Cortex XDR: Best Combined Prevention and Detection in MITRE Round 3

This post is also available in: 简体中文 (Chinese (Simplified))

In the MITRE ATT&CK round 3 evaluation, Cortex XDR delivered 100% threat protection and 97%+ detection visibility. The MITRE ATT&CK evaluations test the detection capabilities of leading security solutions by emulating the real-world attack sequences of the world’s most sophisticated advanced persistent threat (APT) groups.

Diving Into MITRE ATT&CK Round 3 Results

The 2021 MITRE ATT&CK results are out! Yesterday, MITRE Engenuity published the third round of the MITRE ATT&CK evaluations, which tested 29 participants’ ability to defend against the tactics, techniques and procedures (TTPs) leveraged by the Carbanak and FIN7 threat groups. We are thrilled to announce that Cortex XDR has once again delivered outstanding results in the face of these advanced threat actors.

MITRE ATT&CK Round 3 Detection Scoring

Focused on analyzing how detections occur, rather than assigning scores to vendor capabilities, MITRE categorizes each detection and capture and organizes detections according to each attack technique. Techniques may have more than one detection if a security solution detects a technique in different ways. All observed detections are included in the evaluation results.

Results of Cortex XDR Protecting Against Carbanak and FIN7

Figure 1. Cortex XDR had the highest combined protection and detection results in the evaluation. *Note: Data and charts based on MITRE results minus detections with a “Configuration Change” modifier.
Figure 1. Cortex XDR had the highest combined protection and detection results in the evaluation.
*Note: Data and charts based on MITRE results minus detections with a “Configuration Change” modifier.

We’re proud to build on our pattern of strong results. Highlights of Cortex XDR’s results against TTPs used by Carbanak and FIN7 include:

  • Blocked 100% of attacks in the protection evaluation on both Windows and Linux endpoints.
  • Achieved 97% visibility of attack techniques.
    • The best detection rates of any solution that also got a perfect protection score.
  • Of the attack techniques used, Cortex XDR identified 86% with an analytics detection, defined by MITRE as detections that provide additional context beyond telemetry.
    • 80% of which had an associated technique-level detection, the highest type of detection awarded in this evaluation.
  • Achieved the highest overall combined detection and protection rate in the evaluation.

The ATT&CK results reveal our dedication to preventing every possible threat and keeping our customers safe from the most nefarious adversaries. Because APT groups use existing apps and system tools to carry out their attacks, we have focused on accurately identifying and correlating malicious usage of these apps, without blocking legitimate activity.

Round 3 of the MITRE ATT&CK evaluations brought the optional addition of Linux endpoints and a “Protection” phase of the evaluation in which solutions were evaluated on their ability to block attacks on both Linux and Windows endpoints. Given our track record for excellent threat prevention and our extensive tooling for Linux endpoints, we opted in for both. Cortex XDR blocked all attacks across Linux and Windows while providing the highest detection rate and quality of detections of any vendor to do so.

Figure 2. Cortex XDR blocked 100% of attacks in the protection phase against both Linux and Windows.
Figure 2. Cortex XDR blocked 100% of attacks in the protection phase against both Linux and Windows.
Figure 3. Cortex XDR provided the second highest visibility overall and the highest of any vendor with a perfect protection score.
Figure 3. Cortex XDR provided the second highest visibility overall and the highest of any vendor with a perfect protection score.
Figure 4. 80% of attacks identified with the highest possible technique-level detection score.
Figure 4. 80% of attacks identified with the highest possible technique-level detection score.

Cortex XDR not only blocked all attacks in the first-ever MITRE ATT&CK protection tests, it also integrated log data from Palo Alto Networks Next-Generation Firewalls to increase detection fidelity. Detailed application, user and content information included in firewall logs enriched our analytics capabilities. Because Cortex XDR gathers and integrates network data with endpoint data, it provides deep visibility into application data.

Figure 5. Cortex XDR stitches together network and endpoint data to provide additional details, such as the App-ID “msrpc-base” for a network connection shown above, so that analysts get a complete picture of an attack.
Figure 5. Cortex XDR stitches together network and endpoint data to provide additional details, such as the App-ID “msrpc-base” for a network connection shown above, so that analysts get a complete picture of an attack.

Deep Visibility With Extended Detection and Response

While the latest MITRE ATT&CK evaluation allowed participants to analyze network data, the evaluation focused on endpoint attacks. Real-life attacks often target managed endpoints, but they can also involve unmanaged endpoints, cloud applications or even networking and security equipment. Therefore, security teams should consider a more holistic approach that extends beyond traditional endpoint detection and response (EDR) to provide enterprise-wide visibility.

Cortex XDR enables customers to stop modern attacks by applying AI and analytics to endpoint, network and cloud data. This combination of rich data and behavioral analytics not only contributed to Cortex XDR’s stellar evaluation results, but it also allowed Cortex XDR to block attacks from the SolarStorm group and to detect post-intrusion activity from the HAFNIUM group before the threat actors were publicly disclosed.

If you are interested in learning more about the attack scenarios emulated in this evaluation and the technologies that best protect and detect these techniques, join our upcoming webinar, “Carbanak+FIN7: MITRE ATT&CK Results Unpacked.”

 

testtest12