In MITRE Engenuity’s recent Carbanak+FIN7 ATT&CK Evaluation, Microsoft demonstrated that we can stop advanced, real-world attacks by threat actor groups with our industry-leading security capabilities.

In this year’s evaluation, we engaged our unified Microsoft 365 Defender stack, with market-leading capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Identity collaborating to provide:

Best overall protection: In the protection test, Microsoft Defender for Endpoint blocked all steps of the two attacks, and did so earliest in the attack chain compared to other vendors. This means that organizations covered by Microsoft Defender for Endpoint would have been the least affected in a real attack, as the attack would have been blocked at the very beginning.

Superior detection and protection on Linux: Microsoft Defender for Endpoint was one of only a handful of vendors that saw all the attack steps on Linux and blocked the attack overall, all while providing exceptional visibility into Linux file server activity.

Excellent detection and attack chain visibility: Microsoft provided 100 percent coverage of attack chain steps, with more than 1,700 detections combined into two comprehensive incidents representing each of the end-to-end attacks. 87 percent of the techniques were covered while maintaining security operation center (SOC) efficiency.

Coordinated detection and visibility across Microsoft 365 Defender working in partnership with automation, prioritization, and prevention were key to stopping these advanced attacks.

It’s important to note that Microsoft operated in the ATT&CK Evaluation precisely as it does in customer environments: with out-of-the-box protection and detection delivered by automated AI and behavioral algorithms. No special “aggressive mode” was needed, nor were there any performance gaps. And while detection performance is what’s mainly measured by the evaluation, it’s equally important to see how attack activities, including alerts, techniques, and impacted assets, were correlated together into a coherent end-to-end attack story. For security teams, the user experience matters since it’s critical for the SOC analyst to be able to investigate and respond to such attacks effectively.

Best protection means threats are prevented from affecting your assets

This year’s MITRE Engenuity Carbanak+FIN7 Evaluation offered a new benchmark: measuring whether participants are able to prevent an advanced attack. We believe empowered protection is more than attack awareness; preventing attacks is critical to successfully securing the enterprise.

While many vendors chose not to participate in the MITRE Engenuity protection evaluation, Microsoft was positioned at the top of protection test capabilities, as shown in the diagram below, by blocking the attack simulation at the earliest stage on every test. Microsoft Defender for Endpoint blocked and alerted precisely where the simulated attack could have been completely avoided, providing a clear alert story of the prevented attack.

Figure 1: Number of tests in which the vendor blocked the attack at the earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test.

Microsoft delivers top-level cross-platform protection and detection

Microsoft Defender for Endpoint provides out-of-the-box full visibility, protection, and detection across a great variety of platforms, including macOS, multiple Linux flavors, Android, and iOS.

This year, MITRE Engenuity emphasized the importance of cross-platform protection by including an attack on a Linux file server, including advanced techniques such as system discovery, data collection, and lateral movement across Windows and Linux using remote service or pass-the-hash. A protection test was also simulated for the Linux platform.

Microsoft earned the best coverage results in all attack steps on Linux. As the diagram below shows, Microsoft Defender for Endpoint saw 100 percent of the simulated Linux attack techniques. In the protection test, it blocked the two attacks at the earliest stages of execution, making Microsoft one of the four top vendors for Linux protection and detection.

Figure 2: Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the two attacks at the earliest stage are represented in light blue.

An incident-based approach enables real-time threat prioritization and remediation

In the detection test, where protection was intentionally turned off, Microsoft demonstrated exceptional depth of coverage and visibility across all the 20 tested attack stages and across different platforms. Microsoft provided coverage for 87 percent of the techniques tested, representing end-to-end detection across the attack chain, including the most advanced steps.

Figure 3: Total detection counts across vendors, demonstrating leading detection coverage from Microsoft. Microsoft also correlated all the alerts into two incidents (representing distinct attacks), reducing alert queue noise and ensuring a more efficient and effective investigation of the attack.

We know the pain of security teams who must deal with alert load and queue fatigue, so Microsoft Defender for Endpoint applies its deep understanding of attack patterns and progression to correlate alerts, telemetry, and impacted assets and group them into a smaller set of comprehensive incidents. In this evaluation, this correlation resulted in two incidents, one for each attack simulation, reducing the queue to only two work items to investigate. Incidents enable SOC analysts to review the entire scope of the two attacks, including all alerts, blocking actions, and all supporting evidence, in a single consolidated view.

Figure 4: Microsoft 365 security center showing an incident view for one of the two simulated MITRE Engenuity attacks, including all correlated alerts, detections, affected assets, and supporting evidence

Each incident provides a summary of impacted machines and users to help analysts triage and prioritize at a glance. Details of alerted attack stages and related activities are mapped to MITRE ATT&CK tactics and techniques, summarizing in common language “what was done” (techniques) and “why it was done” (tactics), along with all accumulated evidence. Incidents provide full visibility into telemetry, down to process execution sequences for each stage of the simulated attack scenarios, including initial access, deployment of tools, discovery, persistence, credential access, lateral movement, and exfiltration.

