Threat actor groups like Wizard Spider and Sandworm have been wreaking havoc over the past few years – developing and deploying cybercrime tools like Conti, Trickbot, and Ryuk ransomware. Recently, Sandworm (suspected Russian cyber-military group) launched cyberattacks on Ukranian infrastructure targets.
To ensure that cybersecurity vendors are ready for battle, MITRE Engenuity employs real-life attack scenarios and tactics used by threat groups in order to evaluate security vendor’s ability to defend against attacks. This is the MITRE ATT&CK Assessment. Each vendor’s detections and capabilities are assessed within the context of the MITRE ATT&CK Framework.
They used techniques from Wizard Spider’s and Sandworms to evaluate their simulations. These vendors were not easy targets for MITRE Engenuity. As mentioned before – the stakes are too high, and risk is growing.
The 2022 results overview
To think about it simply, this MITRE ATT&CK Evaluation measured protection capabilities of 30 endpoint protection solutions. Two key measurements that are generated from the testing are Overall Detection and Overall Protection.
As one participating vendor, Cynet, explained in a blog post reviewing the results, “Overall Detection (What MITRE refer to as “Visibility”) is the total number of attack steps detected across all 109 sub-steps. Overall Prevention (What MITRE refer to as “Protection”) measures how early in the attack sequence the threat was detected so that subsequent steps could not execute. Both are important measurements and are indicative of a strong endpoint detection solution. “
The graph below shows the 2022 participating vendors’ overall detection and protection performance:
Here are the final results as a table :
How it works
MITRE ATT&CK uses a unique approach, testing 30 security vendors this year for their ability to protect against attacks that are currently happening in the wild. This is done by running the vendors in controlled environments. It creates an impartial assessment of their platform, capabilities and ability to respond to threat.
The results of these evaluations are released at the end of every March and are intended to be used by security teams looking to bolster their security program, which often entails identifying a cybersecurity provider. MITRE ATT&CK Evaluation evaluates specific capabilities through a publicly-facing method and gives an objective evaluation without ranking vendors’ performance.
The interpretation and determination of which vendor did the best job is up to you, the reader. And that’s where things get tricky.
The MITRE ATT&CK Evaluation results are meant to be a helpful resource, and it behooves security leaders and executives to learn how to leverage these results. It is difficult to understand what the results are in relation to other vendors’ performance.
The 2022 MITRE ATT&CK Evaluation Results Webinar
As security professionals will attest, it is not easy to interpret this data. Cynet, one of the vendors that participated in this year’s evaluation aims to bring some clarity to the confusion. The goal is to help organizations looking for a security provider use these results to assess which participating vendor’s capabilities best align with their needs.
Cynet’s CTO, Aviad Hasnis, will host this webinar series, starting on April 7, 2022. He’ll explain how you can use the MITRE ATT&CK Evaluation results as a tool in your search for a security vendor in addition to sharing details specific to Cynet’s performance. Find out more and sign up here.