Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations

Credit to Author: Paul Oliveria| Date: Thu, 31 Mar 2022 20:27:12 +0000

For the fourth year in a row, the independent MITRE Engenuity Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) Evaluations demonstrated Microsoft’s strong detection and protection capabilities thanks to our multi-platform extended detection and response (XDR) defenses.

The ever-evolving threat landscape continues to deliver adversaries with new techniques, revamped tactics, and more advanced attack capabilities. Such threats demand comprehensive security solutions that provide a holistic view of the attack across endpoints and domains, prevent and block attacks at all stages, and provide security operations (SecOps) with automated tools to remediate complex threats and attackers in the network.

This year’s ATT&CK Evaluations concentrated on advanced threat actors Wizard Spider and Sandworm. These actors are known for deploying sophisticated human-operated ransomware campaigns designed to destabilize infrastructure and institutions. The testing included detection benchmarks and protection simulations across platforms, such as Windows and Linux, of more than 100 steps and 66 unique ATT&CK techniques across the attack chain.  

We’re proud to report that Microsoft 365 Defender successfully detected and prevented malicious activity at every major attack stage, demonstrating comprehensive technique-level coverage across endpoints and identities. Rich threat intelligence synthesized from trillions of security signals on a daily basis proved key to informing both controls to be implemented in a Zero Trust approach and threat hunting. 

MITRE Engenuity’s ATT&CK Evaluations results emphasized that Microsoft’s success in this simulation was largely due to our:

  • Industry-leading XDR. Microsoft 365 Defender simplified thousands of alerts into two incidents and a clear timeline spanning identity and endpoint to enable rapid resolution.
  • Superior EPP and EDR. Microsoft Defender for Endpoint both prevented attacks and quickly identified and contained suspicious activities in the pre- and post-ransom phases to stop attacks.
  • Comprehensive multi-platform protection. Microsoft 365 Defender demonstrated maturity in protecting multi-platform environments. In addition to Windows, Microsoft Defender for Endpoint’s behavioral and machine learning models blocked and detected every major step on Linux for the second year in a row.
Decorative image illustrating Microsoft 365 Defender's staples for protecting against ransomware.
Figure 1. MITRE Engenuity’s ATT&CK Evaluation results demonstrated that Microsoft 365 Defender protects against ransomware with industry-leading XDR, EPP and EDR, and multi-platform protection.

Microsoft defends against human-operated ransomware with industry-leading XDR

One of the most prominent dangers in today’s threat landscape are human-operated ransomware campaigns, which leverage the playbook of advanced nation-state actors, where a threat actor actively targets one or more organizations using custom-built techniques for the target network. These campaigns also often involve encryption and exfiltration of high-value data, making it critical for security solutions to address the threat quickly and aggressively. If successful, human-operated ransomware attacks can cause catastrophic and visible disruption to organizations, their customers, and the rest of their communities. Protecting against these attacks requires a holistic security strategy that can resist a persistent attacker, including the ability to isolate and contain the threat to prevent widespread damage.

As demonstrated in the evaluation, Microsoft 365 Defender protected against these sophisticated attacks with:

  • Prevention at the earliest stages of the attack to stop further attacker activity without hindering productivity
  • Diverse signal capture from devices and identities, with device-to-identity and identity-to-device signal correlation
  • Coverage across device assets, including Windows, Linux, Mac, iOS, and Android
  • Excellent pre-ransom and ransom protection for both automated remediation of the persistent threats and complete eviction of the attacker in network

Integrated identity threat protection proves critical

With human-operated ransomware, threat actors are constantly advancing their techniques. This year’s test included domain trust discovery activity, pass-the-hash, pass-the-ticket, and stealing credentials through Kerberoasting. Microsoft supports billions of identity authentications per day, and Microsoft 365 Defender has deep integration with both on-premises and cloud identities, thus enabling a level of detection and visibility that far exceeds what is possible with endpoint data alone and by fusing endpoint and identity data. Microsoft 365 Defender protects hundreds of millions of customer identities today, and the integration of identity threats into the events timeline was instrumental in detections during evaluation.

Aggregating alerts into prioritized incidents streamlined the investigation experience

Microsoft 365 Defender streamlined the investigation experience by correlating more than a thousand alerts into significant incidents and identified complex, seemingly unrelated links between attacker activities across various domains. Time to remediate is critical in a ransomware attack, and Microsoft 365 Defender’s incidents page simplifies the SecOps experience by providing essential context on active alerts, key devices, and impacted users. It also allows defenders to enable both automatic and manual remediations that offer insightful and actionable alerts, rather than filtering through unrelated events that can add strain on resources, particularly during an existing attack. EDR further enables analysts to approach investigations through multiple vectors, providing detailed behavioral telemetry that includes process information, network activities, kernel and memory manager deep optics, registry and file system changes, and user login activities to determine the start and scale of an attack.

Screenshot of Microsoft 365 Defender UI where the top section shows a notification about a multi-stage incident. The summary page provides visualizations of active alerts and lists of impacted devices and users.
Figure 2. Microsoft 365 Defender’s incidents page correlating all the devices, users, alerts, and evidence that describe the attack simulated by MITRE Engenuity.  

Microsoft 365 Defender delivers mature multi-platform protection

The attack scenario mimicked a threat actor’s ability to target heterogeneous environments and spread across platform ecosystems. We’re proud to state that Microsoft 365 Defender’s security capabilities provided superior detection and protection and complete Linux coverage for the second consecutive year.

Microsoft 365 Defender offers comprehensive capabilities across the popular desktop and mobile operating systems, such as Linux, Mac, Windows, iOS, and Android. These capabilities include next-generation antivirus, EDR, and behavioral and heuristic coverage across numerous versions of Linux. Microsoft has invested heavily in protecting non-Windows platforms in the last four years and, today, offers the extensive capabilities organizations need to protect their networks. 

Microsoft takes a customer-centered approach to tests

The evolving threat landscape demands security solutions with wide-ranging capabilities, and we’re dedicated to helping defenders combat such threats through our industry-leading, cross-domain Microsoft Defender products. Microsoft’s philosophy in this evaluation is to empathize with our customers, so we configured the product as we would expect them to. For example, we didn’t perform any real-time detection tuning that might have increased the product’s sensitivity to find more signals, as it would have further created an untenable number of false positives if in a real-world customer environment.

We thank MITRE Engenuity for the opportunity to contribute to and participate in this year’s evaluation.

Learn more

For more information about human-operated ransomware and how to protect your organization from it, refer to the following articles:

Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations appeared first on Microsoft Security Blog.

https://blogs.technet.microsoft.com/mmpc/feed/