Wizard Spider and Sandworm ATT&CK Evaluation Results: Data Encrypted For Impact (T1486)

Ashwin Radhakrishnan, MITRE-Engenuity
Published in MITRE-Engenuity, Mar 31, 2022 (10 min read)

The 2022 ATT&CK® Evaluations for Enterprise results are now available on the ATT&CK Evaluations website. This evaluation emulated behaviors inspired by Wizard Spider and Sandworm. A total of 30 vendors participated in this round, up from 29 participants in last year’s Carbanak and FIN7 Evaluation. Notably, we saw a significant uptick in vendors who participated in Protections: while there were 17 Protections participants for the Carbanak and FIN7 round, there were 23 Protections participants in this round. As always, we’ve been extremely fortunate to have collaborated with such a wide range of vendors for this research project. It is clear to us from the results that our participants have grown in the past year and are as excited as we are to prioritize threat-informed defense capabilities within their product suites.

With the participants in mind, let’s explore the adversaries we emulated in this round. Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organizations, ranging from major corporations to hospitals. Sandworm is a destructive Russian threat group that is known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks. These two threat actors were chosen based on their complexity, relevancy to the market, and how well MITRE Engenuity’s staff can fittingly emulate the adversary.

For any first-time viewers of our Evaluations, the easiest way to start getting value from our data is to peruse the results of each vendor participant. With any complicated emulation plan comes an equally complicated set of collected data. The results can be intimidating at first glance, but the best resource to get started can be found here. Additionally, you can view some tips and tricks to start leveraging the data more effectively.

For those already eager to sign up for Round 5, we will be opening the Call for Participation in the coming months. For those keeping track, this year also marks the first year we are undertaking two new Evaluation types, both of which are already in flight. Our first ever Trials Evaluations will yield similar data for vendors who feature deception capabilities. The final results will be published on April 30 in a format that is relevant to the purple team exercise we conducted for that round. Furthermore, we’ve officially closed the cohort for our first ever Managed Services Evaluations, which we are excited to release more about in the coming weeks.

I also want to highlight the tireless efforts of the team at MITRE Engenuity, who came together to deliver an innovative iteration of an already fantastic Evaluation offering. Again, we would like to thank the 30 vendors who participated in our research project. It is the joint collaboration that makes our Evaluation truly unique and substantive to the information security community at large. We’ve received overwhelmingly positive support from our vendors, and we’d like to highlight some key points as shared by our participants:

“We are delighted with the outcome as it clearly reflects our ceaseless effort to develop better technologies for our customers. By continuously leveraging the ATT&CK Evaluation as an opportunity to test our security capability against advanced threats, we will keep enhancing our security platform and threat response system in accordance with the global standard.” — Eric Jun, CTO, AhnLab

“In a market filled with over-hyped claims, Bitdefender is deeply committed to validating our capabilities through independent third-party testing. We consider the MITRE Engenuity ATT&CK Evaluations as a “gold standard” benchmark for real-world cybersecurity assessments. Our ongoing participation in MITRE Engenuity’s rigorous tests using tactics, techniques and procedures of sophisticated groups like Sandworm and Wizard Spider, demonstrates our continued innovation and excellence in threat prevention, detection and response.” — Dragos Gavrilut, Director, Cyber Threat Intelligence Lab, Bitdefender

“With the attack surface rapidly changing and becoming increasingly complex, organizations must prepare to mitigate various threats from sophisticated threat actors. BlackBerry is committed to mapping to the MITRE ATT&CK framework, providing customers with increased confidence in discovering gaps in processes and defense tools and enhancing overall network defense and protection. We believe that third-party testing is essential to help vendors and end-users better understand their product’s capabilities, and BlackBerry’s vision of stopping tomorrow’s threats, today.” — Billy Ho, Executive Vice President, BlackBerry Spark Group Products

“Sophistication and frequency of attacks increased dramatically over the past year, reaching new peaks. In this reality, organizations should adopt a threat-informed security strategy. MITRE Engenuity ATT&CK® Evaluations help them achieve that by evaluating cybersecurity solutions’ ability to defend against real-world cyberattacks and threat groups. Endpoint security plays a crucial role in protecting the hyper distributed workspace. The latest ATT&CK® Evaluations results highlight Harmony Endpoint leadership once again, for the 2nd consecutive year, as industry-leading threat detection and full attack visibility capabilities. Harmony Endpoint Customers get all the endpoint protection they need against all imminent threats like ransomware, malware, phishing while enjoying robust detection and response capabilities at the best TCO.” — Ofir Israel, Vice President of Threat Prevention, Check Point Software Technologies

