Cynet Reveals its MITRE ATT&CK 2020 Evaluation Results
Cynet Achieves 100% Visibility and Detection Across All Steps of the MITRE Carbanak+FIN7 ATT&CK Evaluation
Cynet is proud to announce our participation in the 2020 MITRE Carbanak+FIN7 ATT&CK Evaluation, allowing us to showcase the Cynet 360 platform’s broad range of protective capabilities. In this post, we provide a brief overview of the MITRE ATT&CK approach and discuss Cynet’s performance in the latest evaluation. These are the key takeaways:
- Cynet achieved 100% visibility and detection across each of the 20 ATT&CK steps evaluated, 10 on each of the two days of testing.
- Cynet detected 96% of the techniques presented in the ATT&CK Evaluation, demonstrating the platform’s ability to provide visibility and protection across the entire ATT&CK knowledge base.
- Cynet utilized the greatest number of data sources among the vendors evaluated, exhibiting our ability to detect and protect against more attack vectors before damage can be done.
- Cynet achieved a 100% detection and protection rate for the Linux platform. With the widespread and increasing deployment of Linux and Mac operating systems, providing full protection beyond Windows machines is no longer optional.
2020 MITRE Engenuity ATT&CK Overview
The MITRE ATT&CK Evaluation represents the industry’s fairest and most balanced investigation into how endpoint protection solutions react when subjected to multi-stage, real-world cyberthreats. An ATT&CK Evaluation draws on the tactics and techniques used by a known adversary to create a realistic test plan designed to emulate that adversary’s behavior. MITRE Engenuity recently released the results of its most recent ATT&CK Evaluation program, which tested the detection capabilities of 29 leading security vendors and the protection capabilities of 17 of those participants.
This year, MITRE Engenuity emulated an attack sequence inspired by Carbanak, a threat group that mainly targets banks, and the FIN7 threat group, which primarily targets the U.S. retail, restaurant, and hospitality sectors. Both groups leverage Carbanak malware. The ATT&CK Evaluations test the vendors’ platforms by emulating real-world attack sequences covering 174 separate ATT&CK substeps.
The emulated attack stages ranged from initial compromise via a PowerShell attack through exfiltration over a command-and-control channel. The test evaluated each vendor’s ability to detect suspicious and malicious activity for a security analyst and then protect against the identified threat.
Evaluation Results Validate Cynet’s Comprehensive Protection
The MITRE ATT&CK evaluation confirms Cynet’s leading detection and response capabilities. Following is a review of Cynet’s results in the 2020 MITRE Engenuity ATT&CK evaluation.
The Cynet team bolstered the platform’s alignment with the ATT&CK framework to provide users with a common language for quickly and clearly understanding the attack information provided. The following screenshot from the Cynet platform alert screen depicts the use of the ATT&CK framework’s nomenclature.
100% Visibility and Detection Across All Steps
Cynet achieved 100% visibility and detection across each of the 20 MITRE ATT&CK steps, including 100% visibility across the 10 major attack steps on Day 1 (Carbanak) and 100% visibility across the 10 major attack steps on Day 2 (FIN7). This means Cynet was ultimately able to detect and prevent each stage of the attack across the ATT&CK chain. Cynet detected 52 of the 54 techniques presented in the MITRE ATT&CK Evaluation, demonstrating the platform’s ability to provide visibility and protection across the entire ATT&CK framework.
Cynet XDR extends visibility beyond traditional EDR approaches by natively including telemetry intelligence for network and user activities to provide holistic, correlated, accurate visibility across your environment. Cynet XDR also includes a robust Deception technology component for an added layer of protection, which was not part of the testing done in this ATT&CK scenario.
The Leader of Data Sources Usage
Beyond detecting 96% of the techniques used in the ATT&CK Evaluation, Cynet is also a leading vendor in the use of data sources. Data source examples include network monitoring, script logs, process monitoring, system calls, the Windows Registry and many more. According to a MITRE blog from September 2020, “ATT&CK’s data sources provide a way to create a relationship between adversary activity and the telemetry collected in a network environment. This makes data sources one of the most vital aspects when developing detection rules for adversary actions mapped to the framework.” Use of these data sources extends Cynet’s visibility across our clients’ environments to detect and protect against more attack vectors before damage can be done.
100% Linux Detection and Protection
Prior ATT&CK Evaluations focused only on protecting the Windows environment, and even this year’s evaluation was primarily focused on Windows protections. This year, however, MITRE introduced a detection evaluation for the Linux operating system, which demonstrated Cynet’s capabilities in protecting both Linux endpoints and servers. Cynet was also able to prevent the attacks detected on the Linux operating system, mitigating them at the earliest stage possible (the first step of Test 4).
We’re proud to share that Cynet achieved a 100% detection rate for Linux techniques. As most companies operate in a mixed-OS environment, it’s critical to extend protection beyond Windows to both Linux and Mac operating systems. Cynet protection covers Windows, Mac and Linux operating systems, and more versions of these OSs than most other providers in this space.
The following chart shows the coverage of attack techniques detected on the Linux operating system that were classified in the “Technique” detection category.
The following screenshot highlights Cynet’s protection for Linux devices: it detects an attacker’s attempts to use the Linux machine to pivot to other (Windows) machines on the network. Again, broad visibility across a hybrid environment is critical to detecting threats and preventing them from establishing a foothold.
Comprehensive Protection
MITRE Engenuity evaluated 10 different attack stages, each containing multiple substeps inspired by Carbanak+FIN7. Cynet prevented over 60 attacks before further infiltration could take place in the test environment. Among the participating companies, Cynet’s prevention capabilities ranked in the top four (as shown in the chart below).
Cynet: A Leader in Detection and Protection Speed
Detecting an attack as early as possible is always preferable. Cynet’s Autonomous Breach Protection focuses on stopping attacks as early as possible along the kill chain, with high accuracy and minimal false-positive alerts. Cynet was among the fastest vendors in detecting and ultimately preventing attacks. The following chart shows the average number of substeps that were executed before protection took place; a lower number is better.
Summary
Cynet’s MITRE Engenuity ATT&CK Evaluation results confirm the protection capabilities of the Cynet XDR platform, including broad visibility and fast detection and prevention. Beyond the protection capabilities demonstrated in the MITRE ATT&CK evaluation, Cynet provides an extensive set of Response Automation capabilities to fully automate investigation and response actions, including automated root cause and attack scope analysis, followed by extended threat remediation actions across the entire environment.
Cynet also includes a 24×7 MDR service – at no additional cost – that bolsters the power of the platform with expert human oversight. Cynet’s MDR service ensures no risky threats are missed, while also providing threat hunting and detailed remediation recommendations and oversight.
Together, these capabilities enable any organization to put its cybersecurity on autopilot, streamlining and automating its entire security operations while providing enhanced levels of visibility and protection, regardless of the security team’s size, skills or resources, and without the need for a multi-product security stack.
You can learn more about Cynet’s results by registering for our Live Webinar, led by Cynet CTO Aviad Hasnis.