Archive for the ‘MITRE ATT&CK’ Category

Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders

The MITRE Center for Threat-Informed Defense, Microsoft, and other industry partners collaborated on a project that created a repeatable methodology for developing a top MITRE ATT&CK® techniques list. The method aims to facilitate navigation of the ATT&CK framework, which could help new defenders focus on critical techniques relevant to their organization’s environment, and aid experienced defenders in prioritizing ATT&CK techniques according to their organization’s needs.

The ATT&CK framework provides an extensive list of specific techniques that can be challenging to navigate in some situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, applied to research on 22 ransomware attacks, the repeatable methodology produced a top 10 ransomware techniques list.

The project also included the development of a customizable, web-based calculator that seeks to prioritize techniques based on a defender’s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:

This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization’s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.

Establishing the top ATT&CK techniques

The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.

Prevalence is how frequently a specific ATT&CK technique is used by attackers over time. The more often a technique is used, the more likely it is to appear across many attack scenarios, so a defender is more likely to encounter a technique with a high prevalence ranking. Prevalence was determined using the Center’s Sightings Ecosystem project from April 2019 to July 2021, which recorded 1.1 million sightings spanning 184 unique ATT&CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.

A histogram that presents the number of attacks observed from January 2019 to April 2021, to show prevalence. This chart is originally from the MITRE Sightings Ecosystem project.
Figure 1. Attacks over time (MITRE Sightings Ecosystem Project)

Choke points are techniques whose disruption hinders an attacker because they are a point of convergence or divergence in the attack chain. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.

A diagram illustrating a possible choke point based on many-to-one and one-to-many behaviors in an attack. It shows several techniques under many-to-one behaviors that converge on one technique, the possible choke point, which in turn diverges into one-to-many behaviors.
Figure 2. MITRE ATT&CK Technique Process Injection (T1055) is an example of a possible choke point

Actionability is the opportunity a defender has to detect or mitigate a technique. It is based on publicly available security controls (such as the CIS Critical Security Controls and NIST 800-53 security controls) and analytics (Splunk, Elastic, and Sigma detections).

Figure 3. Detection to mitigation mapping (MITRE Top ATT&CK Techniques Methodologies)

Top 10 techniques in ransomware attacks

Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 specific ransomware attacks were studied specifically for their use of ATT&CK techniques. Based on this research, the top 10 techniques in ransomware attacks are:

Organization-specific top techniques list via web calculator

This collaborative project also included the creation of a dynamic, user-friendly calculator for a more customizable, tailored top techniques list. This customizability allows organizations to have unique prioritization based on each organization’s size and maturity.

The calculator takes into consideration various inputs, including:

  • NIST 800-53 Controls (all NIST controls or specific ones such as AC-2, CA-2, etc.)
  • CIS Security Controls (all CIS Controls or specific ones such as 1.1, 2.5, etc.)
  • Detection analytics (MITRE Cyber Analytics Repository, Elastic, Sigma, Splunk)
  • Operating systems used in the environment
  • Monitoring capabilities for network, process, file, and cloud services in the network

With this calculator, an organization can create a tailored technique list based on various aspects like the maturity of their security operations and the tools that they use. This can serve as a great starting point for companies looking to evaluate and improve their detection and protection capabilities regarding ransomware activities and prioritize the TTPs that are the most actionable for them.
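To make the three criteria from the methodology section and the calculator’s filters concrete, here is a small Python implementation that ranks techniques from a handful of constructed attack chains. It is an added example, not the Center’s calculator or its scoring formula: prevalence, choke point and actionability follow the definitions given above, but the weights, the normalisation, the platform filter, the NIST/analytic coverage map and the attack chains are all assumptions made for illustration.

```python
"""Toy ranking of ATT&CK techniques by prevalence, choke point and actionability.

Added example, not the Center's calculator or scoring formula: the three
criteria follow the methodology described above, but the weights, the
normalisation, the platform filter and all sample data are assumptions.
"""
from collections import Counter, defaultdict

ALL_PLATFORMS = {"Windows", "Linux", "macOS"}

# Constructed data: each tuple is the ordered technique chain of one
# hypothetical attack (real ATT&CK IDs, invented sequences).
ATTACK_CHAINS = [
    ("T1566.001", "T1059.001", "T1055", "T1003.001", "T1021.002", "T1486"),
    ("T1078",     "T1059.003", "T1055", "T1003.001", "T1047",     "T1486"),
    ("T1566.002", "T1204.002", "T1055", "T1057",     "T1021.002", "T1486"),
    ("T1133",     "T1059.001", "T1055", "T1003.002", "T1570",     "T1486"),
]

# Constructed coverage map: technique -> controls / analytic sources that
# address it (NIST 800-53 control IDs and analytic repository names).
COVERAGE = {
    "T1055":     {"SI-4", "SI-3", "sigma", "elastic", "splunk"},
    "T1486":     {"CP-9", "SI-3", "sigma"},
    "T1003.001": {"AC-2", "AC-6", "sigma", "elastic", "splunk"},
    "T1059.001": {"SI-7", "sigma", "elastic", "splunk"},
    "T1021.002": {"AC-2", "SC-7", "sigma", "elastic"},
    "T1047":     {"SI-4", "sigma", "splunk"},
}

# Constructed platform map; techniques not listed are assumed cross-platform.
PLATFORMS = {
    "T1047": {"Windows"},
    "T1003.001": {"Windows"},
    "T1055": ALL_PLATFORMS,
}


def prevalence(chains):
    """Fraction of attacks in which a technique appears at least once."""
    seen = Counter(t for chain in chains for t in set(chain))
    return {t: n / len(chains) for t, n in seen.items()}


def choke_point(chains):
    """Convergence x divergence: distinct predecessors times distinct
    successors across all chains, scaled so the best technique scores 1.0.
    A technique everything flows into and out of (T1055 in the sample data)
    scores high; a terminal impact step such as T1486 scores 0 because
    nothing follows it."""
    preds, succs = defaultdict(set), defaultdict(set)
    for chain in chains:
        for a, b in zip(chain, chain[1:]):
            succs[a].add(b)
            preds[b].add(a)
    raw = {t: len(preds[t]) * len(succs[t]) for t in set(preds) | set(succs)}
    top = max(raw.values()) or 1
    return {t: v / top for t, v in raw.items()}


def actionability(coverage, available):
    """Share of a technique's known controls/analytics the defender actually
    has deployed; this is where the calculator's control and analytic
    inputs enter the score."""
    return {t: len(c & available) / len(c) for t, c in coverage.items()}


def rank(chains, coverage, available, platforms_in_use=None,
         weights=(1.0, 1.0, 1.0)):
    """Weighted sum of the three criteria, highest first, dropping
    techniques that cannot apply to the platforms in use."""
    p, c, a = prevalence(chains), choke_point(chains), actionability(coverage, available)
    wp, wc, wa = weights
    ranked = []
    for t in p:
        if platforms_in_use is not None and not (
                PLATFORMS.get(t, ALL_PLATFORMS) & platforms_in_use):
            continue
        ranked.append((t, wp * p[t] + wc * c.get(t, 0.0) + wa * a.get(t, 0.0)))
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    have = {"SI-4", "SI-3", "AC-2", "sigma", "elastic"}   # constructed defender inputs
    for tech, score in rank(ATTACK_CHAINS, COVERAGE, have, {"Windows", "Linux"})[:5]:
        print(f"{tech:<10} {score:.2f}")
```

The terminal impact step (T1486) ends every chain and therefore scores zero as a choke point even though its prevalence is 1.0, which is exactly the distinction the choke point criterion is meant to draw. Passing the controls and analytics you actually run as `available` and your operating systems as `platforms_in_use` is the calculator’s tailoring step in miniature.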

Practical applications and future work

The methodology and insights from the top techniques list have many practical applications, including helping prioritize activities during triage. As it’s applied to more real-world scenarios, we can identify areas of focus and continue to improve our coverage on these TTPs and behaviors of prevalent threat actors. Refining the criteria can further improve the accuracy of results and make this project more customer-focused and more relevant to immediate action. Improvements in the following areas would be of particular benefit:

  • Fine-tuning the choke point analysis by adding machine learning models to visualize and predict all viable paths an attacker could take, which can be used to create a corresponding attack graph. This attack graph could be tied in with the user-implemented filters to identify relevant paths based on an organization’s current functionality. Future integration with the Attack Flow project might be a step towards this enhanced choke point analysis.
  • Developing a metric to identify subjective filters like “Damage Impact” and “Significance” as they are important when making decisions on covering different attacks.
  • Performing a comparison of results between this current analysis and global data sets to validate the accuracy of the current findings.
  • Enhancing prevalence data to ensure a broad and timely data set is driving the analysis. Community contributions to the Sightings Ecosystem project are critical.

Insights from industry-wide collaborations like this project help enrich the protection that Microsoft provides for customers through solutions like Microsoft 365 Defender and Microsoft Sentinel. These solutions are further informed by trillions of signals that Microsoft processes every day, as well as our expert monitoring of the threat landscape. For example, our comprehensive view and research into the ransomware ecosystem enables us to deliver cross-domain defense against human-operated ransomware, leveraging a Zero Trust approach to limit the attack surface and minimize the chances of ransomware attacks succeeding. 

In the recent MITRE Engenuity ATT&CK® 2022 Evaluations, Microsoft demonstrated complete visibility and analytics on all stages of the attack chain, with 100% protection coverage, blocking all stages in early steps (pre-ransomware phase), including techniques within the top 10 ransomware techniques list that were tested.

This collaboration and innovation benefits everyone in the security community: not only those who use the MITRE ATT&CK framework as part of their products and services, but also our valued ecosystem of partners who build services on top of our platform to meet the unique needs of every organization. Microsoft is a research sponsor at the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. One of our core principles at Microsoft is security for all, and we will continue to partner with MITRE and the broader community on projects like this and to share insights and intelligence.

Gierael Ortega, Alin Nagraj, Devin Parikh
Microsoft 365 Defender Research Team

The post Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders appeared first on Microsoft Security Blog.

Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations

April 6th, 2022

For the fourth consecutive year, Microsoft 365 Defender demonstrated industry-leading protection in MITRE Engenuity’s independent ATT&CK® Enterprise Evaluations, showcasing the value of an integrated, XDR-based defense that unifies device and identity protection under a Zero Trust approach:

  • Complete visibility and analytics to all stages of the attack chain
  • 100% protection, blocking all stages in early steps
  • Each attack generated a single comprehensive incident for the SOC
  • Differentiated XDR capabilities with integrated identity protection
  • Protection for Linux across all attack stages
  • Deep integrated Windows device sensors
  • Leading with product truth and a customer-centric approach

The Microsoft 365 Defender XDR solution displayed top-class coverage by surfacing to the security operations center (SOC) a single comprehensive incident for each simulated attack. Each incident detailed suspicious device and identity activities, coupled with unparalleled coverage of adversary techniques across the entire attack chain. Microsoft 365 Defender also demonstrated 100% protection by blocking both attacks in their early stages.

This is the third year in which Microsoft 365 Defender has showcased the power of the combined XDR suite, demonstrating coverage across devices, identities, and cloud applications.

Demonstrated complete visibility and analytics across all stages of the attack chain

Microsoft 365 Defender demonstrated complete technique-level coverage across all the attack stages of Wizard Spider and Sandworm, leveraging our artificial intelligence-driven adaptive protection.

Figure 1. Microsoft 365 Defender providing full attack chain coverage

Defending against human-operated ransomware requires a defense in-depth approach that continuously evaluates device, user, network, and organization risk and then leverages these signals to alert on potential threats across the entire attack chain. Providing detection and visibility enables defenders to evict the attackers from the network during the pre-ransom phase. It also minimizes the impact of encryption or extortion through data exfiltration activities.

Technique-level detection coverage in real time without delays

Human-operated ransomware attacks evolve within minutes, and the time it takes for defenders to respond and prevent attackers from performing destructive actions, such as encrypting devices or exfiltrating information for extortion, is crucial. Organizations need real-time detections with no delays to ensure they can rapidly evict attackers before they have a chance to keep moving laterally through the infrastructure. Microsoft 365 Defender provided technique-level coverage at every attack stage in real time, without any delayed detections.

Figure 2. Microsoft 365 Defender providing technique-level coverage in every attack stage

100% protection coverage, blocking all stages in early steps

Microsoft 365 Defender provided superior coverage and blocked 100% of the attack stages, offering excellent coverage across Windows and Linux platforms. Moreover, its next-generation protection capabilities did so without hindering productivity: no benign activities were blocked and no user consent was required.

Figure 3. Microsoft 365 Defender blocking in all stages

In real-world scenarios, blocking ransomware activity early, that is, in the pre-ransom stage and across all platforms and assets, is crucial to protecting customers and mitigating the downstream extortion and disruption impact of the attack.

Each attack generated a single comprehensive incident for the SOC

Unlike many other vendors, which surfaced multiple alerts and multiple incidents, Microsoft 365 Defender surfaced exactly one incident per attack, combining all events across device and identity into a single comprehensive view of each attack.

Microsoft 365 Defender’s unique incident correlation technology is tremendously valuable for SOC analysts dealing with alert fatigue. It significantly improves the efficiency of responding to threats, saving time that would otherwise be spent on manual correlation or on individual alerts, and it makes triage and investigation easier and faster by presenting the full attack graph in one view.

Figure 4. Scenario 1: A single incident representing the Wizard Spider simulated attack with the attack sprawl and impacted assets summarized
Figure 5. Scenario 1: Incident graph for an at-a-glance view of the full attack, showing device and identity assets as well as all observed evidence
Figure 6. Scenario 2: A single incident representing the Sandworm simulated attack, with the attack sprawl and impacted assets summarized.

Unique and durable detections from the integrated Microsoft Defender for Identity

Microsoft 365 Defender’s integrated identity protection capabilities uncover and block identity-related attacks in a durable fashion regardless of the specific technique the attacker implements on a device, making them practically impossible for attackers to evade. Furthermore, building these protections into the identity fabric provides in-depth, context-rich signals for security teams to investigate and respond effectively. Other vendors that rely on endpoint-only signal may be more susceptible to evasion, and their detections typically carry less context.

Here are some examples representing Microsoft 365 Defender’s unique identity protection capabilities in the evaluation:

  • Step 5.A.4 – a query to the Security Account Manager (SAM) database was uncovered using Active Directory signals, with detailed context on the user enumeration activity. This identity-based detection approach resists attacker evasion and provides rich investigation context for security teams. Some other vendors in the test relied on process creation telemetry for similar visibility, which lacks that context and can be bypassed easily.
Figure 7. SAM database queried to enumerate users, detected by the Microsoft 365 Defender identity workload, Defender for Identity
  • Step 6.A.2 – resource-access activity on a domain controller was also uncovered using our identity sensors, with details of the exposed service principal name (SPN) and the related compromised resource name. Here too, the approach provides the same advantages in detection durability and investigation detail.
Figure 8. Timeline view of resource activity on DC and SPN exposure attack with related compromised resource
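The SPN exposure step above is the Kerberoasting stage of the evaluation, and when an identity sensor on the domain controller is not available it can be approximated from the domain controller’s audit log. The following Python detector is an added example, not Defender for Identity’s logic: it assumes Event ID 4769 (Kerberos service ticket request) is collected from domain controllers, uses that event’s field names, and flags an account that requests RC4-encrypted service tickets for several distinct user-owned SPNs within a short window. The threshold, the window and the sample events are constructed for illustration.

```python
"""Kerberoasting (ATT&CK T1558.003) detector over constructed Windows
Security Event ID 4769 records.

Added example, not Microsoft Defender for Identity's detection logic. It
assumes the defender collects 4769 (Kerberos service ticket request) from
domain controllers; the field names follow that event's schema, while the
threshold, the window and the sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # RC4 ticket encryption: the hash type attackers ask for
WINDOW = timedelta(minutes=5)
THRESHOLD = 3              # distinct SPNs requested with RC4 by one actor within WINDOW

# Constructed sample: one account pulling RC4 tickets for several service
# accounts in quick succession, plus traffic that must not alert.
EVENTS = [
    {"ts": "2022-03-30T10:00:01", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"ts": "2022-03-30T10:00:02", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"ts": "2022-03-30T10:00:02", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"ts": "2022-03-30T10:00:03", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"ts": "2022-03-30T10:01:00", "EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"ts": "2022-03-30T10:02:00", "EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40", "Status": "0x0"},
]


def is_roastable(ev):
    """A successful RC4 TGS request for a service run under a user account.
    Computer accounts (trailing '$') and krbtgt (the TGT itself) are not
    Kerberoasting targets and are excluded to keep noise down."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev.get("Status") == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """One finding per (requesting account, client IP) whose distinct
    roastable SPNs inside any sliding window reach the threshold."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roastable(ev):
            per_actor[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["ts"]), ev["ServiceName"]))
    findings = []
    for (user, ip), reqs in per_actor.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {s for _, s in reqs[start:end + 1]}
            if len(spns) >= threshold:
                findings.append({"user": user, "ip": ip, "spns": sorted(spns),
                                 "technique": "T1558.003"})
                break
    return findings


if __name__ == "__main__":
    for f in detect_kerberoasting(EVENTS):
        print(f"Kerberoasting ({f['technique']}) by {f['user']} from {f['ip']}: "
              + ", ".join(f["spns"]))
```

Two caveats a practitioner should keep in mind: a single RC4 ticket request is normal for legacy services, which is why the rule counts distinct SPNs per source rather than firing on one event, and an attacker who requests AES tickets (encryption type 0x12) will not match this rule at all. That second gap is the kind of evasion the identity-sensor approach described above is meant to close.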

Protection for Linux across all attack stages

Microsoft 365 Defender continues to demonstrate excellent protection coverage on all platforms with top-level coverage on Windows and Linux. It covered all Linux-related stages via technique-level analytics, context-rich alerts, and in-depth investigation signals.

Customers face threats from various entry points across devices, and device discovery and lateral movement to identify high-value assets are table stakes for advanced attacks like human-operated ransomware. Therefore, having excellent coverage across all platforms is crucial to protect organizations against attacks.

Figure 9. Microsoft 365 Defender providing technique-level coverage in every Linux attack stage

For example, as seen in Figure 10 below, Defender for Endpoint on a Linux device alerted on suspicious behavior by a web server process. The alert allowed the sensitive file read to be blocked, preventing further reads. The attacker then attempted to download and run a backdoor on the device; that was also blocked behaviorally, preventing subsequent compromise.

Figure 10. Sensitive file read by a web server process detected on Linux device

Unique and durable detections from Windows deep native sensors  

While most attack steps on devices could be observed by inspecting process and script activities, solely relying on this type of telemetry can be challenging in several aspects.

From a detection durability standpoint, attackers could easily avoid detection by obfuscating or pivoting to alternative methods. Furthermore, in terms of detection quality, relying solely on “surface-level” telemetry could potentially produce a higher number of false positives and overhead for security teams. Finally, this type of telemetry lacks the needed context to enable effective investigation and response.

Microsoft 365 Defender’s platform-native deep device sensors add signal depth that other solutions lack, providing durable, context-rich signals for security teams to identify, investigate, and respond to. Here are some examples, as seen during the evaluation:

  • Steps 1.A.6 and 19.A.11 were uncovered via enhanced Windows Management Instrumentation (WMI) sensors, providing visibility into evasive attacker activity without relying on process or script execution telemetry.
Figure 11. Process creation via WMI detected natively using WMI sensors, regardless of invocation method
Figure 12. System shutdown via WMI detected natively using WMI sensors, regardless of invocation method
  • Step 3.A.4 was uncovered via COM sensors, providing visibility into the Microsoft Outlook COM interface and detecting an attacker’s search for unsecured passwords in Outlook without relying on process command lines, which attackers can easily evade by using COM interfaces directly.
Figure 13. Detection of attacker’s search for passwords in Outlook using our unique COM interface sensor integration
  • Step 17.A.2 was uncovered via Data Protection API (DPAPI) sensors, providing visibility into credential access, an extremely important activity. Other solutions monitor web browser folders for file access, which is extremely prone to false positives in real-world environments.
Figure 14. Credential access visibility via DPAPI sensor integration
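To show the durability argument of this section in code, the following Python example compares a command-line rule for WMI process creation (ATT&CK T1047) with a rule keyed on the process tree. It is an added example, not Defender for Endpoint’s WMI sensor: the post describes a sensor that observes the Win32_Process Create call itself, whereas this example uses only Sysmon-style process-creation telemetry (the Image, CommandLine and ParentImage fields of Event ID 1). The sample records and the allowlist of legitimate WmiPrvSE.exe children are constructed for illustration.

```python
"""Surface-level command-line matching versus a more durable parent-based
rule for WMI process creation (ATT&CK T1047).

Added example, not Defender for Endpoint's WMI sensor. The post describes a
sensor that sees the Win32_Process Create call itself; this example only
has Sysmon-style process-creation telemetry to work with and shows why a
command-line rule is brittle while a process-tree rule survives the change
of invocation method. Sample records and the allowlist are assumptions.
"""
import re

# Constructed sample telemetry (Sysmon Event ID 1 style fields).
EVENTS = [
    # 1. Naive operator: wmic on the command line; any command-line rule catches it.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell -enc SQBFAFgA"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 2. Same action through the WMI API (COM/IWbemServices, no wmic anywhere):
    #    the child is spawned by the WMI provider host instead.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # 3. Benign: provider host crash reporting, covered by the allowlist.
    {"Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 4120 -s 992",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # 4. Benign: ordinary interactive PowerShell.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# The brittle rule: looks for the wmic client's own syntax.
CMDLINE_RULE = re.compile(r"wmic(\.exe)?\s+.*process\s+call\s+create", re.IGNORECASE)

# Children of the WMI provider host that are routinely legitimate; assumed
# allowlist, which is what keeps the durable rule's false positives down.
WMIPRVSE_ALLOWLIST = {"werfault.exe", "wmiprvse.exe"}


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_rule(ev):
    """Fires only when the attacker is kind enough to use wmic.exe."""
    return bool(CMDLINE_RULE.search(ev["CommandLine"]))


def wmi_parent_rule(ev):
    """Fires for any non-allowlisted child of WmiPrvSE.exe: every process
    created through Win32_Process Create is parented by the provider host,
    whatever client or command line the attacker used."""
    return (basename(ev["ParentImage"]) == "wmiprvse.exe"
            and basename(ev["Image"]) not in WMIPRVSE_ALLOWLIST)


def evaluate(events):
    """Which rule fires on each record."""
    return [{"index": i, "cmdline": cmdline_rule(ev), "wmi_parent": wmi_parent_rule(ev)}
            for i, ev in enumerate(events)]


if __name__ == "__main__":
    for r in evaluate(EVENTS):
        print(f"record {r['index']}: cmdline={r['cmdline']} wmi_parent={r['wmi_parent']}")
```

Record 2 is the case this section is about: the attacker creates the process through the WMI API, wmic never appears on any command line, and only the parent-based rule fires. The allowlist is what stops the durable rule from drowning analysts in false positives, the other quality dimension the post calls out. A native WMI sensor goes one step further than this example by seeing the Create call even before the child process exists.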

A final word: Leading with product truth and a customer-centric approach

As in previous years, Microsoft’s philosophy in this evaluation was to empathize with our customers—the “protection that works for customers in the real world” approach. We participated in the evaluation with product capabilities and configuration that we expect customers to use.

As you review evaluation results, you should consider additional important aspects, including depth and durability of protection, completeness of signals and actionable insights, and quality aspects such as device performance impact and false positive rates, all of which are critical to reliable operation of the solution and translate directly to protection that works in real customer production environments.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

The post Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.

Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations

March 31st, 2022

For the fourth year in a row, the independent MITRE Engenuity Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) Evaluations demonstrated Microsoft’s strong detection and protection capabilities thanks to our multi-platform extended detection and response (XDR) defenses.

The ever-evolving threat landscape continues to supply adversaries with new techniques, revamped tactics, and more advanced attack capabilities. Such threats demand comprehensive security solutions that provide a holistic view of the attack across endpoints and domains, prevent and block attacks at all stages, and provide security operations (SecOps) with automated tools to remediate complex threats and evict attackers from the network.

This year’s ATT&CK Evaluations concentrated on advanced threat actors Wizard Spider and Sandworm. These actors are known for deploying sophisticated human-operated ransomware campaigns designed to destabilize infrastructure and institutions. The testing included detection benchmarks and protection simulations across platforms, such as Windows and Linux, of more than 100 steps and 66 unique ATT&CK techniques across the attack chain.  

We’re proud to report that Microsoft 365 Defender successfully detected and prevented malicious activity at every major attack stage, demonstrating comprehensive technique-level coverage across endpoints and identities. Rich threat intelligence synthesized daily from trillions of security signals proved key to informing both the controls implemented under a Zero Trust approach and threat hunting.

MITRE Engenuity’s ATT&CK Evaluations results emphasized that Microsoft’s success in this simulation was largely due to our:

  • Industry-leading XDR. Microsoft 365 Defender simplified thousands of alerts into two incidents and a clear timeline spanning identity and endpoint to enable rapid resolution.
  • Superior EPP and EDR. Microsoft Defender for Endpoint both prevented attacks and quickly identified and contained suspicious activities in the pre- and post-ransom phases to stop attacks.
  • Comprehensive multi-platform protection. Microsoft 365 Defender demonstrated maturity in protecting multi-platform environments. In addition to Windows, Microsoft Defender for Endpoint’s behavioral and machine learning models blocked and detected every major step on Linux for the second year in a row.
Figure 1. MITRE Engenuity’s ATT&CK Evaluation results demonstrated that Microsoft 365 Defender protects against ransomware with industry-leading XDR, EPP and EDR, and multi-platform protection.

Microsoft defends against human-operated ransomware with industry-leading XDR

One of the most prominent dangers in today’s threat landscape is human-operated ransomware campaigns, which leverage the playbook of advanced nation-state actors: a threat actor actively targets one or more organizations using techniques custom-built for the target network. These campaigns also often involve encryption and exfiltration of high-value data, making it critical for security solutions to address the threat quickly and aggressively. If successful, human-operated ransomware attacks can cause catastrophic and visible disruption to organizations, their customers, and the rest of their communities. Protecting against these attacks requires a holistic security strategy that can resist a persistent attacker, including the ability to isolate and contain the threat to prevent widespread damage.

As demonstrated in the evaluation, Microsoft 365 Defender protected against these sophisticated attacks with:

  • Prevention at the earliest stages of the attack to stop further attacker activity without hindering productivity
  • Diverse signal capture from devices and identities, with device-to-identity and identity-to-device signal correlation
  • Coverage across device assets, including Windows, Linux, Mac, iOS, and Android
  • Excellent pre-ransom and ransom protection, with both automated remediation of persistent threats and complete eviction of the attacker from the network

Integrated identity threat protection proves critical

With human-operated ransomware, threat actors are constantly advancing their techniques. This year’s test included domain trust discovery, pass-the-hash, pass-the-ticket, and credential theft through Kerberoasting. Microsoft supports billions of identity authentications per day, and Microsoft 365 Defender integrates deeply with both on-premises and cloud identities, fusing endpoint and identity data to enable a level of detection and visibility that far exceeds what endpoint data alone can provide. Microsoft 365 Defender protects hundreds of millions of customer identities today, and the integration of identity threats into the event timeline was instrumental to detections during the evaluation.

Aggregating alerts into prioritized incidents streamlined the investigation experience

Microsoft 365 Defender streamlined the investigation experience by correlating more than a thousand alerts into significant incidents and identifying complex, seemingly unrelated links between attacker activities across domains. Time to remediate is critical in a ransomware attack, and Microsoft 365 Defender’s incidents page simplifies the SecOps experience by providing essential context on active alerts, key devices, and impacted users. It also lets defenders trigger both automatic and manual remediation from insightful, actionable alerts, rather than filtering through unrelated events that strain resources, particularly during an active attack. EDR further enables analysts to approach investigations through multiple vectors, providing detailed behavioral telemetry that includes process information, network activity, deep kernel and memory manager optics, registry and file system changes, and user logon activity to determine the start and scale of an attack.

Screenshot of Microsoft 365 Defender UI where the top section shows a notification about a multi-stage incident. The summary page provides visualizations of active alerts and lists of impacted devices and users.
Figure 2. Microsoft 365 Defender’s incidents page correlating all the devices, users, alerts, and evidence that describe the attack simulated by MITRE Engenuity.  

Microsoft 365 Defender delivers mature multi-platform protection

The attack scenario mimicked a threat actor’s ability to target heterogeneous environments and spread across platform ecosystems. We’re proud to state that Microsoft 365 Defender’s security capabilities provided superior detection and protection and complete Linux coverage for the second consecutive year.

Microsoft 365 Defender offers comprehensive capabilities across the popular desktop and mobile operating systems, such as Linux, Mac, Windows, iOS, and Android. These capabilities include next-generation antivirus, EDR, and behavioral and heuristic coverage across numerous versions of Linux. Microsoft has invested heavily in protecting non-Windows platforms in the last four years and, today, offers the extensive capabilities organizations need to protect their networks. 

Microsoft takes a customer-centered approach to tests

The evolving threat landscape demands security solutions with wide-ranging capabilities, and we’re dedicated to helping defenders combat such threats through our industry-leading, cross-domain Microsoft Defender products. Microsoft’s philosophy in this evaluation is to empathize with our customers, so we configured the product as we would expect them to. For example, we did not perform any real-time detection tuning that might have increased the product’s sensitivity to find more signals, because in a real-world customer environment that would have created an untenable number of false positives.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Learn more

For more information about human-operated ransomware and how to protect your organization from it, refer to the following articles:

Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.