For the third year in a row, Microsoft successfully demonstrated industry-leading defense abilities in the independent MITRE Engenuity ATT& CK( Adversarial Tactics, Techniques, and Common Knowledge) Evaluations.

As the attack surface evolves on a near-daily basis, menace performers are creating more advanced techniques targeted across domains such as endpoints, identities, emails, records, and cloud apps, requiring security solutions with the capability to automatically analyze threat data across these realms and build a complete picture of the attacks. The 2020 ATT& CK Evaluations concentrated on advanced menace actors known to the industry as FIN7 and Carbanak( likewise called Carbon Spider ). This year’s rigorous evaluation included new benchmarks of detecting and protecting simulations of more than 174 paces across the attack chain, affecting both Windows client endpoints, servers, and, for the first time, Linux devices.

This cross-platform, sophisticated onslaught simulation significantly elevated the stakes for detection and protection, and we are proud to report that results showed Microsoft Defender for Endpoint effectively identified and prevented malicious activity at every major attack stage. In this evaluation, we were able to put Microsoft Defender for Endpoint’s Linux capabilities to the test. MITRE Engenuity ran the simulated Carbanak and FIN7 attack end-to-end and across multiple assault domains, intending defenders obtained from the added abilities in Microsoft 365 Defender and get visibility beyond only endpoint protection. MITRE Engenuity’s ATT& CK Evaluations makes showed that Microsoft provides 😛 TAGEND

Industry-leading protection: Microsoft’s industry-leading abilities rapidly identified suspicious activity and offered real-time containment to rapidly stop the attack. Superior detection and protection on Linux: Microsoft Defender for Endpoint blocked everything on Linux, exceptional detection, protection, and visibility that comprehensively captured Linux file server activity. Excellent detection and visibility across the attack chain: Our world-class SecOps experience and Microsoft 365 Defender capabilities depicted the full attempt story across domains and rapidly correlated all activity down to two incidents.

Three circular icon graphics depicting that Microsoft offers industry-leading protection, superior detection and protection on Linux, and excellent detection and visibility across the attach chain.

Figure 1. MITRE Engenuity’s ATT& CK Evaluation makes proving that Microsoft provides industry-leading protection, superior detecting and protecting on Linux, and excellent detecting and visibility across the attack chain.

Microsoft participated in the ATT& CK Evaluations because we believe it is the most comprehensive testing environment that most closely reflects real-world attacks. Our mission is to empower world-class champions by ongoing efforts to drive product excellence, listening to patrons, and investing in research to deliver intelligent solutions. We attribute this success to these investments and our customer-first approach.

Microsoft Defender once again prevails over the adversary

Microsoft’s massive depth and width of security rights optics and threat intelligence is integrated into Microsoft Defender products and uniquely enables us to stand out in complex attack scenarios.

Industry-leading protection

Microsoft Defender for Endpoint blocked the two attacks at the earliest stage, furnishing containment in real-time. Defender for Endpoint speedily recognized the suspicious activity and incriminated it as malicious. This prevented the attacker from taking actions that may have had a negative impact on the machine, such as shell execution, breakthrough, persistence, or exfiltration, effectively blocking the simulation and stopping the attack from proceeding.

Defender for Endpoint alert page: SystemPropertiesAdvanced.exe attempts to execute code in the illegitimate srrstr.dll and being blocked by Defender for Endpoint.

Figure 2. Defender for Endpoint alert page: SystemPropertiesAdvanced.exe attempts to execute code in the illegitimate srrstr.dll and is blocked by Defender for Endpoint.

Microsoft Defender for Endpoint furnished extensive visibility and coverage for the attack chain on Linux.

Superior detecting and protection on Linux

Our endpoint security abilities for Linux fit seamlessly into the attack story, and Microsoft Defender for Endpoint was able to provide extensive visibility and coverage for the attack chain, which indicates how essential endpoint detection and response( EDR) detecting, protection, and visibility are for navigating today’s Linux threat landscape. Defender for Endpoint was able to completely capture Linux file server activity, including sign-in, linkages, read and copied files, various discovery activities, and Pass-the-Hash( PtH ). We are proud to offer this kind of coverage on Linux as we continue to extend endpoint security capabilities across all the major platforms( Windows, Linux, macOS, Android, and iOS ).

