2022 MITRE ATT&CK Evaluations

Released March 31, 2022, the MITRE Engenuity ATT&CK® Evaluations covered 30 vendors and emulated the Wizard Spider and Sandworm threat groups.

Two key measurements that are generated from the testing are Overall Detection and Overall Protection.

About MITRE Engenuity

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for the public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.

MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges, such as protecting critical infrastructure, creating a resilient semiconductor ecosystem, building a genomics center for public good, accelerating use case innovation in 5G, and democratizing threat-informed cyber defense. (yahoo.com)

What are Wizard Spider and Sandworm?

ATT&CK Description

As described at https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-sandworm/:

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals. [1] [2]

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team’s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. Sandworm Team has been active since at least 2009. [1] [2] [3] [4]

As one participating vendor, Cynet, explained in a blog post reviewing the results, “Overall Detection (what MITRE refer to as ‘Visibility’) is the total number of attack steps detected across all 109 sub-steps. Overall Prevention (what MITRE refer to as ‘Protection’) measures how early in the attack sequence the threat was detected so that subsequent steps could not execute. Both are important measurements and are indicative of a strong endpoint detection solution.”

The ATT&CK® evaluation scenarios this year contained 109 sub-steps, covering a wide range of ATT&CK® tactics and techniques. One of the easiest ways to visualize the tactics and techniques included in the current round of ATT&CK® Evaluations is to use ATT&CK® Navigator – a web-based tool from MITRE for visualizing the ATT&CK® matrix.
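The two measurements are easy to confuse, so here is a small worked model of them. This is an added example, not code from MITRE Engenuity, Cynet or this blog: it scores a constructed set of sub-step results the way the quoted description frames the numbers (detection counts every sub-step that produced an alert; protection credits a block plus every later step in the same scenario that therefore never ran), then emits an ATT&CK Navigator layer so the techniques involved can be loaded into the Navigator for visualisation. The scenario data, technique IDs, scoring rule and Navigator version strings are assumptions for illustration, not the official evaluation data or scoring.

```python
"""Simplified model of Overall Detection vs. Overall Protection.

Added illustration, not MITRE Engenuity's or any vendor's scoring code.
The sub-step list below is constructed; a real round had 109 sub-steps.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SubStep:
    scenario: str       # which emulation the step belongs to
    order: int          # position in the attack sequence (1 = first)
    technique_id: str   # ATT&CK technique ID exercised by the step
    detected: bool      # vendor produced a detection (MITRE's "Visibility")
    blocked: bool       # vendor prevented the step from running ("Protection")


# Constructed sample data (assumption): two short scenarios, one per emulated group.
SAMPLE_RESULTS = [
    SubStep("wizard_spider", 1, "T1566.001", True,  False),  # phishing attachment
    SubStep("wizard_spider", 2, "T1204.002", True,  False),  # user execution
    SubStep("wizard_spider", 3, "T1059.001", True,  True),   # PowerShell, blocked here
    SubStep("wizard_spider", 4, "T1003.001", False, False),  # never ran: blocked earlier
    SubStep("sandworm",      1, "T1190",     False, False),  # exploit public-facing app
    SubStep("sandworm",      2, "T1505.003", True,  False),  # web shell
    SubStep("sandworm",      3, "T1021.002", False, False),  # SMB lateral movement
    SubStep("sandworm",      4, "T1486",     True,  True),   # data encrypted, blocked
]


def overall_detection(results):
    """Visibility: count every sub-step that raised a detection, wherever it sat in the chain."""
    return sum(1 for s in results if s.detected)


def overall_protection(results):
    """Simplified protection rule (assumption): once a step in a scenario is blocked,
    that step and every later step in the same scenario count as prevented, since the
    attacker never gets to execute them.  Returns the number of prevented sub-steps."""
    by_scenario = {}
    for s in results:
        by_scenario.setdefault(s.scenario, []).append(s)
    prevented = 0
    for steps in by_scenario.values():
        steps.sort(key=lambda s: s.order)
        blocked_at = next((s.order for s in steps if s.blocked), None)
        if blocked_at is not None:
            prevented += sum(1 for s in steps if s.order >= blocked_at)
    return prevented


def summary(results):
    """Both headline numbers plus the denominator, as a plain dict."""
    total = len(results)
    return {
        "sub_steps": total,
        "overall_detection": overall_detection(results),
        "overall_protection": overall_protection(results),
    }


def navigator_layer(results, name="Evaluation coverage (constructed sample)"):
    """Build an ATT&CK Navigator layer dict: score 2 = blocked, 1 = detected, 0 = missed.
    Version strings are assumptions; adjust to the Navigator build you load it into."""
    best = {}
    for s in results:
        score = 2 if s.blocked else 1 if s.detected else 0
        best[s.technique_id] = max(score, best.get(s.technique_id, 0))
    return {
        "name": name,
        "versions": {"attack": "10", "navigator": "4.5", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": "0 = missed, 1 = detected, 2 = blocked (constructed example)",
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": ["missed", "detected", "blocked"][score]}
            for tid, score in sorted(best.items())
        ],
    }


if __name__ == "__main__":
    print(summary(SAMPLE_RESULTS))
    with open("coverage_layer.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(SAMPLE_RESULTS), fh, indent=2)
```

Note how the same scenario yields different numbers: Wizard Spider's four steps produce three detections but only two prevented steps, because prevention is only credited from the first block onwards. That is the distinction the quoted passage draws, and it is why a vendor can look strong on detection and weak on protection or the reverse.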

Technique Scope

Environment

The evaluations will be performed in the Microsoft Azure Cloud. There will be two organizations with separate networks and domains, with Windows Defender disabled for certain portions of the evaluations. The networks will contain domain joined machines running Windows Server 2019, Windows 10 Pro, and CentOS 7.9. The versions are as follows:

  • Windows Server 2019
    • Publisher: MicrosoftWindowsServer
    • Version: 1809
    • SKU: 2019-Datacenter
  • Windows 10 Pro
    • Publisher: MicrosoftWindowsDesktop
    • Version: 20h2
    • SKU: 20h2-pro
  • CentOS 7.9
    • Publisher: Open Logic
    • SKU: 7_9
    • Kernel: 3.10.0-1160.15.2.el7.x86_6

Results

You can review the full test results for all 30 vendors at:

https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-sandworm/#sn-results

SHMUEL H.


Discover more from Rafael IT Blog
