answer is Nintendo).<\/p>\n<h2>How did Sophos perform in the Round 5 MITRE Engenuity ATT&amp;CK Evaluations?<\/h2>\n<p>This round of ATT&amp;CK Evaluations focused on emulating adversary behavior associated with Russia-based threat group Turla.<\/p>\n<div class=\"embed-vimeo\"><iframe loading=\"lazy\" src=\"https:\/\/player.vimeo.com\/video\/865992322\" width=\"640\" height=\"360\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\" data-mce-fragment=\"1\"><\/iframe><\/div>\n<p>Similar to previous rounds, MITRE Engenuity executed multiple attack scenarios throughout the course of the evaluation.<\/p>\n<p><strong>Attack Scenario 1: \u201cCarbon\u201d<\/strong><br \/>\nThe first day of testing, titled \u201cCarbon,\u201d consisted of a multi-layer attack campaign targeting both Windows and Linux infrastructure via the deployment of Turla-specific malware, including\u00a0<em>Epic<\/em>, a backdoor commonly used during the initial stages of Turla\u2019s attacks,\u00a0<em>Carbon<\/em>, a second-stage backdoor and framework used to steal sensitive information from victims, and\u00a0<em>Penquin<\/em>, a remote access trojan (RAT).<\/p>\n<p><strong>Attack Scenario 2: \u201cSnake\u201d<\/strong><br \/>\nThe day two scenario, titled \u201cSnake,\u201d emulated an attack on a hypothetical organization focusing on kernel and 
Microsoft Exchange exploitation that once again leveraged\u00a0<em>Epic,<\/em>\u00a0as well as\u00a0<em>Snake<\/em>, a tool used for long-term intelligence collection on sensitive targets and considered one of the most sophisticated cyber espionage tools\u00a0currently in use, and\u00a0<em>LightNeuron<\/em>, a sophisticated backdoor used to target Microsoft Exchange servers.<\/p>\n<p><strong>Sophos Evaluation Results<\/strong><br \/>\nWith the \u201cCarbon\u201d attack scenario consisting of 76 substeps and \u201cSnake\u201d consisting of 67, the ATT&amp;CK Evals team executed a total of\u00a0<strong>143 attack substeps\u00a0<\/strong>during the evaluation.<\/p>\n<p><strong>Sophos Intercept X Results:<\/strong><\/p>\n<ul>\n<li><strong>99% Total Detection Coverage<\/strong>\u00a0(141 of 143 attack substeps)<\/li>\n<li><strong>98% Total Analytic Coverage\u00a0<\/strong>(140 of 143 attack substeps)<\/li>\n<li><strong>99% Analytic Coverage for \u201cCarbon\u201d<\/strong>\u00a0(75 of 76 substeps)<\/li>\n<li><strong>97% Analytic Coverage for \u201cSnake\u201d<\/strong>\u00a0(65 of 67 substeps)<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-465032 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Results.png\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Results.png 1430w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Results.png?resize=300,159 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Results.png?resize=768,406 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Results.png?resize=1024,541 1024w\" alt=\"\" width=\"1430\" height=\"756\" \/><\/p>\n<p>You can see a complete view of our results on the\u00a0<a href=\"https:\/\/attackevals.mitre-engenuity.org\/results\/enterprise?vendor=sophos&amp;evaluation=turla&amp;scenario=1\" target=\"_blank\" rel=\"noopener\">MITRE Engenuity results page 
for Sophos<\/a>.<\/p>\n<h2>How did Sophos\u2019 results compare to other participants?<\/h2>\n<p>We will reiterate once more that there\u2019s no singular way of interpreting the results of MITRE Engenuity ATT&amp;CK Evaluations. And, over the coming days and weeks, you are going to see countless vendor-created charts, graphs, and other visualizations that each frame the results in different ways (some more credibly than others).<\/p>\n<p>That said, one of the most common ways to view ATT&amp;CK Evaluation results at a macro level is by comparing Visibility (the total number of substeps that generated a detection of any kind) and Analytic Coverage (the number of substeps whose detection provided rich detail on the adversary\u2019s behaviors, rather than raw telemetry alone):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-465033 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Chart.png\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Chart.png 862w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Chart.png?resize=300,252 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Chart.png?resize=768,645 768w\" alt=\"\" width=\"862\" height=\"724\" \/><\/p>\n<h2>MITRE ATT&amp;CK detection categories explained<\/h2>\n<p>This year, the ATT&amp;CK Evals team completely overhauled how participant results are displayed in the evaluation portal, making it easier than ever to see detection categories for every attack scenario step and substep.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-465034 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png\" sizes=\"auto, (max-width: 1628px) 100vw, 1628px\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png 1628w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png?resize=300,156 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png?resize=768,400 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png?resize=1024,533 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/09\/Categories.png?resize=1536,799 1536w\" alt=\"\" width=\"1628\" height=\"847\" \/><\/p>\n<p>Detection quality is critical for giving analysts detail on the adversary\u2019s behavior so investigations and response actions can be executed quickly and efficiently.<\/p>\n<p><strong>Detection categories include:<\/strong><\/p>\n<ul>\n<li>Not applicable \u2013 There was no visibility (typically used in situations where the participant opted out or could not complete that portion of the evaluation)<\/li>\n<li>None \u2013 Nothing was detected; a \u201cmiss\u201d<\/li>\n<li>Telemetry \u2013 Minimally processed data shows that something happened, but not what it means; no context provided<\/li>\n<li>General \u2013 An abnormal event was detected, but there\u2019s no context on why or how; the \u201cWHAT\u201d<\/li>\n<li>Tactic \u2013 The detection includes info on the attacker\u2019s potential intent; the \u201cWHY\u201d<\/li>\n<li>Technique \u2013 The detection includes info on the attacker\u2019s method for achieving a goal; the \u201cHOW\u201d<\/li>\n<\/ul>\n<p>Substeps whose detection is classified as General, Tactic, or Technique count toward \u201cAnalytic Coverage,\u201d which is a measure of the EDR tool\u2019s ability to convert telemetry into actionable threat detections; a Telemetry-only detection counts toward Visibility but not toward Analytic Coverage.<\/p>\n<h2>How to use MITRE Engenuity ATT&amp;CK Evaluation Results<\/h2>\n<p>ATT&amp;CK Evaluations are among the world\u2019s most respected independent security tests due in large part to the thoughtful construction of real-world attack scenarios, transparency of results, and richness of participant information. 
