ATT&CK® Evaluations Emulated Threats known as FIN7 and Carbanak
McLean, VA, and Bedford, MA, April 20, 2021— MITRE Engenuity released its third round of independent ATT&CK Evaluations for enterprise cybersecurity products from 29 vendors. The MITRE Engenuity team’s mission is to drive cyber innovation for public good by helping government and industry combat security threats and improve industry’s threat detection capabilities.
MITRE Engenuity’s focus on specific threats is based on extensive knowledge and research of the threat landscape, and prioritizes threats that offer unique impact to businesses and governments worldwide. Through the lens of the MITRE ATT&CK® knowledge base, MITRE Engenuity emulated the tactics and techniques of FIN7 and Carbanak, two threat actors that have each demonstrated the ability to compromise financial service and hospitality organizations, respectively, using malware and tradecraft. Together, these attack operations have resulted in the theft of more than $1 billion across hundreds of businesses over the past five years. Despite the arrest of key members in 2018, Carbanak and FIN7 remain active cyber threats to organizations globally.
MITRE developed and maintains the ATT&CK knowledge base, which is based on real world reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense.
The evaluations, which were paid for by the vendors, include products from: AhnLab, Bitdefender, BlackBerry Cylance, Broadcom, Check Point, Cisco, CrowdStrike, Cybereason, CyCraft, Cynet, Elastic, ESET, F-Secure, Fidelis, FireEye, Fortinet, GoSecure, Malwarebytes, McAfee, Micro Focus, Microsoft, OpenText, Palo Alto Networks, ReaQta, SentinelOne, Sophos, Trend Micro, Uptycs, and VMware.
The ATT&CK Evaluations team chose to emulate Carbanak and FIN7 because they both target a wide range of industries for financial gain, whereas prior emulated groups were more focused on espionage. As always, the Evaluations team also sought to balance previously tested techniques with untested techniques and variations on how those techniques were executed to best capture how the defensive solutions are evolving to address a diverse set of threats.
Previous evaluations pitted cybersecurity products from 12 vendors against the threat from APT3, a Chinese group that analysts believe most recently focused on monitoring Hong Kong-based political targets, and products from 21 vendors against the threat of APT29. Cybersecurity analysts believe APT29 operates on behalf of the Russian government and compromised the Democratic National Committee starting in 2015, and has recently been attributed with the SolarWinds supply chain injection.
“Not only are we seeing increased vendor participation with each new round of evaluations, plus many participants who found content from previous rounds valuable and want to continue collaborating with us, but we’re also seeing improved capabilities from the products each time, which helps make cyberspace safer for everyone,” said Frank Duff, ATT&CK Evaluations lead.
Seventeen of the vendors elected to take an optional protections extension to the detection evaluations where MITRE Engenuity examined their ability to block specific adversary techniques utilized by these groups. This was also the first time that the evaluations went beyond Windows systems and addressed techniques aimed at the Linux devices that are often used on enterprise networks as file servers, databases, and other non-workstation infrastructure.
For full results and more information about the evaluations, visit attackevals.mitre-engenuity.org.
Tanmay Ganacharya, partner director, Microsoft Defender Security Research
“Microsoft is thrilled to have participated in the MITRE ATT&CK evaluation for the third year in a row. The testing simulations provided by MITRE Engenuity are the most comprehensive tests that most closely mirror real-world attacks. The partnership with MITRE Engenuity is essential to enhancing our products to meet the needs of our customers and keep pace with the evolving threat landscape. We appreciate the collaborative and transparent nature of the evaluation.”
Ismael Valenzuela, senior principal, head of AC3, Applied Countermeasures team at McAfee
“At McAfee we know that cybercriminals are always evolving their tradecraft, and we are committed to provide cyber defenders the capabilities needed to win the game. To demonstrate our commitment, McAfee has participated in all of the three ATT&CK enterprise evaluations to date, including the latest with Carbanak and FIN7. In the most comprehensive evaluation to date, the MITRE ATT&CK team demonstrated their expertise completing four days of rigorous testing. This has a tremendous value to both our customers and our threat content engineers. As one of our blue teamers indicated, being part of these evaluations feels like being an engineer in a Formula One race team in the pit on the test track. We take the products for a spin and we use the telemetry to improve the efficacy of our protection, detection and response capabilities.”
Adam Bromwich, vice president and general manager, Symantec Endpoint Security, a Division of Broadcom
“Symantec is pleased to participate in the 2021 MITRE ATT&CK test, which provides a gold standard evaluation of today’s visibility, prevention and protection solutions. Our performance demonstrates the strength of the analytics-driven protection and detection technologies delivered in Symantec Endpoint Security (SES) Complete, and we are thrilled that our participation in MITRE Engenuity’s evaluation helps us continue raising the bar on innovation and providing security value to our customers.”
Jared Phipps, senior vice president, worldwide sales engineering for SentinelOne
“MITRE Engenuity ATT&CK Evaluations continues its stellar record in pushing the security industry forward and brings much-needed visibility and independent testing to the EDR space as practitioners sort through a complex threat and vendor landscape. Participating in all the evaluations has become an essential practice that we have used to improve our products further. At SentinelOne, we continue to be enthusiastic supporters for the work MITRE Engenuity is doing to painstakingly define and continually expand a common cybersecurity language that describes how adversaries operate.”
Ganesh Pai, CEO, Uptycs
“We chose to participate in the MITRE ATT&CK evaluation because we believe transparency and quantitative third-party vendor assessments are important for customers and the industry at large. We also wanted to showcase our agility and innovation with our Windows EDR capabilities that complement our market-leading strength in macOS and Linux. We’re proud to stand among some of the biggest vendors in the security industry and showcase our multi-OS detection capabilities—a testament to the hard work of our engineering and threat research teams.”
John Maddison, executive vice president of products and chief marketing officer, Fortinet
“Fortinet is a firm believer in independent security testing of all kinds- effectiveness, performance and capability. An outside perspective helps us make our products better and gives organizations a credible, often comparable benchmark. What we really like about ATT&CK Evaluations by MITRE Engenuity is that they not only show what a security product detects (and now protects), but also identify when, how and why. This insight “under the hood” of security products helps organizations to confidently apply the Evaluation results well beyond the specific campaigns emulated, to campaigns using similar reactions s and techniques, today and tomorrow.
This is just one of many areas in which we collaborate with MITRE; from the early definition of the STIX format to membership in the Center for Threat Informed Defense and the Round 3 ATT&CK Evaluation and more recently membership in the Sightings Ecosystem project this year. Fortinet continues to collaborate closely in the threat intelligence community.”
Ian Heritage, cybersecurity architect, Trend Micro
“The MITRE Engenuity ATT&CK Evaluation offers both transparency to customers and real-world attack scenarios, which are top highlights for our participation. This ensures that customers can actively evaluate security products to protect themselves from the latest advances from attackers based on their areas of greatest need.”
About MITRE Engenuity
MITRE Engenuity is a tech foundation focused in innovation for public good, collaborating with the private sector on challenges that demand public interest solutions, to include cybersecurity, infrastructure resilience, healthcare effectiveness, microelectronics, quantum sensing, and next generation communications. www.mitre-engenuity.org