MITRE ATT&CK Evaluation: Manufacturer vs. Elite Hackers

5. May, 2020

APT29, also known as Cozy Bear, is one of the most organized and technically skilled hacker groups. It has been operating since at least 2008, is associated with the Russian government and has been linked to attacks on Western European governments and foreign-policy lobby groups. In other words, no one wants to end up on the APT29 target list.

Exactly this worst-case scenario was the test setting for the latest MITRE ATT & CK evaluation. [1] The American non-profit organization confronted 21 loaded manufacturers, including IKARUS´ technology partner FireEye, with real attack scenarios from APT29.

Transparent test processes and results

In the first test scenario, data from a large-scale “spray and pray” spear phishing campaign is executed, followed by a rapid “smash and grab” action in which specific file types are collected and exfiltrated. This allows assessing the potential value of the victim`s system and as a result, using a better camouflaged toolkit, which further compromises and searches the network.

The second test scenario describes a targeted, methodical data access. Specially tailored applications check the target system in detail before they are executed. This is followed by a careful gradual takeover of the entire domain. Both test scenarios also include previously established persistence mechanisms, which are called up after a defined period to extend the intrusion’s range.

The test results do not include a ranking or an evaluation. Rather, they are intended to give users and manufacturers insights into which techniques show good results, which additional information is collected and transmitted, how commercial products are used effectively and in which areas can be optimized.

Focus on information instead of rankings

“FireEye achieved the broadest coverage of all participants and also the highest number of cumulative detections,” said Michelle Salvado, Vice President of Engineering and Endpoint GM for FireEye, commenting on the test results. Thanks to detailed background knowledge and Mandiant Services, the security company, which has a strong focus on threat intelligence, was able to achieve comprehensive threat detection.[2]

In the new MSSP (Managed Security Service Provider) category, FireEye also has one of the highest numbers of advanced alerts – a proof of FireEye’s sophisticated hunting and detection techniques. “We know more about the enemy than other security providers. And as attacks evolve, the broader detection and protection that FireEye Endpoint Security and Mandiant Managed Defense can provide becomes more relevant,” said Michelle Salvado.

“APT29’s attack techniques are state of the art and are not only relevant to government-related organizations,” says Andreas Senn, Country Manager Austria at FireEye. “Critical infrastructures and international companies also do well to stay informed about the group’s goals and methods. Nobody is immune to imitators and widespread phishing campaigns”.

International services with local hosting

As a FireEye Platinum Partner, IKARUS Security Software expands its own technical portfolio with FireEye services. Most of the services are integrated into the IKARUS data center in Vienna. IKARUS can thus offer local data processing in Austria exclusively for FireEye products. As system integrator and central, tangible contact, the Austrian security provider provides consulting, coordination and integration as well as technical support for maximum security and best service.

In addition, IKARUS offers the unique opportunity to complement the award-winning antispam solution IKARUS mail.security with the cost-effective ATP add-on from FireEye: Emails that have been classified as neither harmful nor harmless after hundreds of reputation and content-based checks are additionally checked with FireEye’s signature-free sandboxing approach. The targeted use of these advanced analysis methods also gives small and medium-sized companies affordable access to highly professional security precautions and the highest possible level of protection.