2025, Research Notes

MITRE ATT&CK Round 6 Insights

Source: blogtrepreneur.com/tech

For the past several years, MITRE Engenuity's ATT&CK Evaluations, built on the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) knowledge base of threat actor tactics, techniques, and procedures, have measured how well endpoint security solutions detect and prevent emulated adversary behavior. Last year's Round 5 focused on the ability of almost thirty EDR solution providers to detect, analyze, and describe the techniques of the Turla threat group across multiple attack scenarios.

This year's Round 6 focuses on ransomware emulation and on macOS infiltration by a North Korean threat actor profile, including adversary behaviors such as the abuse of legitimate tools and of defensive capabilities. The round kicked off in late May of this year, and the 19 participants were AhnLab, Bitdefender, Check Point, Cisco, Cybereason, Cynet, ESET, HarfangLab, Malwarebytes, Microsoft, Palo Alto Networks, Qualys, SentinelOne, Sophos, TEHTRIS, Trellix, Trend Micro, WatchGuard, and WithSecure.

I won’t attempt to do a full analysis, given the depth and breadth of what the MITRE framework encompasses. Rather, I’ll highlight a few observations from this year’s Round 6:

  • A new false positive tracking metric was added to this round's evaluations. I find that an important addition, especially given the growing volume of alerts that security analysts are inundated with, driven by massive data sets and telemetry feeds.
  • Each evaluation was performed in a cloud computing environment containing Windows, Linux, and macOS operating systems. From my perspective, that's an accurate representation of real-world scenarios, and it broadened the range of endpoint platforms included this year. However, the overall number of participants dropped significantly, from 29 in 2023 to 19 in 2024.
  • Palo Alto Networks performed exceptionally well compared to the other participants this year. The company's Cortex XDR solution set a record as the first to achieve 100% detection with technique-level detail and no configuration changes, for the second year in a row. Additionally, it prevented 8 out of 10 attack steps while maintaining zero false positives under that newly introduced metric. Those are impressive results, and they reinforce my positive impressions of the company's cybersecurity platform strategy, execution, and Unit 42 Threat Research Center capabilities after my meetings with the executive leadership team this past November.
  • CrowdStrike was initially a participant of record, dating back to May of this year, but the embattled cybersecurity provider did not complete the evaluation with its Falcon endpoint solution. I wrote this past summer about the company's challenges with its flubbed EDR update, and its withdrawal is interesting from a timing perspective. I would speculate, however, that CrowdStrike is focused on shoring up its developer operations processes and how it delivers future EDR updates to prevent a similar occurrence.

The full MITRE Round 6 cybersecurity evaluations contain a lot to unpack—if you are interested, you can find the entire summary here.

Source: https://www.linkedin.com/pulse/mitre-attck-round-6-insights-will-townsend-d1qac/?trackingId=8BY3W1ZyT5evkekPCzGIUg%3D%3D
