ATT&CK Evaluations Emulate Wizard Spider and Sandworm Threat Groups
MCLEAN, Va., & BEDFORD, Mass.–(BUSINESS WIRE)–MITRE Engenuity ATT&CK® Evaluations (Evals), a program of MITRE Engenuity™, MITRE’s tech foundation for public good, today released its fourth round of independent ATT&CK Evaluations for enterprise cybersecurity solutions, highlighting results across 30 vendors. MITRE Engenuity helps government and industry combat cybersecurity attacks through threat-informed defense practices.
Through the lens of the MITRE ATT&CK knowledge base, ATT&CK Evals focused on Wizard Spider and Sandworm threat actors. Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organizations, ranging from major corporations to hospitals. Sandworm Team is a destructive Russian threat group that is known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. These two threat actors were chosen based on their complexity, relevancy to the market, and how well MITRE Engenuity’s staff can fittingly emulate the adversary.
“This latest round indicates significant product growth from our vendor participants. We are seeing greater emphasis in threat-informed defense capabilities, which in turn has developed the infosec community’s emphasis on prioritizing the ATT&CK framework,” said Ashwin Radhakrishnan, acting general manager of ATT&CK Evals, MITRE Engenuity.
These open and fair evaluations, which were paid for by the vendors, include solutions from: AhnLab, Bitdefender, BlackBerry Cylance, Check Point, Cisco, CrowdStrike, Cybereason, CyCraft, Cynet, Deep Instinct, ESET, Elastic, F-Secure, Fidelis, FireEye, Fortinet, Malwarebytes, McAfee, Microsoft, Palo Alto Networks, Qualys, Rapid7, ReaQta, SentinelOne, Somma, Sophos, Symantec, Trend Micro, Uptycs, and VMWare.
The ATT&CK Evals team chose to emulate two threat groups that abuse the Data Encrypted For Impact (T1486) technique. In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368) that disguised itself as ransomware. While the common thread to this year’s evaluations is “Data Encrypted for Impact,” both groups have substantial reporting on a broad range of post-exploitation tradecraft.
Previous evaluations pitted cybersecurity products from 29 vendors against the threats from FIN7 and Carbanak, products from 12 vendors against the threat from APT3, and products from 12 vendors against the threat of APT29.
For full results and more information about the evaluations, please visit: https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-and-sandworm/.
About MITRE Engenuity
MITRE Engenuity, a subsidiary of MITRE, is a tech foundation for the public good. MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.
MITRE Engenuity brings MITRE’s deep technical know-how and systems thinking to the private sector to solve complex challenges that government alone cannot solve. MITRE Engenuity catalyzes the collective R&D strength of the broader U.S. federal government, academia, and private sector to tackle national and global challenges, such as protecting critical infrastructure, creating a resilient semiconductor ecosystem, building a genomics center for public good, accelerating use case innovation in 5G, and democratizing threat-informed cyber defense.
About MITRE Engenuity ATT&CK® Evaluations
ATT&CK® Evaluations is built on the backbone of MITRE’s objective insight and conflict-free perspective. Cybersecurity vendors turn to the Evals program to improve their offerings and to provide defenders with insights into their product’s capabilities and performance. Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity’s commitment to serve the public good, Evals results and threat emulation plans are freely accessible.
© 2022 MITRE #22-1017 03-31-2022
Merritt Group for MITRE Engenuity