Em abril, a MITRE anunciou um novo serviço baseado na sua estrutura ATT & CK (Adversarial Tactics, Techniques e Common Knowledge) para avaliar produtos com base na capacidade de detetar ameaças persistentes avançadas (APTs).
Os primeiros testes da framework ATT & CK realizados pela Mitre avaliaram a capacidade dos produtos Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA e SentinelOne em detectar o APT3.
Os testes concentram-se nas capacidades do produto detectar atividades mal-intencionadas, normalmente realizadas pelos agentes de ameaça, depois de comprometerem o sistema de uma organização. É importante ressaltar que a estrutura MITRE ATT & CK não atribui pontuações a cada produto, não é projetada como uma ferramenta de comparação.
“Direct comparison between vendor capabilities is complicated, and we encourage anyone using our results to consider other factors we didn’t evaluate. Our evaluations are narrowly focused on the technical ability to detect adversary behavior.” Duff wrote in a blog post.
“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”
MITRE trabalhou com fornecedores durante as avaliações e partilhou com eles os resultados.
“We approach the evaluations with a collaborative, “purple-teaming” mindset, and we think this allows us to better articulate what a vendor’s capability can do than if we left them out of the process. During the evaluation, MITRE and the vendor are in open communication.”
“The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”