Hot Topics
Security Bloggers Network 
SBN

21 cybersecurity products to combat APT29: MITRE weighs in

by Dan Virgillito on August 4, 2020

Introduction

MITRE, a not-for-profit organization based in the US, is best known for its globally accessible knowledge base of cyber adversary strategies and techniques popularly referred to as the ATT&CK frame. Recently, the organization conducted an independent set of evaluations on 21 cybersecurity products to help the industry and government make well-informed decisions in the battle against cyber threats. The results of the evaluations have now been released to the general public. 

Assessing cybersecurity products with APT29 simulations

Using its ATT&CK framework, MITRE chose to emulate the methods and tactics of APT29, a hacker group that many industry analysts believe works on the behalf of the Russian government. The evaluations involved 58 adversary techniques in several kill chain categories. Unlike past evaluations where product capabilities are assigned a certain score, these focused on highlighting how detections take place. 

The evaluations, which were sponsored by cybersecurity companies, comprised products from:

  • BlackBerry Cylance 
  • Bitdefender
  • Broadcom (Symantec)
  • CyCraft
  • Cybereason
  • CrowdStrike
  • Elastic (Endgame)
  • FireEye
  • F-Secure
  • GoSecure
  • Kaspersky
  • HanSight
  • McAfee
  • Microsoft 
  • Malwarebytes
  • Secureworks
  • SentinelOne
  • ReaQta
  • Palo Alto Networks
  • VMware (Carbon Black)
  • Trend Micro

Although the focus of this evaluation was endpoint detection and response (EDR), MITRE simulated APT29 end-to-end and across various attack vectors, allowing cybersecurity companies to benefit from visibility beyond endpoint security. 

One of the main reasons behind MITRE’s selection of APT29 is that it offered the opportunity to evaluate the cybersecurity products from different vendors against an adversary that utilizes sophisticated tactics through custom-built malware and alternative executions techniques, like WMI and PowerShell.

How was APT29 emulated?

MITRE shared two scenarios that emulate the ATP29’s publicly reported operational flows.

The first scenario involves the execution of a payload delivered by a spearphishing campaign, which is followed by the gathering and exfiltration of certain file types. Then, after the initial (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qtrudDm1DTM/

Dan Virgillito