When considering an EDR or Extended Detection and Response (XDR) solution, ATT&amp;CK Evaluation results should be weighed alongside other third-party proof points, including\u00a0<a href=\"https:\/\/www.gartner.com\/reviews\/market\/endpoint-protection-platforms\/vendor\/sophos\/product\/sophos-intercept-x-endpoint\" target=\"_blank\" rel=\"noopener\">verified customer reviews<\/a> and\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/press\/press-releases\/2023\/03\/sophos-named-leader-2022-gartnerr-magic-quadranttm-endpoint-protection\" target=\"_blank\" rel=\"noopener\">analyst evaluations<\/a>.<\/p>\n<p>As you comb through the data available in MITRE Engenuity\u2019s evaluation portal, look beyond the numbers and consider the following questions as they pertain to your customers. And keep in mind that some of them are questions the ATT&amp;CK Evaluation cannot help you answer.<\/p>\n<ul>\n<li>Does the tool help you identify threats?<\/li>\n<li>Does it present information to you the way you want it?<\/li>\n<li>Who will be using the tool? Tier 3 analysts? IT specialists or sysadmins?<\/li>\n<li>How does the tool enable you to conduct threat hunts?<\/li>\n<li>Are disparate events correlated? Is that done automatically, or do you need to do that on your own?<\/li>\n<li>Can the EDR\/XDR tool integrate with other technology in your environment (e.g., firewall, email, cloud, identity, network)?<\/li>\n<li>Are you planning to use the tool by yourself, or will you have the support of a Managed Detection and Response (MDR) partner?<\/li>\n<\/ul>\n<h2>Why we participate<\/h2>\n<p>As a closing note, we wanted to say how proud we are to participate in this MITRE Engenuity ATT&amp;CK Evaluation alongside some of the best security vendors in the industry. Yes, we compete with one another on the commercial side of our business, but we are\u2014most importantly\u2014a community united against a common enemy. We participate in these evaluations because they make us better, individually and as a collective. And that is a win for the entire industry and the organizations we defend.<\/p>\n<h2>Share with your customers<\/h2>\n<p>Sophos Intercept X with Sophos XDR brings together active adversary mitigations \u2013 including industry-first <a href=\"https:\/\/vimeo.com\/813614946\/28094f5214\">Adaptive Attack Protection<\/a>, which activates heightened defenses when a hands-on-keyboard attack is detected \u2013 actionable attack context and threat intelligence, and an intuitive detection and response platform.<\/p>\n<p>Find out more about\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\" target=\"_blank\" rel=\"noopener\">Sophos Intercept X<\/a> and <a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\/xdr\" target=\"_blank\" rel=\"noopener\">Sophos XDR<\/a>, discover\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/c\/selling-sophos-intercept-x\" target=\"_blank\" rel=\"noopener\">sales and marketing resources<\/a>, and also check out the\u00a0<a href=\"https:\/\/attackevals.mitre-engenuity.org\/enterprise\/turla\/\" target=\"_blank\" rel=\"noopener\">full report<\/a>.<\/p>\n<p>To share this news with your customers, please visit the Sophos Partner Portal, where you can <a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=20397&amp;q=MITRE%20\" target=\"_blank\" rel=\"noopener\">download an email template<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our view on this round of ATT&amp;CK Evaluations 
and how Sophos detected 99% of real-world threat activity.<\/p>\n","protected":false},"author":11,"featured_media":3000006666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[30,235,142,147,34],"coauthors":[64],"class_list":["post-6670","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-resources","tag-intercept-x","tag-mitre-attck","tag-sophos-endpoint","tag-sophos-xdr","tag-third-party-reviews"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2023\/09\/featured-image-MITRE-Turla.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/comments?post=6670"}],"version-history":[{"count":3,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6670\/revisions"}],"predecessor-version":[{"id":6675,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/6670\/revisions\/6675"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/media?parent=6670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/categories?post=6670"},{"taxo
nomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/tags?post=6670"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/coauthors?post=6670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}