MITRE ATT&CK

TEHTRIS complies with the requirements of the MITRE Engenuity ATT&CK Evaluations.

19 steps and 143 sub-steps to evaluate detection capabilities

TEHTRIS has successfully participated in the MITRE Engenuity ATT&CK Evaluations: Enterprise.

The MITRE Engenuity ATT&CK evaluation plan takes place over 4 days:

  • Day 1 – Evaluate the ability to detect and classify threats for the 1st scenario.
  • Day 2 – Evaluate the ability to detect and classify threats in the 2nd scenario.
  • Day 3 – Evaluate anything missed on Days 1 & 2 and test with Configuration Changes. 
  • Day 4 – Evaluate Protections.

This year’s exercise involved simulating the modus operandi of the Turla threat actor.

What is MITRE Engenuity ATT&CK Evaluations: Enterprise?

MITRE Engenuity ATT&CK Evaluations: Enterprise is an independent international exercise forcybersecurity vendors. The goal is to highlight their detection capabilities.

These evaluations are based on MITRE’s objective insight. Cybersecurity providers use the ATT&CK Evaluations program to improve their offerings and provide information on the capabilities and performance of their products.

MITRE Engenuity does not rank the vendors that take part in their evaluations. These evaluations are not competitive analyses, as there is no single solution for our end-users’ environments.

The MITRE ATT&CK results confirm the efficiency of the TEHTRIS XDR Platform

  • Choke points have been detected. Customers are protected and TEHTRIS alerts use the MITRE taxonomy.
  • No delayed alerts: all detections were made in real time and without human action.
  • No configuration changes: TEHTRIS has chosen to carry out its detections with configurations established before the test, to be in line with the reality of an attack.

Detection with zero delay and without human interaction

Nearly half the participants experienced detection delays. This had a direct and significant impact on the defense teams’ Mean Time To Detect (MTTD).

TEHTRIS was able to automatically detect all choke points in real time.

No configuration changes for TEHTRIS

TEHTRIS has chosen to carry out 100% of its detections with configurations established before the test, in orderto demonstrate the efficiency of the TEHTRIS XDR Platform.

From day 3 onwards, configuration changes were authorized by MITRE during the test phases. This enabled software publishers to display better detections on “day 3”, as the attack progressed. However, on a day-to-day basis, attackers don’t wait for cyber defense teams to make configuration changes…

For your information: out of the 30 participants, 23 decided to modify their software configuration several times in order to be able to detect alerts, using the information from days 1 and 2. In real life, such configuration changes aren’t possible for understaffed teams, that are already under pressure. With today’s lightning-fast attacks, our cyber-defense solutions need to already have the right configuration set in the beginning. Only detections made in real time and without human interaction can deliver this type of response.

Evaluation rules: a very limited use of the TEHTRIS XDR Platform

To be in line with the rules established by MITRE Engenuity, TEHTRIS used a small part of its defensive arsenal for this evaluation. Only the EDR and SIEM modules of the TEHTRIS XDR Platform were deployed in the simulated attack environment. Most of our solutions and modules were disabled (CTI, Sandboxes, CYBERIA, EPP, NTA, Honeypots, SOAR).

MITRE Engenuity has forbidden us to neutralize Turla automatically and without human action, in order to allow the emulated attack to continue until its execution.

Despite all these limitations, TEHTRIS passed the MITRE Engenuity evaluation. Threats were detected at critical points as soon as they were executed. If the power of our TEHTRIS XDR Platform would had been exploited without constraints, then the threats would have been neutralized in real time and without human intervention.