Defender for Endpoint alert page on a Linux device: Lateral movement attack story, from remote system discovery, suspicious login and remote code execution using Python from Linux device to endpoint.

Figure 3. Defender for Endpoint alert page on a Linux device: Lateral motion onslaught tale, from remote system breakthrough, suspicious login, and remote code execution using Python from Linux device to endpoint.

Microsoft 365 Defender dramatically reduced alert noise from over 1,000 alarms down to just two incidents.

Excellent detecting and visibility across the attack chain

The results of the ATT& CK Evaluation highlighted our deep detection capabilities and the comprehensive optics across the attack chain, including 😛 TAGEND

Detecting advanced attack techniques on endpoints: Microsoft Defender for Endpoint recorded and alerted on all malicious activities across the attack chain, including advanced onslaught techniques such as injections, shellcode executing, execution using scheduled undertakings, UAC bypass, web browser and OS credentials collect, screen and keystroke collect, and persistence use application shimming. Provide deep visibility into the timeline of events on machines: Microsoft 365 Defender presented a detailed view of the events taking place on the machine through the machine timeline. The machine timeline likewise provided a new capability to surface attack techniques: a specific sequence of standalone events is combined to build a more meaningful representation of identified attack technique. This recent addition to the device timeline empowers Security Procedure Center( SOC) analysts to glean more insight into the activities on the device, as well as the potential reason for their executing.

Defender for Endpoint device timeline on a Linux device: Lateral movement technique for remote code execution from Linux device to endpoint is highlighted.

Figure 4. Defender for Endpoint device timeline on a Linux device: Lateral movement technique for remote code executing from Linux device to endpoint is highlighted.

Identifying activities associated with compromised identities: Leveraging both machine and identity signals, Microsoft 365 Defender furnished deep visibility and alerting for actions taking place on a device by what’s known as a compromised report. Microsoft 365 Defender utilized sophisticated techniques, such as pass-the-hash and pass-the-ticket. Microsoft Defender for Identity analyzed and saw report compromise at the domain level, tracking and alerting account activity for lateral motion using remote service creation. Having this view beyond endpoint and across other domains, such as identities, is a unique advantage of Microsoft 365 Defender, dedicating customers more robust security against today’s modern, multifaceted menaces.

Defender for Identity alert page: Lateral movement using remote code execution from Windows server to endpoint detected by Defender for Identity as a suspicious identity behavior for user kmitnick.

Figure 5. Defender for Identity alert page: Lateral movement employing remote code execution from Windows server to endpoint detected by Defender for Identity as a suspicious identity behaviour for consumer kmitnick.

With this depth of detection capabilities and breadth of visibility, Microsoft 365 Defender rendered a federated belief of the two attacks and empowered SOCs to respond by delivering 😛 TAGEND

A detailed attack tale of alerted activities is linked together, tagged with the appropriate MITRE ATT& CK techniques, and included every needed part of data. This was achieved through our massive optics and unique native consolidation of signal, sources, and capabilities, enabling the SOC analyst to arrive at an accurate conclusion and act effectively.

Defender for Endpoint alert page: Lateral movement using remote desktop connection, script execution via Registry run key, and suspicious script execution being detected.

Figure 6. Defender for Endpoint alert page: Lateral motion employing remote desktop connection, script executing via Registry run key, and suspicious script execution being detected.

Two meaningful incidents to be derived from over 1,000 alarms, bringing together the rich information and context necessary for SOCs to effectively evaluate the scope of the attack, without the volume of triage and investigation project that are usually needed. With today’s limited time and resources, security squads need tools that rapidly and effectively investigate challenging scenarios, such as lateral motion from Windows to Linux and suspicious behavior across the organization by a compromised identity.

Microsoft 365 Defender incident page correlating all the devices, users, alerts, and evidence that describe the first attack simulated by MITRE Engenuity.

Figure 7. Microsoft 365 Defender incident page correlating all the machines, customers, alarms, and evidence that describe the first attack simulated by MITRE Engenuity.

