CrowdStrike Achieves 100% Protection, 100% Visibility, 100% Analytic Detection in MITRE Engenuity ATT&CK® Evaluations: Enterprise

September 20, 2023

Executive Viewpoint
  • The CrowdStrike Falcon® platform achieves 100% protection, 100% visibility and 100% analytic detection across all steps in the MITRE Engenuity ATT&CK® Evaluations: Enterprise.
  • CrowdStrike’s results demonstrate the adaptability, visibility and real-world effectiveness of the Falcon platform, which prevented 13/13 protection scenarios across every stage of an attack to stop sophisticated adversary VENOMOUS BEAR (Turla).
  • The CrowdStrike Falcon® platform shuts down advanced attacks with innovative capabilities including memory scanning, machine learning, industry-leading XDR, identity protection and automated orchestration delivered through a unified cloud-native platform.
  • MITRE Engenuity does not rank or rate participants; the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.

CrowdStrike’s AI-powered Falcon platform has achieved flawless 100% protection, 100% visibility and 100% analytic detection coverage in Round 5 of the MITRE Engenuity ATT&CK® Evaluations: Enterprise.

The Falcon platform stopped 13 of 13 protection scenarios spanning every stage of an attack, without relying on prior knowledge or legacy signatures. We believe these results demonstrate the superior security outcomes and power of a unified platform that is purpose-built to stop breaches. This year’s emulated tradecraft underscored the value of our ongoing innovations, including:

  • CrowdStrike Falcon® Insight XDR for comprehensive, cross-domain visibility
  • AI-powered indicators of attack (IOAs) for advanced behavioral analysis
  • Integrated on-sensor memory scanning and CrowdStrike Falcon® Sandbox memory analysis for sophisticated tradecraft detection
  • CrowdStrike Falcon® Identity Protection for detecting lateral movement
  • CrowdStrike Falcon Intelligence Sandbox and CrowdStrike Falcon® Fusion security automation orchestration and response (SOAR) for automated sandbox analysis

Throughout the detection scenarios, the Falcon platform also achieved 100% Tactic and Technique coverage across all 19 detection scenarios and 143 steps. Tactic and Technique are the most valuable, highest-quality detection category labels used in the MITRE Engenuity ATT&CK Evaluations; CrowdStrike achieved >95% Technique and ~4% Tactic (calculated across the results of all scenarios). By our assessment, these results demonstrate the what and the how behind threat activity, providing full context into observed adversary behavior.

The CrowdStrike Falcon platform delivers industry-leading AI-powered protection, deep visibility and fast, accurate detection. When faced with these capabilities, even the stealthiest adversaries have nowhere to hide.

Confronting Advanced Tradecraft in MITRE Engenuity ATT&CK Evaluations: Enterprise

This year’s evaluation emulated the tactics, techniques and procedures (TTPs) of VENOMOUS BEAR, a highly sophisticated nation-state adversary assessed to be attributable to the Federal Security Service (FSB) of the Russian Federation. VENOMOUS BEAR, as tracked by CrowdStrike and referred to as Turla during the MITRE Engenuity ATT&CK Evaluations, typically performs cyber-espionage and intelligence gathering that contributes to internal decision-making of the Russian government. The adversary has been known to employ complex tradecraft with activity going back more than 20 years, enabling MITRE Engenuity to achieve its goal of building a realistic test exemplifying its stealth and skill.

The emulated tradecraft for VENOMOUS BEAR involved advanced TTPs and capabilities ranging from complex fileless attacks to rootkits, vulnerable drivers, steganography, complex lateral movement and encrypted command-and-control (C2) communication. This adversary is capable of establishing post-exploitation persistence with a minimal footprint through in-memory or kernel implants, evading detection and exfiltrating data from Windows and Linux systems.

The Power of the CrowdStrike Falcon Platform

Falcon Insight XDR provided full attack visibility in a high-fidelity graph, enabling analysts to view all of the adversary’s actions and identify each compromised asset and service in a single place. This comprehensive view across the entire attack surface enables analysts to take quick, decisive action.

Figure 1. Falcon platform’s XDR capabilities presenting the Day One attack summary graph

The best defense stops an attack before it even starts. Falcon Identity Protection determined that the MITRE evaluators were using compromised accounts and prevented the simulated adversary from gaining access to the environment.

Figure 2. Falcon Identity Protection detection of a high-severity compromised password

CrowdStrike’s machine learning and AI-powered IOAs were also instrumental in blocking malicious activity in the early stages of the 13 protection scenarios executed during the last day of the MITRE Engenuity ATT&CK Evaluations. Unlike the signature systems of legacy endpoint security vendors, AI and ML technologies are highly proactive, detecting threats with no prior knowledge. The Falcon platform achieved full 100% protection across all steps, effectively shutting down the adversary and making it impossible for the adversary to progress through the scenarios.

Figure 3. The CrowdStrike Falcon platform achieves 100% protection during the protection evaluation

Inside the MITRE ATT&CK Evaluation Scenarios

Round 5 of the MITRE Engenuity ATT&CK Evaluations: Enterprise is an opportunity to see the power of the Falcon platform as it defends against the tradecraft of adversaries like VENOMOUS BEAR. Below are some examples from the evaluation that demonstrate the kind of capabilities that give CrowdStrike the confidence to say, “We stop breaches.”

Proactive Defense against Sophisticated Techniques

An advanced VENOMOUS BEAR technique emulated during the two-day detection evaluation was the use of a kernel rootkit (T1014) to hide the adversary’s presence from the operating system. In detail, the adversary installed a malicious driver after Modifying the Signing Policy (T1553.006) by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. This is a technique in which the adversary installs and exploits a legitimately signed but vulnerable driver to achieve kernel-level code execution and manipulate operating system structures.

The adversary abused the vulnerable driver to disable the Driver Signature Enforcement (DSE) protection — implemented by Windows to ensure that only validly signed drivers are loaded — and install their malicious rootkit driver. Falcon was able to detect and prevent the BYOVD attacks with indicators of attack and machine learning, proactively identifying the adversary activity with a resilient capability that is hard to bypass. Furthermore, Falcon® Intelligence Sandbox identified what the rootkit was doing, giving defenders key insights to defend against a persistent adversary.

Figure 4. Falcon sensor detection of the malicious vulnerable driver

Can’t Hide from Falcon in Memory

Memory manipulation tradecraft was also used extensively during the evaluation. During the initial access phase of the detection evaluation, a malicious payload injected code into the explorer process. This, in turn, performed another fileless injection into the Microsoft Edge browser, which was subsequently abused to perform several other activities over a significant number of steps.

On-sensor memory scanning visibility enabled us to identify malicious encryption activities on a typically benign process like the Microsoft Edge browser, as highlighted in the image below.

Figure 5. Falcon platform EAM query output revealing on-sensor detection of malicious memory manipulation

CrowdStrike’s memory scanning technology expands the detection capabilities of the Falcon sensor, including the ability to search for malicious memory artifacts whenever a process of interest is identified, whether triggered by observed behaviors or suspicious patterns.

Stop Lateral Movement with Identity-based Defenses

CrowdStrike Counter Adversary Operations has identified the average breakout time as 79 minutes, and has observed it to be as low as 7 minutes. One of the techniques driving adversaries’ growing speed is the increased use of compromised credentials. Falcon’s industry-leading Identity Protection can shut down an adversary and burn their assets, stopping an attack in its infancy.

The ATT&CK Round 5 evaluation demonstrated this with VENOMOUS BEAR’s use of a remote file transfer from a compromised machine to a remote system — Lateral Movement - Lateral Tool Transfer (T1570). This technique was used to stage tools between systems in the compromised environment, supporting “stealthier” lateral movement for accessing and controlling remote systems on a network. Identity protection capabilities can be critical in these scenarios, allowing customers to define watch lists that trigger multi-factor authentication (MFA) or deny access to critical resources, preventing an adversary from using valid credentials to compromise systems. In the evaluation, Falcon Identity Protection identified unusual logons, put the account on the watchlist and stopped the adversary from using the compromised credential.

Uncovering Command and Control

An interesting C2 tactic involved the use of Traffic Signaling (T1205), which the adversary implemented in the Penquin Linux malware. The malware uses this technique to hide its presence and enable its backdoor capability: it connects to a remote C2 server only after sniffing a “magic packet” value in TCP or UDP packets that match specific conditions.

The malware does this by attaching a Berkeley Packet Filter (BPF) program to a network socket (using the setsockopt syscall); the socket is bound to a specific network interface and sniffs the traffic on that interface. When the attacker sent a “magic” packet crafted to match the filter, which acts as the trigger that activates the backdoor, the malware started the C2 connection to the attacker’s server.

The Falcon platform was able to detect these conditions and show the content of the filter applied (EAM query, below):

Figure 6. Falcon platform notification for Non Standard Port being detected
Figure 7. Falcon platform EAM query output revealing network traffic signaling
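As an added example (not CrowdStrike’s code, and not the actual Penquin filter), the following Python decodes a classic BPF socket-filter program of the kind described above into readable instructions and dry-runs it against a frame, so an analyst looking at filter content from a query like the one above can see exactly which packet would trigger the backdoor. The filter program and the frame are constructed for illustration; the opcode values are the classic BPF constants from <linux/filter.h>.

```python
"""Decode and dry-run a classic BPF (cBPF) socket filter of the kind a backdoor attaches with
setsockopt(SO_ATTACH_FILTER). Added example, not CrowdStrike's code; filter and frame are constructed."""
SIZE = {0x00: ("w", 4), 0x08: ("h", 2), 0x10: ("b", 1)}   # BPF_W / BPF_H / BPF_B size bits
def is_ld(c):  return c & 0xE7 == 0x20    # BPF_LD | BPF_ABS, any width (<linux/filter.h>)
def is_jeq(c): return c == 0x15           # BPF_JMP | BPF_JEQ | BPF_K
def is_ret(c): return c == 0x06           # BPF_RET | BPF_K

# Constructed sample, (code, jt, jf, k): accept only IPv4/UDP frames whose first two
# payload bytes are 0xcafe (the "magic" value); everything else reaches ret #0 (drop).
SAMPLE_FILTER = [
    (0x28, 0, 0, 12),       # ldh [12]      ethertype
    (0x15, 0, 5, 0x0800),   # jeq #0x800    IPv4, else -> drop
    (0x30, 0, 0, 23),       # ldb [23]      IP protocol
    (0x15, 0, 3, 17),       # jeq #17       UDP, else -> drop
    (0x28, 0, 0, 42),       # ldh [42]      first UDP payload bytes (no IP options)
    (0x15, 0, 1, 0xCAFE),   # jeq #0xcafe   magic value, else -> drop
    (0x06, 0, 0, 0xFFFF),   # ret #65535    accept: the sniffer wakes up
    (0x06, 0, 0, 0),        # ret #0        drop
]
# Constructed Ethernet/IPv4/UDP frame: zeroed fields, no IP options, payload 0xcafe at offset 42
SAMPLE_FRAME = bytes(12) + b"\x08\x00" + bytes(9) + b"\x11" + bytes(10) + bytes(8) + b"\xca\xfe"

def fmt_insn(pc, code, jt, jf, k):
    """One instruction in tcpdump -d style, with jump targets made absolute."""
    if is_ld(code):  return f"({pc:02d}) ld{SIZE[code & 0x18][0]} [{k}]"
    if is_jeq(code): return f"({pc:02d}) jeq #0x{k:x} jt {pc + 1 + jt} jf {pc + 1 + jf}"
    if is_ret(code): return f"({pc:02d}) ret #{k}"
    return f"({pc:02d}) unsupported opcode 0x{code:x}"

def disassemble(prog):
    return [fmt_insn(pc, *insn) for pc, insn in enumerate(prog)]

def run_filter(prog, frame):
    """Interpret the LD_ABS / JEQ / RET subset over one frame; 0 means the frame is dropped."""
    pc = acc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if is_ld(code):
            width = SIZE[code & 0x18][1]
            if k + width > len(frame): return 0             # kernel drops on out-of-bounds load
            acc = int.from_bytes(frame[k:k + width], "big")
        elif is_jeq(code):
            pc += jt if acc == k else jf                    # offsets are relative to pc + 1
        elif is_ret(code):
            return k
        else:
            raise ValueError(f"unsupported opcode 0x{code:x} at pc {pc}")
        pc += 1
    raise ValueError("filter ran off the end of the program")
```

Only the load/compare/return subset is handled; a real filter using other opcodes is reported as unsupported rather than silently skipped, which is the safe failure mode when the decoder’s output feeds a detection decision.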

One of the most interesting pieces of tradecraft observed was the emulation of LightNeuron, a complex malware developed by VENOMOUS BEAR that implants a backdoor on Exchange servers by installing a malicious mail transport agent (MTA). The backdoor can be used as a stealthy C2 mechanism (T1071.003) and to perform Exfiltration activities (T1041). An MTA is a .NET module that, once installed, is loaded by the EdgeTransport.exe process of the Exchange suite.

The MTA backdoor receives events from the mail server through standard Microsoft Exchange classes, and as a result it is able to read email content. The malicious MTA also loads a C++ module via P/Invoke, a mechanism that allows managed code to call functions in unmanaged libraries, and performs malicious actions according to its configuration.

These malicious actions include executing commands on the victim, Email Manipulation (T1564.008) and Exfiltration. The backdoor implements a high level of OpSec and evasion, with Encoding (T1132.001), Encryption (T1573.001) and Steganography (T1001.002) capabilities.

Falcon Intelligence Sandbox and the Falcon sensor, which leverage the new memory analysis capabilities, were able to identify the malicious behaviors deployed by the MTA. This critical information enables the SOC analyst to take expedient action.

With the Falcon Platform, Adversaries Have Nowhere to Hide

No matter what the adversary was doing, the Falcon platform achieved 100% protection, visibility and analytic detection, and quickly adapted to adversary tradecraft with minimal configuration changes, making sure there was nowhere to hide.

CrowdStrike’s XDR capabilities enabled us to gain enhanced visibility across assets and services used during the MITRE Engenuity ATT&CK Evaluations: Enterprise by centralizing security telemetry from endpoints, cloud workloads, network and more, enabling comprehensive attack surface visibility and in-depth context into the adversary’s behavior.

The Falcon platform’s machine learning, IOAs and AI-powered IOA capabilities were instrumental in achieving perfect results during the protection evaluation, demonstrating the platform’s ability to use AI-powered protection and industry-leading detection to stop breaches with far less time and effort. Various adversary actions across Initial Access, Execution and C2 were detected using CrowdStrike on-sensor and cloud-based machine learning, while AI-powered IOAs successfully protected against Lateral Tool Transfer and Remote Services techniques.

Falcon Intelligence Sandbox integration and on-sensor memory scanning were meaningful capabilities that went to bat against this adversary. Falcon Fusion workflows coupled with sandbox orchestration enabled us to push retrospective IOC detections back to the Falcon sensor, effectively detecting malicious activity to stop breaches — much like in real-world scenarios.

At CrowdStrike, we strongly believe in the value of rigorous independent testing as a means to offer customers transparency and insight into the critical security capabilities protecting them against today’s adversaries. We relentlessly innovate to deliver new capabilities that automatically detect and prevent advanced tradecraft across the entire ATT&CK space to protect our customers and stop breaches. The views and opinions expressed in this post are those of CrowdStrike and do not necessarily reflect the views or positions of any entities they represent.
