MITRE’s ATT&CK Evaluations to assess cybersecurity products based on APT29/Cozy Bear/The Dukes

MITRE’s ATT&CK Evaluations program will assess commercial cybersecurity products based on techniques used by APT29/Cozy Bear/The Dukes. Cybersecurity analysts believe the group operates on behalf of the Russian government, and that it compromised the Democratic National Committee starting in 2015.

Endpoint detection and response (EDR) vendors may apply for an evaluation via attackevals.mitre.org. The selection of vendors for evaluation is subject to MITRE’s sole discretion. The evaluations are paid for by vendors and are intended to help vendors better understand their product’s capabilities.

ATT&CK evaluations do not constitute a score, rank, or endorsement. MITRE also makes the evaluation results available to the public, so that other organizations can benefit from them and offer their own analysis and interpretation.

The evaluations use the ATT&CK framework, a MITRE-developed knowledge base of adversary tactics, techniques, and procedures that is based on published threat reporting. The framework is freely available, and is used by cyber defenders in areas including finance, healthcare, energy, manufacturing, retail, and government, to understand adversary behavior and tradecraft.

“Many security vendors have begun using ATT&CK to describe how their product capabilities detect known adversary behaviors,” said Gary Gagnon, MITRE vice president for cybersecurity strategy and chief security officer.

“Along with efforts like CVE and STIX/TAXII, it represents MITRE’s continued commitment to help build communities that change the way industry and government approach cybersecurity.”

“MITRE chose APT29 as the adversary to emulate for the second round because it complements our APT3 emulations and offers a new perspective on ATT&CK coverage,” said Frank Duff, MITRE’s lead engineer for the evaluations program.

“While APT3 has focused on noisier, process-level techniques – relying on pre-installed system tools that hide malicious activity within legitimate processes – APT29 offers the chance to measure against an adversary that uses more sophisticated implementations of techniques through custom malware and alternate execution methods, such as PowerShell and WMI. Additionally, their notoriety from recent breaches and their surgical approach to intrusions provide a very compelling story and international relevance.”

“ATT&CK Evaluations can help users understand a cybersecurity product’s true product capabilities and how to use them,” Duff said. “They’re also driving vendors to improve the capabilities of those products.”

MITRE’s initial round of evaluations, which included products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and SentinelOne, was based on the threat posed by APT3/Gothic Panda, with results announced in November 2018. Results for Cybereason and FireEye have since been released, and Palo Alto Networks was recently accepted for an evaluation.