MITRE Engenuity Carbanak and FIN7 Evaluation details

The 2020 MITRE Engenuity ATT& CK Evaluations reflect an evolution of industry testing that Microsoft supports and is happy to contribute to. Our participation demonstrates our commitment to work with the industry to evaluate our capabilities employing modern approaches that simulate real-world attack scenarios and that allow participants to learn from each other.

In this evaluation, MITRE Engenuity expanded the scope to evaluate protection and detecting capabilities on Linux, as well as Windows, as the Carbanak and FIN7 attacker groups used tools that interacted with both platforms, including point of sale specific technologies. We were aroused to set our Linux capabilities to the test in this evaluation as we’ve continued to extend endpoint security across all the major platforms( Linux, macOS, Android, and iOS ). This time, MITRE Engenuity did not include overseen security service providers( MSSP) in the evaluation. This means that all the protection and detecting value presented by Microsoft Defender for Endpoint is the result of fully automated, AI-driven advanced algorithms meant to protect organizations from advanced attempts with no additional services needed. Finally, for the first time, MITRE Engenuity executed two evaluations. The first was a detection evaluation, which tested our visibility and awareness of an ongoing attack and its techniques. The second was a protection evaluation, which tested our capabilities to block the attack at an early stage.

To amply execute the end-to-end detecting and protecting simulations of Carbanak and FIN7, MITRE Engenuity required participants to provide two different environments 😛 TAGEND

Detection environment: MITRE Engenuity asked participants to turn off all proactive protection and blocking capabilities. For Microsoft Defender for Endpoint and the additional value of Microsoft 365 Defender, this intend all capabilities that are usually block this kind of attack, such as automatic remediation flows, application lonelines, attempt surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus prevention were turned off. Protection environment: All proactive protection and blocking capabilities are turned on. Some stairs executed in the detection evaluation were chosen by MITRE Engenuity to be tested in a protection setup. That enabled Microsoft 365 Defender to prove its blocking abilities for a variety of steps, where it prevented and blocked executing at a very early stage of each step.

Real-world testing is critical to detection and prevention

As the security landscape modifications, we are on a mission to help champions solve the toughest and more critical difficulties. Coordinated, targeted, and advanced attempts carried out by sophisticated antagonists are some of the most complex menaces that safety squads encounter. This is why participating in evaluations such as MITRE ATT& CK is so important in ensuring we’re delivering answers that empower defenders to protect their organizations. Our vision with our Microsoft Defender products is to provide industry-leading, best-of-breed, cross-domain security for the modern workplace. Microsoft 365 Defender is designed to provide extended detecting and response( XDR) by combining protection for endpoints( Microsoft Defender for Endpoint ), email and productivity tools( Microsoft Defender for Office 365 ), identities( Microsoft Defender for Identity ), and cloud applications( Microsoft Cloud App Security ). This unique combination helps to stop attempts before they happen, enables a rapid and complete response, and devotes back time to the security team to focus on their more critical priorities.

In response to MITRE Engenuity’s call for community contribution pertaining to the Carbanak and FIN7 performer groups, Microsoft researchers worked to consolidate and share threat intelligence with MITRE Engenuity. Microsoft shared key similarities and differences in focus, tooling, and runnings observed for these two groups, as well as shared evidence for known and new tactics, techniques, and procedures( TTPs ). This year, MITRE Engenuity elevated their assault scenarios, starting from gathering threat intelligence and then through the implementation of sophisticated and realistic onslaught chains. We’re delighted to see that MITRE Engenuity incorporated the feedback Microsoft shared from previous rounds and that this evaluation continues to evolve with every year. This kind of collaboration and continued evolution is of benefit to all in the security community. We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Learn more

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile menace defense. With our answer, menaces are no match. Take advantage of Microsoft’s unrivaled menace optics and proven abilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign on for a trial today.

To learn more about Microsoft Security answers visit our website . Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MITRE Engenuity ATT& CK( r) Evaluation proves Microsoft Defender for Endpoint stops advanced onslaughts across platforms appeared first on Microsoft Security .

Read more: microsoft.com