How To Use & Extract Value from MITRE Engenuity ATT&CK® Evaluations
Knowing how to review ATT&CK Evaluations best empowers you to pick the vendor that is most relevant to your organization’s needs and helps you understand your tool. Many people stop their analyses of ATT&CK Evaluations at the summary, but it’s important to go beyond because:
- Each section informs the other for a meaningful analysis.
- The sum of what you discover in the details is greater than the whole found in single-number results.
Remember, we don’t compare or rate providers or tools. We only evaluate individual tools.
Evaluation Overview Page
Access an Enterprise Evaluation Overview
Each Enterprise evaluation round has information specific to that round. The overview page for each round provides high-level information and includes:
- Links to the results
- A list of participants
- A description of the adversary
- Emulation notes
- The technique scope
- Environment notes
- Detection categories
- Related resources about the evaluation
Detection Summary Screenshots
A detection summary shows a collection of screenshots from the provider. This allows users to quickly review the UX/UI of the tool.
Detailed Results & Screenshots
Within Evaluations results for every provider, there are specifics on each scenario and details for every step and sub-step of the emulation plan including:
- Tactic, technique, and sub-technique information
- Detection categories
- Detection criteria and data sources
- Screenshots of detections within the provider’s environment
These are linear tests with a defined start and end. They are opt-in and not every result includes them.
This includes provider product versions and descriptions used in the evaluation.
JSON (JavaScript Object Notation) File
The JSON file can be downloaded to dive more deeply into results and build internal analytics to further parse data.
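As an added illustration of the kind of internal analytics the page refers to, the script below loads a results file and rolls up, per sub-step, the best detection category achieved and which techniques went undetected by tactic. This is example code, not MITRE Engenuity's own tooling, and the field names (`steps`, `substeps`, `tactic`, `technique`, `detections`, `category`) and the embedded sample document are assumptions constructed for the example; the page does not show the real file layout, so adjust the accessors to match the downloaded JSON.

```python
import json
from collections import Counter

# Constructed sample in an ASSUMED shape. The real ATT&CK Evaluations JSON
# schema is not described on the page; rename the keys to match the real file.
SAMPLE_RESULTS_JSON = """
{
  "participant": "ExampleVendor (constructed)",
  "steps": [
    {"step": "1", "substeps": [
      {"substep": "1.A.1", "tactic": "Initial Access", "technique": "T1566.001",
       "detections": [{"category": "Technique"}]},
      {"substep": "1.A.2", "tactic": "Execution", "technique": "T1204.002",
       "detections": [{"category": "General"}, {"category": "Telemetry"}]}
    ]},
    {"step": "2", "substeps": [
      {"substep": "2.A.1", "tactic": "Defense Evasion", "technique": "T1562.001",
       "detections": []}
    ]}
  ]
}
"""

# Detection categories ordered from most to least context; a sub-step with
# several detections is credited with the richest one it achieved.
CATEGORY_RANK = ["Technique", "Tactic", "General", "Telemetry", "None"]


def best_category(detections):
    """Return the highest-ranked detection category among a sub-step's detections."""
    categories = {d.get("category", "None") for d in detections}
    for category in CATEGORY_RANK:
        if category in categories:
            return category
    return "None"


def summarize(results):
    """Roll up sub-steps by best category and list undetected techniques per tactic."""
    by_category = Counter()
    missed_by_tactic = {}
    total = 0
    for step in results["steps"]:
        for sub in step["substeps"]:
            total += 1
            category = best_category(sub.get("detections", []))
            by_category[category] += 1
            if category == "None":
                # Group gaps by tactic so coverage holes are visible per kill-chain phase.
                missed_by_tactic.setdefault(sub["tactic"], []).append(sub["technique"])
    return {
        "total_substeps": total,
        "by_category": dict(by_category),
        "missed_by_tactic": missed_by_tactic,
    }


def load_and_summarize(text):
    """Parse a results document (JSON text) and summarize it."""
    return summarize(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(load_and_summarize(SAMPLE_RESULTS_JSON), indent=2))
```

Crediting a sub-step with its best single category keeps the roll-up from double-counting a sub-step that produced both telemetry and a technique-level alert; the per-tactic list of misses is the part most useful when mapping results back to your own threat model.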
Call For Participation Now Open
ATT&CK EVALUATIONS WILL EMULATE Ransomware with an Introduction to macOS
Enterprise 2024 will focus on ransomware, with an introduction to macOS and targeting by the Democratic People's Republic of Korea (DPRK). This year, we examine common behaviors that are prevalent across prolific ransomware campaigns, such as the abuse of legitimate tools and efforts to evade defenses.
Call for Participation is open through April 30, 2024.
Evaluations by Industry
The ATT&CK Evaluations program continues to develop new methodologies and to open new rounds of evaluations. Currently, there are four types of ongoing ATT&CK Evaluations available:
ATT&CK® Evaluation for Enterprise empowers end-users to make more informed decisions on endpoint detection capabilities by articulating how each vendor can protect against or detect adversary behavior.
ATT&CK® Evaluations for Managed Services provides transparent and impartial insights into how managed security service providers (MSSPs) and managed detection and response (MDR) capabilities provide context on adversary behavior.
MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems (ICS) clarify anomaly and threat detection capabilities of industrial control systems security solutions.
Apply to be part of the ATT&CK Evaluations Community Advisory Board
Our commitment to innovation and consistency requires deeper interaction in a more structured format with the community we are looking to benefit. Our goal is to learn how we can make the data we present more accessible to the community at large. As an end user of ATT&CK Evaluations and a member of the infosec community, your insights are valuable to us.