MITRE ATT&CK 2024 Results for Enterprise Security
Enterprise 2024 will incorporate multiple, smaller emulations for a more nuanced and targeted evaluation of defensive capabilities. We’re excited to offer two distinct adversary focus areas: Ransomware targeting Windows and Linux, and the Democratic People's Republic of Korea's targeting macOS.
Another year, another MITRE eval. The good folks at MITRE have once again given security vendors an opportunity to put their money where their mouths are when it comes to their ability to protect against modern attack techniques. As always, Trend eagerly jumped in to show you what we've got.
By the way, if you haven't yet, join the MITRE Slack workspace or follow them on X to stay up to date with the latest MITRE ATT&CK news; the details are on the Contact page of the MITRE ATT&CK® site.
What's new this year?
- Two distinct adversary focus areas: Ransomware targeting Windows and Linux, and the Democratic People's Republic of Korea (DPRK) targeting macOS.
- Ransomware: "The evolution to the more adaptable Ransomware-as-a-Service (RaaS) model reduces barriers to entry for malicious groups, eliminating the need for custom malware and enabling less experienced operators to successfully target organizations. This democratization of ransomware has fueled a surge in ransomware attacks worldwide."
- DPRK: "North Korea has emerged as a formidable cyber threat, progressively leveraging cyber operations to fund the advancement of their nuclear capabilities. By expanding their focus to macOS, the DPRK gains the ability to target and infiltrate additional high-value systems, a method they have increasingly utilized over the past few years." "The macOS emulation will delve into adversary behavior inspired by the DPRK's shift into developing sophisticated, multi-stage malware."
- Read more here: ATT&CK® Evaluations
- macOS - While Windows is still more prevalent and more vulnerable, gone are the days when you could just run macOS and feel totally safe. This year, MITRE has included macOS to offer more platform-diverse assessments. It's important to remember that attackers don't discriminate - whatever industry you operate in, whatever OS you run, wherever you are in the world, it's important to remain vigilant. Naturally, Trend Vision One is available for Windows, Linux, macOS, and more.
- This year was way closer to a true real world test, and we're thrilled that MITRE has taken this step. It gives organizations a much better understanding of how each vendor prepares for modern and novel attack techniques.
Visibility and Detection
Not to toot our own horns, but Trend Vision One came storming out of the gate this year with:
- 100% analytic coverage for all major steps
- 100% analytic coverage for all sub-steps in Linux and macOS
- 100% analytic coverage for all sub-steps in server platforms (Windows/Linux)
- 99% analytic coverage for all sub-steps
Is Trend Vision One good at detecting threats? You bet it is. Trend Vision One leaves attackers with nowhere to hide.
In last year's Turla evaluation, we had a lower detection rate but still stopped every attack, meaning that there was no successful breach in any scenario. We talked about the trade-off of detections vs. noise. 100% detection is impressive, but it can also result in a high volume of alerts, something that security pros know all too well. This year we had 100% detection and a higher volume of alerts. This speaks to the trade-offs that security teams have to deal with as well: do we go for total visibility and accept that we'll have more alerts, or do we limit noise as much as possible without sacrificing too much on the detection side? Ultimately, each organization must determine where to strike that balance for themselves.
It's also important to note that not all alerts and not all detections are created equal. There are absolutely critical alerts and there are also (way more) 'other' alerts that are a bit like junk mail filling up your inbox. If you had to sort through all of those yourself, you'd probably never finish and you'd likely pull all of your hair out along the way. Alert prioritization is something that security teams simply should not have to live without. Fortunately, we have you covered there as well.
One of the great things about Trend Vision One is that it's not one or the other - we give you the tools to decide precisely where your team wants to be. The Workbench in Vision One gives you peace of mind by correlating alerts and prioritizing them while filtering out some of the noise and redundant alerts. On the other hand, Observed Attack Techniques in Vision One gives you a more unfiltered view akin to what you might see in a SIEM, while still arranging the alerts in order of severity. Trend customers always have access to both approaches, and they're never left looking at a mess of alerts and thinking, "…now what?" We show you where to start your investigations, and help you automate your response.
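To make the two views above concrete, here is an added example (not Trend Vision One's code, and not how Workbench or Observed Attack Techniques are implemented) that runs over a small set of constructed alerts: it suppresses repeats of the same alert inside a time window, groups what remains into per-host incidents ranked by severity and breadth, and also produces the unfiltered severity-ordered feed an analyst would see in a SIEM-style view. The host names, technique IDs and timestamps are constructed sample data.

```python
"""Alert de-duplication, correlation and prioritization on constructed alerts.

Added example, not Trend Vision One's implementation. It illustrates the general
trade-off discussed above: a correlated, prioritized queue versus an unfiltered
severity-ordered feed of every alert.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    technique: str   # ATT&CK technique ID the detection maps to
    severity: str    # one of SEVERITY_RANK's keys
    summary: str


@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)

    @property
    def max_severity(self) -> int:
        return max(SEVERITY_RANK[a.severity] for a in self.alerts)

    @property
    def techniques(self) -> set:
        return {a.technique for a in self.alerts}


def dedupe(alerts, window=timedelta(minutes=5)):
    """Keep the first of any run of identical (host, technique, summary) alerts
    that fire within `window` of the last kept one; count what was suppressed."""
    kept, last_seen, suppressed = [], {}, 0
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.host, a.technique, a.summary)
        if key in last_seen and a.ts - last_seen[key] <= window:
            suppressed += 1
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept, suppressed


def correlate(alerts):
    """Group surviving alerts into one incident per host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return [Incident(host=h, alerts=al) for h, al in by_host.items()]


def prioritize(incidents):
    """Most severe incident first; ties broken by number of distinct
    techniques (breadth of activity), then by alert volume."""
    return sorted(
        incidents,
        key=lambda i: (i.max_severity, len(i.techniques), len(i.alerts)),
        reverse=True,
    )


def severity_feed(alerts):
    """Unfiltered view: every alert, highest severity first, newest first within a level."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.ts), reverse=True)


# Constructed sample alerts: ws-01 fires the same PowerShell alert three times in
# two minutes, then a critical encryption alert; srv-02 has one lateral-movement
# alert; ws-03 has two discovery alerts 20 minutes apart (outside the window).
T0 = datetime(2024, 12, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0 + timedelta(minutes=0), "ws-01", "T1059.001", "medium", "Suspicious PowerShell"),
    Alert(T0 + timedelta(minutes=1), "ws-01", "T1059.001", "medium", "Suspicious PowerShell"),
    Alert(T0 + timedelta(minutes=2), "ws-01", "T1059.001", "medium", "Suspicious PowerShell"),
    Alert(T0 + timedelta(minutes=5), "ws-01", "T1486", "critical", "Mass file encryption"),
    Alert(T0 + timedelta(minutes=3), "srv-02", "T1021.002", "high", "Admin share access"),
    Alert(T0 + timedelta(minutes=10), "ws-03", "T1082", "low", "System info discovery"),
    Alert(T0 + timedelta(minutes=30), "ws-03", "T1082", "low", "System info discovery"),
]


def triage(alerts):
    """Full pipeline: returns (ranked incidents, suppressed count, unfiltered feed)."""
    kept, suppressed = dedupe(alerts)
    return prioritize(correlate(kept)), suppressed, severity_feed(kept)


if __name__ == "__main__":
    ranked, suppressed, feed = triage(SAMPLE_ALERTS)
    print(f"{suppressed} redundant alerts suppressed")
    for inc in ranked:
        print(f"{inc.host}: max severity {inc.max_severity}, techniques {sorted(inc.techniques)}")
    print("unfiltered feed:", [(a.host, a.technique) for a in feed])
```

Running it shows the same seven alerts presented both ways: the correlated queue puts the workstation with encryption activity at the top and collapses the repeated PowerShell alerts into one, while the feed still lists every surviving alert so nothing is hidden from an analyst who wants the raw view.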
There is a third choice as well: letting someone else worry about it all for you and taking back your evenings and weekends. You can read about how our MDR team performed in the recent MITRE Managed Services evaluation here: Attackers in Profile: menuPass and ALPHV/BlackCat. If you're looking for security that never sleeps, look no further than Trend.
Protection
Trend's ability to protect the enterprise against cyber threats has been our calling card for decades. In previous evals it was a forgone conclusion that Trend would block 100% of threats. This time around, we stopped 70%, which means that 3 techniques were not blocked by Trend Vision One. The good news is that by the time you're reading this, Trend Vision One has been updated with the required protections. It does however mean that certain techniques were not blocked that should have been blocked. But that's the beauty of these MITRE evals: we get a clearer picture of some of the things we need to work on next. Just about every single vendor that participated this year has room for improvement in this regard: proof that while it is the first line of defense, protection alone isn’t enough.
Why do we participate in these evaluations?
They’re a great litmus test of the work we do every day and help to keep us on our toes. We have thousands of satisfied customers all over the world, but the reason why we've been around for so long is because we never stop and we are never satisfied. We have some of the best threat researchers in the world working around the clock to make sure we're always staying ahead of attackers, and our products are put to the test every single day. MITRE evaluations are another way for us to do so and demonstrate to our customers that we live and breathe cybersecurity, and that we will never stop. I think our devotion to that mission is why security pros start their day in Trend Vision One.
"I live and die by my Vision One. First thing I do, I log in every morning. I look at my score."
Troy Riegsecker, Infrastructure Manager, Fischer Homes
While you're hopefully slowly winding down for the holidays, we're working on preparing for the next evolution of threats and the next MITRE evaluation. As always, stay vigilant, and if you want to see how Trend Vision One can help you stay ahead of attackers, check it out and try it for free.
Read about last year's evaluation here: Decoding Turla: Trend Micro's MITRE Performance