Figure 5: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 6: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 7: Microsoft 365 security center showing a series of related endpoint alerts, demonstrating how Microsoft successfully correlated alerts together across the attack stages and exposed detailed data on each attack step.

Figure 8: Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious scheduled task. This view offers analysts in-context expanded views of task name, technique, and the process involved, in this case, a renamed wscript.exe.

Microsoft recently expanded the use of MITRE ATT&CK tactics and techniques across its security portfolio, including alerted execution sequences and detailed machine timelines, transforming telemetry into logical attacker activities mapped to MITRE ATT&CK techniques. This further improves the investigation and hunting experience for defenders, helping to tell the story of the attack, provide rich context, and drive the response process.

Figure 9: Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers.

Figure 10: Microsoft Defender Security Center showing the second day attack incident page, Evidence tab. SOC analysts can use this view to see and take one-click remedial actions on all the files, processes, IPs, and URLs involved in the attack

Unique cross-domain visibility is critical to defending against modern attacks.

The powerful capabilities of Microsoft 365 Defender originate from combining unique signals across endpoints, identity, email and data, and cloud apps. This combination of expertise delivers coverage where other solutions may lack visibility.

Lateral movement is a key stage in any advanced attack, where the attacker moves from asset to asset with the goal of gaining access to specific valuable information or to as many assets as possible for maximum damage. Identifying and tracking lateral movement is a critical phase in investigating attacks, establishing the scope, and removing the threat. The following are three examples of lateral movement simulated in this evaluation that were detected and exposed by Microsoft using signals from different workloads, delivering full coverage on every aspect:

File transfer over SMB: Microsoft’s unique approach for detecting lateral movement attacks does not exclusively rely on endpoint-based command-line sequences, PowerShell strings, or file operation heuristics that can be sidestepped by advanced attackers. Microsoft leverages direct optics into the Domain Controller via Microsoft Defender for Identity and correlates identity signals with device telemetry via Microsoft Defender for Endpoint. Microsoft uses a combination of machine learning and protocol heuristics, looking at anomalies such as forged authorization data, nonexistent account, ticket anomaly, logon anomaly, and time anomaly. These signals are correlated with file, process, and memory operations between different machines. Microsoft 365 Defender is the only product that provided the SOC with context of the source and target machines, resources accessed, and identities involved.

Figure 11: Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

Remote execution: Microsoft leverages exclusive signals from Microsoft Defender for Identity, which provides visibility and alerts for a large variety of anomalies in user behavior, including unexpected remote execution by a user. In the evaluation, Microsoft monitored user activity across machines and raised an automatic alert when a user suspiciously logged in using pass-the-hash and ran a service on a new machine.

Figure 12: Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

System discovery: Microsoft Defender for Endpoint uses Anti-Malware Scripting Interface (AMSI) to detect suspicious activity in memory. While many vendors rely on process operations and command-line, in the evaluation, Microsoft identified a system discovery activity running in PowerShell memory via AMSI. Detection algorithms analyzed the script loaded to memory and identified a discovery activity executed by the PowerShell process. The activity was detected, recognizing lateral movement at a very early stage, when the attacker was still learning the environment, and allowing quick remediation of the two attacks.

Figure 13: Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Real-life protection delivered, as-is, out of the box

Microsoft believes protection must be provided out of the box as automated AI-driven expert systems built into our security product portfolio. Our products should require minimal to no manual custom tuning or configuration to detect and protect, and they must be optimized to reduce false alerts, which are the main cause of friction and fatigue.

We brought to the MITRE Engenuity simulation environment the exact same product that customers deploy to their production environments with no special or aggressive test-optimized settings that may affect performance or degrade real customer productivity. The same level of alert coverage, accuracy (not measured by MITRE Engenuity in the test), visibility, and investigation experience is reflected in production deployments as it was in the test.

A final word

As mentioned in our initial blog on the MITRE Engenuity FIN7+Carbanak Evaluation, we are excited to collaborate and contribute to the evolution of this evaluation from one year to the next. It’s an opportunity for us to test the efficacy of our solutions and contribute to the security community as a whole. This is only one part of the greater collaboration and contribution efforts that Microsoft is focused on in the industry to strengthen defenses and respond to attacks. As we have seen in recent months, with attacks becoming more coordinated and sophisticated, community collaboration and sharing such as this can help us all take the steps needed for a safer world. We again thank MITRE Engenuity for giving us the opportunity and very much look forward to our continued partnership and the next evaluation.

Learn more about Microsoft 365 Defender and Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation appeared first on Microsoft Security.
