A Modern Model for Cyber Adversarial Behavior

Organizations worldwide are facing an onslaught of targeted attacks, that is, attacks uniquely designed and executed against a specific enterprise or government entity. These attacks succeed far too often because they outperform enterprise security programs and outpace vulnerability, patch, and configuration management programs. At the heart of this problem is an outdated attack model implicit in most security programs. In other words, many enterprises, and the endpoint technologies that protect them, account for only a few attacker techniques, such as malware-based attacks. These outdated frameworks lack the comprehensive scope of techniques and technologies used by today's adversaries, who routinely operate without malware at all (built-in scripting interpreters, stolen credentials, and legitimate remote administration tools). Enterprises and vendors alike must adopt a modern model that accounts for this level of sophistication.

MITRE, a not-for-profit organization operating Federally Funded Research and Development Centers, created a model with that much-needed granularity. Starting in 2015, MITRE organized the vast array of observed cyber adversarial behavior into the "Adversarial Tactics, Techniques, and Common Knowledge" (ATT&CK™) Matrix, which groups individual techniques under the tactical goals (initial access, execution, persistence, privilege escalation, credential access, lateral movement, and so on) they serve. Today, the MITRE ATT&CK™ Matrix is the most widely adopted framework for describing the adversarial techniques and tactics that enterprises encounter daily.

MITRE ATT&CK™ has become the de facto reference for efficacy measurement in the security community. A growing community of developers, including Roberto Rodriguez, has built open source tools that apply the ATT&CK™ Matrix to help security programs map what they can detect against the techniques in the matrix, assess coverage, and identify gaps. While Roberto's use case for MITRE ATT&CK™ applies to threat hunting exclusively, the ATT&CK™ Matrix is effective across a range of use cases, including prevention, detection, and incident response.


MITRE ATT&CK vs. FIN7

The importance of testing program efficacy against MITRE ATT&CK™ can be understood by applying it to the highly impactful intrusions attributed to FIN7.


MITRE Evaluates Endgame

Endgame recently collaborated with MITRE to go beyond the scope of malware-based efficacy and measure its performance against targeted attacks that include the broader range of adversarial behavior. MITRE emulated the tactics and techniques used by APT3 (a prolific Chinese APT group) to determine Endgame's coverage of the ATT&CK™ Matrix. Endgame stopped the emulated APT3 intrusion before it reached the stage at which data theft or damage would have occurred.

At Endgame, we believe MITRE’s framework provides a far more realistic understanding of protection against targeted attacks compared to other testing regimens. We are committed to providing full transparency about the efficacy of our platform for customers and the broader community, and look forward to continuing to collaborate with MITRE to measure against more malicious attack types.


Innovating People, Processes, & Technology

By evaluating an enterprise security program against a more sophisticated and modern model, enterprises can identify the tactics and techniques their current controls do not cover, shift focus and resources to close those gaps, and become more proactive in countering the full range of adversarial behavior rather than only the malware-based subset.
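The coverage-and-gap assessment described here, and the open source tooling mentioned earlier that applies the matrix the same way, boil down to a simple join: an inventory of detections, each tagged with the ATT&CK technique IDs it covers, against the list of techniques grouped by tactic. The following is an added example, not code from this page, from Endgame, or from MITRE. It uses a small constructed subset of Enterprise ATT&CK techniques (the IDs and names are real, as numbered in the current matrix; a real assessment would load the full matrix from MITRE's published STIX/JSON) and a constructed detection inventory. It also handles the failure mode that silently inflates coverage numbers in practice: a rule tagged with a technique ID that is not in the matrix (a typo or a stale mapping from an older matrix version) is reported rather than ignored.

```python
"""ATT&CK coverage gap analysis over a constructed technique subset and rule inventory."""
from collections import defaultdict

# Constructed subset of Enterprise ATT&CK: technique ID -> (name, tactics it appears under).
# Note that one technique can sit under several tactics (e.g. T1053, T1055).
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    "T1547": ("Boot or Logon Autostart Execution", ["persistence", "privilege-escalation"]),
    "T1055": ("Process Injection", ["defense-evasion", "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1083": ("File and Directory Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1105": ("Ingress Tool Transfer", ["command-and-control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
}

# Constructed detection inventory: rule name -> technique IDs the rule is tagged with.
# Rule names are hypothetical; the last entry deliberately carries an ID not in the matrix.
DETECTIONS = {
    "powershell_encoded_command": ["T1059"],
    "lsass_memory_access": ["T1003"],
    "schtasks_create_from_office_app": ["T1053"],
    "remote_thread_in_foreign_process": ["T1055"],
    "certutil_download": ["T1105"],
    "legacy_rule_stale_mapping": ["T9999"],
}


def coverage_by_tactic(techniques, detections):
    """Join detections against the matrix.

    Returns (coverage, gaps, unknown):
      coverage: tactic -> (covered technique count, total technique count)
      gaps:     tactic -> sorted list of technique IDs with no detection
      unknown:  list of (rule, technique_id) pairs whose ID is not in the matrix
    """
    tactic_techniques = defaultdict(set)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            tactic_techniques[tactic].add(tid)

    covered = set()
    unknown = []
    for rule, tids in detections.items():
        for tid in tids:
            if tid in techniques:
                covered.add(tid)
            else:
                # Do not drop this on the floor: a bad tag means the rule
                # contributes nothing to coverage and someone must fix it.
                unknown.append((rule, tid))

    coverage, gaps = {}, {}
    for tactic, tids in tactic_techniques.items():
        hit = tids & covered
        coverage[tactic] = (len(hit), len(tids))
        gaps[tactic] = sorted(tids - hit)
    return coverage, gaps, unknown


def uncovered_tactics(coverage):
    """Tactics where the program has no detection for any technique at all."""
    return sorted(tactic for tactic, (hit, _) in coverage.items() if hit == 0)


def report(techniques, detections):
    """Human-readable gap report, one line per tactic plus a list of bad tags."""
    coverage, gaps, unknown = coverage_by_tactic(techniques, detections)
    lines = []
    for tactic in sorted(coverage):
        hit, total = coverage[tactic]
        missing = ", ".join(f"{tid} ({techniques[tid][0]})" for tid in gaps[tactic])
        lines.append(f"{tactic:<22} {hit}/{total} covered" + (f"  gaps: {missing}" if missing else ""))
    for rule, tid in unknown:
        lines.append(f"WARNING: rule '{rule}' references unknown technique {tid}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TECHNIQUES, DETECTIONS))
```

Run as-is, the report shows execution fully covered, privilege escalation at two of three techniques (T1547 missing), four tactics with no coverage at all (initial access, discovery, lateral movement, exfiltration), and a warning for the stale T9999 tag. Those empty tactics are exactly the "shift focus" targets the paragraph above describes; a program that only counts malware detections would show the same gaps while believing itself well protected.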

Endgame's prevention, detection and response, and threat hunting capabilities are built to provide the scope, speed and simplicity needed to cover the tactics and techniques in the ATT&CK™ Matrix. Moreover, with our focus on usability and augmenting the analytic workflow, the Endgame platform provides this coverage without requiring additional analyst resources.

If you’d like to dive deeper into how Endgame performed on MITRE’s evaluation, please reach out to us at products@endgame.com.