Last updated at Tue, 25 Apr 2023 19:36:56 GMT

Rapid7 is very excited to share the results of our participation in MITRE Engenuity’s latest ATT&CK Evaluation, which examines how adversaries abuse data encryption to exploit organizations.

With this evaluation, our customers and the broader security community get a deeper understanding of how InsightIDR helps protectors safeguard their organizations from destruction and ransomware techniques, like those used by the Wizard Spider and Sandworm APT groups modeled for this MITRE ATT&CK analysis.

What was tested

At the center of InsightIDR’s XDR approach is the included endpoint agent: the Insight Agent. Rapid7’s universal Insight Agent is a lightweight endpoint software that can be installed on any asset – in the cloud or on-premises – to collect data in any environment. The Insight Agent enables our EDR capabilities that are the focus of this ATT&CK Evaluation.

Across both Wizard Spider and Sandworm attacks, we saw strong results indicative of the high-fidelity endpoint detections you can trust to identify real threats as early as possible.

Building transparency and a foundation for dialogue with MITRE Engenuity ATT&CK evaluations

Since the launch of MITRE ATT&CK in May 2015, security professionals around the globe have leveraged this framework as the “go-to” catalog and reference for cyberattack tactics, techniques, and procedures (TTPs). With this guide in hand, security teams visualize detection coverage and gaps, map out security plans and adversary emulations to strengthen defenses, and quickly understand the criticality of threats based on where in the attack chain they appear. Perhaps most importantly, ATT&CK provides a common language with which to discuss breaches, share known adversary group behaviors, and foster conversation and shared intelligence across the security community.

MITRE Engenuity’s ATT&CK evaluation exercises offer a vehicle for users to “better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results — leading to a safer world for all.” The 2022 MITRE ATT&CK evaluation round focuses on how groups leverage “Data Encrypted for Impact” (encrypting data on targets to prevent companies from being able to access it) to disrupt and exploit their targets. These techniques have been used in many notorious attacks over the years, notably the 2015 and 2016 attacks on Ukrainian electric companies and the 2017 NotPetya attacks.

How to use MITRE Engenuity evaluations

One of the most compelling parts of the MITRE evaluations is the transparency and rich detail provided in the emulation, the steps of each attack, vendor configurations, and detailed read-outs of what transpired. But remember: These vendor evaluations do not necessarily reflect how a similar attack would play out in your own environment. There are nuances in product configurations, the sequencing of events, and the lack of other technologies or product capabilities that may exist within your organization but didn’t in this scenario.

It's best to use ATT&CK Evaluations to understand how a vendor's product, as configured, performed under specific conditions for the simulated attack. You can analyze how a vendor's offering behaves and what it detects at each step of the attack. This can be a great start to dig in for your own simulation or to discuss further with a current or prospective vendor. Consider your program goals and metrics that you are driving towards. Is more telemetry a priority? Is your team driving toward a mean-time-to-respond (MTTR) benchmark? These and other questions will help provide a more relevant view into these evaluation results in a way that is most relevant and meaningful to your team.

InsightIDR delivers superior signal-to-noise

Since the evolution of InsightIDR, we made customer input our "North Star" in guiding the direction of our product. While the technology and threat landscape continues to evolve, the direction and mission that our customers have set us on has remained constant: In a world of limitless noise and threats, we must make it possible to find and extinguish evil earlier, faster, and easier.

Simple to say, harder to do.

While traditional approaches give customers more buttons and levers to figure it out themselves, Rapid7’s approach is from a different angle. How do we provide sophisticated detection and response without creating more work for an already overworked SOC team? What started as a journey to provide (what was a new category at the time) user and entity behavior analytics (UEBA) evolved into a leading cloud SIEM, and it’s now ushering in the next era of detection and response with XDR.

Key takeaways of the MITRE Engenuity ATT&CK Evaluation

  • Demonstrated strong visibility across ATT&CK, with telemetry, tactic, or technique coverage across 18 of the 19 phases covered across both simulations
  • Consistently indicated threats early in the cyber killchain, with solid detections coverage across Initial Compromise in the Sandworm evaluation and both Initial Compromise and Initial Discovery in the Wizard Spider evaluation
  • Showcased our commitment to providing a strong signal-to-noise ratio within our detections library with targeted and focused detections across each phase of the attack (versus alerting on every small substep)

As our customers know, these endpoint capabilities are just the tip of the spear with InsightIDR. While not within the scope of this evaluation, we also fired several targeted alerts that didn’t map to MITRE-defined subtypes — offering additional coverage beyond the framework. We know that with our other native telemetry capabilities for user behavior analytics, network traffic analysis, and cloud detections, InsightIDR provides relevant signals and valuable context in a real-world scenario — not to mention the additional protection, intelligence, and accelerated response that the broader Insight platform delivers in such a use case.

Thank you!

We want to thank MITRE Engenuity for the opportunity to participate in this evaluation. While we are very proud of our results, we also learned a lot throughout the process and are actively working to implement those learnings to improve our endpoint capabilities for customers. We would also like to thank our customers and partners for their continued feedback. Your insights continue to inspire our team and elevate Rapid7’s products, making more successful detection and response accessible for all.

To learn more about how Rapid7 helps organizations achieve stronger signal-to-noise while still having defense in depth across the attack chain, join our webcast where we’ll be breaking down this evaluation and more.

Additional reading:


Get the latest stories, expertise, and news about security today.