CrowdStrike Achieves 99% Detection Coverage in First-Ever MITRE ATT&CK Evaluations for Security Service Providers

November 09, 2022

Executive Viewpoint
  • CrowdStrike achieved 99% detection coverage by conclusively reporting 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation.
  • Leveraging the power of the CrowdStrike Falcon® platform with integrated threat intelligence and patented tooling, the CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams identified the adversary and associated tradecraft within minutes.
  • Closed-book evaluations such as this provide the most realistic reflection of how a security vendor would perform in a customer environment. CrowdStrike’s combination of market-leading technology and elite human expertise led the evaluation, which is the gold standard in managed detection and response testing.
  • MITRE does not rank or rate participants; the following is CrowdStrike's analysis of the results provided by MITRE Engenuity.

From my perspective, with the CrowdStrike Falcon platform as the most-tested next-generation security platform in the world, I believe independent evaluations are critical in helping customers make the right choice for their security needs. Closed-book testing — where no vendor has advance notice on the adversary, methodology or specific timing — provides the closest reflection of how a security vendor can protect a customer environment in a real-world scenario.

This is why I’m proud to share that CrowdStrike achieved the highest detection coverage in the first-ever closed-book MITRE ATT&CK® Evaluations for Security Service Providers. Out of 16 vendors evaluated, the Falcon platform’s integration of industry-leading technology and human expertise enabled us to deliver complete coverage, detecting 75 of 76 adversary techniques.

We believe the results clearly demonstrate that the combination of the market-leading Falcon platform and our elite services stands alone in helping customers stop today’s most sophisticated attacks.

CrowdStrike Managed Detection and Response: Solving the Cybersecurity Skills Gap with Speed and Precision

As cyberattacks become more sophisticated and frequent, the ongoing cybersecurity skills shortage can put organizations at greater risk of experiencing a breach. According to the (ISC)² Cybersecurity Workforce Study, “3.4 million more cybersecurity workers are needed to secure assets effectively.” Managed detection and response (MDR) provides organizations with an effective way to close the skills gap and improve business resiliency.

CrowdStrike delivers trust and outcomes to our customers, empowering them to stop breaches with speed and precision — as demonstrated by our industry-leading detection coverage and adversary identification in this MITRE evaluation.

This is important because speed matters. The mean time to detect and respond is a key metric in stopping breaches. According to the 2022 Falcon OverWatch Threat Hunting Report, the average breakout time — the speed at which an adversary moves from initial compromise to another host within the victim environment — is now just 84 minutes.

With CrowdStrike’s global adversary threat intelligence natively integrated into the Falcon platform, we were able to rapidly correlate the intel to behavioral telemetry in every phase of the evaluation. This enabled our elite Falcon Complete and Falcon OverWatch teams to identify the emulated nation-state adversary as HELIX KITTEN (tracked as OilRig by MITRE) in just minutes. In a real-world scenario, this critical context of objectives and tactics, techniques and procedures (TTPs) empowers threat hunters to stay one step ahead of an attacker.

Our results in the MITRE evaluation speak to the combined power of the cloud-native Falcon platform and Falcon Complete’s MDR service, which offers 24/7 protection. The Falcon Complete team’s demonstrated ability to quickly and effectively identify adversaries and stop breaches is built upon the rigorous Falcon OverWatch threat hunting service, real-time data mining using Falcon indicators of attack (IOAs), machine learning, behavior-based telemetry and up-to-the-minute CrowdStrike threat intelligence, among other sources.

As part of a virtuous cycle that spans technology and human expertise, the Falcon platform continuously learns from our experts and ever-growing intelligence to deepen our understanding of threats, apply expertise at scale and expose the most-sophisticated adversary tactics to drive more effective security outcomes for our customers.


About the MITRE ATT&CK Evaluations for Security Service Providers

The new closed-book MITRE ATT&CK Evaluations for Security Service Providers assessed how the people and the technology of service providers can improve an organization’s ability to detect and contextualize an unknown threat, while providing proof and confidence that these capabilities can protect the organizations leveraging them. Testing was carried out over five days, covering 10 steps divided into 76 events, and highlighted the results from 16 participating vendors.

Importantly, MITRE ATT&CK Evaluations for Security Service Providers represents one of the closest emulations of a real-world scenario. The evaluation is designed to assess the ability of a vendor’s managed services to identify a sophisticated adversary with no prior knowledge of the attacker either before the start of the evaluation or during the test attack. As in real life, there are no do-overs. The defenders were not told which techniques were executed until after the evaluation was completed, and there was no opportunity for them to reconfigure the platform and try again if threat activity was missed.

The MITRE ATT&CK Evaluations for Security Service Providers emulated the behavior of a sophisticated nation-state adversary tracked as HELIX KITTEN by CrowdStrike Intelligence (known as OilRig by MITRE). The adversary was chosen based on its evasion and persistence techniques, its complexity and its relevance to industry. HELIX KITTEN has conducted operations relying on social engineering, stolen credentials and supply chain attacks, resulting in the theft of sensitive data from critical infrastructure, financial services, government/military and telecommunication organizations.

The scenario began with a spear-phishing attack against a national organization using malware associated with HELIX KITTEN campaigns. This was followed by lateral movement to identify and collect critical information, and the scenario ended with the adversary’s final goal of data exfiltration.

As the evaluation started, the Falcon Complete team coupled with Falcon OverWatch’s rigorous threat hunting service leveraged real-time data from the Falcon platform and up-to-the-minute CrowdStrike threat intelligence to create an incident diagram and map out adversary activity throughout the infrastructure (Figure 1).

Figure 1. Incident diagram created by the Falcon Complete and Falcon OverWatch teams, mapping adversary techniques as the attack unfolded

CrowdStrike presented visibility and supporting evidence about the adversary and what they were after by leveraging CrowdStrike’s leading adversary threat intelligence, which is built into the Falcon platform.

CrowdStrike presented visibility and supporting evidence across 75 of the 76 techniques that were part of the evaluation, from initial compromise to cleanup.

In an on-demand webcast, CrowdStrike experts unpack the MITRE evaluation and share best practices that enable you to accelerate SOC workflows and rapidly execute threat response — all without lifting a finger.
