MITRE Posts Latest Findings of ATT&CK® Evaluations for Cybersecurity Solutions Against Ransomware

MITRE Posts Latest Findings of ATT&CK^® Evaluations for Cybersecurity Solutions Against Ransomware

MITRE posted the latest findings of its ATT&CK^® Evaluations (ATT&CK Evals), an independent and objective assessment of enterprise cybersecurity solutions. Through the lens of the MITRE ATT&CK knowledge base, the ATT&CK Evaluations Enterprise Round 6 focused on two distinct threat areas for a more targeted evaluation of defensive capabilities:

Windows (featuring Linux) emulations featuring common ransomware behaviors leveraged by cybercriminal groups.
macOS emulation featuring adversary behavior reflecting North Korea’s (DPRK) evolving tactics, including the development of advanced, multistage malware.

“The evidence-based results of the evaluations are a valuable resource for organizations in determining which cybersecurity solutions best address their needs,” said William Booth, general manager, ATT&CK Evals, MITRE. “In this round of our evaluations, we broadened the scope to include macOS and focused on new insights regarding efficiency and false positive rates to more accurately reflect the real-world performance of the solutions.”

Ransomware continues to be one of the most significant global cybercriminal threats across government and industry. Enterprise Round 6 focused on two ransomware variants, LockBit and CL0P, to emulate common behaviors prevalent across the ransomware ecosystem. LockBit, which law enforcement agencies have described as the “most deployed ransomware variant across the world,” is known for its use of sophisticated tools and dual targeting of Windows and Linux systems. CL0P is a ransomware family associated with the TA505 criminal group and leverages the “steal, encrypt, and leak” strategy across a variety of regions and sectors.

North Korea poses a significant cyber threat, targeting the global financial, defense, and technology sectors to fund the advancement of its nuclear capabilities. North Korea has increasingly expanded its targeting of macOS systems, gaining the ability to infiltrate additional high-value systems. The Enterprise Round 6 macOS-focused emulation featured multistage and modular malware that executed operations involving abusing legitimate macOS utilities and collecting and exfiltrating sensitive data.

Round 6 also includes Protection micro emulations. These emulations assess how enterprise cybersecurity solutions can protect against malicious behaviors in a post-compromise environment. Micro emulations involve short sequences of ATT&CK techniques that are frequently used together in real-world attacks.

The participants in this evaluation included:

The evaluations do not rank vendors and their solutions, but instead they provide insights and results that organizations can use to determine which vendors and solutions may best address their cybersecurity gaps and fit their particular business needs. Results are posted at https://evals.mitre.org/.

ABOUT MITRE

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. www.mitre.org

ABOUT MITRE ATT&CK^® EVALUATIONS

ATT&CK^® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity vendors turn to the Evals program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. All Evals results are public. https://evals.mitre.org/