“Achieving 100% prevention in the fourth round of the MITRE Engenuity ATT&CK Evaluation shows the power of the Falcon platform, which was designed to enable organizations to take a unified approach in detecting and preventing attacks across the endpoint, cloud, identity and data. CrowdStrike is setting the industry standard with a cloud-native security platform that is designed to deliver the most robust protections and stop the most sophisticated threats.” — Michael Sentonas, Chief Technology Officer, CrowdStrike

“These results validate the superior detection capabilities that Cybereason delivers against the most complex attack sequences. The ATT&CK framework is the go-to standard for assessing solution efficacy today, and we are proud of both our outstanding performance in all four years of the evaluations, and of our ongoing collaboration with MITRE CTID to further improve detection based on the most subtle of attacker behaviors. This is how we begin to defend forward as a community, stop relying so much on reactive approaches and take the fight to the adversary through behavior-oriented predictive response.” — Lior Div, CEO and Co-Founder, Cybereason

“CyCraft MDR automates investigations and alert verifications, providing SOC teams with the ground truth to an attack faster and more hands-off than existing solutions. Our fast, accurate, simple, thorough AI-driven approach to cybersecurity has led CyCraft to manage millions of endpoints from both government and enterprise customers in over a dozen countries worldwide.” — Benson Wu, Founder and CEO, CyCraft

“Cynet was pleased to participate in the MITRE ATT&CK Evaluation for the second time. This testing process helps us ensure that we continue to provide maximum protection to our customers. Threat actors are rapidly evolving their tactics, and defenders must make continuous improvement in cybersecurity protections to remain a step ahead. Throughout the process, we had the opportunity to evaluate our XDR platform in combination with our detections. The feedback we receive from the MITRE ATT&CK evaluation has been invaluable to help guide the evolution of our platform.” — Aviad Hasnis, CTO, Cynet

“Deep Instinct is thrilled to have participated, for the first time, in this year’s round of the MITRE Engenuity’s ATT&CK Evaluations emulating advanced threat groups. We are pleased to have demonstrated our deep learning powered, prevention-first approach by achieving excellent results in all tested prevention scenarios and providing analytic-level insight across almost all of our detection coverage. These evaluations provide Deep Instinct and others in the industry with valuable insight needed to continuously improve our offerings and prevent organizations from succumbing to prolific and destructive threats.” — Shimon N. Oren, VP Research & Deep Learning, Deep Instinct

“The MITRE Engenuity ATT&CK evaluation is an objective and definitive test to assess vendor detections and protections against adversary tradecraft. These tests are invaluable to the security community for their transparency in confirming vendors’ security practices. We are thrilled to have participated in MITRE ATT&CK evaluations every year since their inception.” — Paul Ewing, Threat Researcher and Principal Product Manager, Elastic

“ESET believes in taking a multi-layered, high performance approach to developing our detection technologies. ESET Inspect is the foundation of our extended detection and response (XDR) capabilities and works together with ESET PROTECT to offer a complete security solution that is optimized for ease of use. We have been tracking Sandworm since its inception, being the first to identify the work of its subgroups BlackEnergy and TeleBots and to discover the origin of the NotPetya outbreak. For us, it’s critical to keep ahead of the curve with our telemetry and put our solutions to the test through the expert lens of the MITRE Engenuity team.” — Roman Kováč, Chief Research Officer, ESET

“Cyber security buyers struggle to understand the quality of the products they buy. Security testing is hard, so MITRE Engenuity must be applauded for the objective, realistic tests they perform. We’ve taken part in every ATT&CK Enterprise Evaluation to date, which reflects our commitment to being transparent to our customers. Our results confirm why none of our customers has suffered a serious loss from a cyber-attack.” — Leszek Tasiemski, Head of Products for Business Security, WithSecure

“As cybersecurity threats increase in both number and sophistication, it is essential for organizations to strengthen their prevention and response capabilities. Malwarebytes’ Endpoint Detection and Response platform includes the powerful tools that individuals and enterprises alike need in order to ensure an effective proactive security posture. The results of our ATT&CK evaluations are testament to our leadership and continued growth in this space.” — Barry Mainz, Chief Operating Officer, Malwarebytes

“Achieving 100% prevention and protection in the fourth round of the MITRE Engenuity ATT&CK Evaluation shows the power and maturity of Microsoft 365 Defender, which delivers a unified XDR approach to detecting and preventing ransomware attacks spanning multi-platform endpoints, identities, applications, and multi-cloud environments.” — Rob Lefferts, Corporate Vice President, M365 Security, Microsoft

“MITRE Engenuity results are the best measure of security product effectiveness for today’s threats and an important vendor evaluation criteria for customers. Our performance is a testament to the continuing innovation we bring to Cortex XDR and proof of our ability to provide customers with outstanding protection. We value the threat-informed approach MITRE takes that helps drive the industry forward, making it a safer, more secure world.” — Gonen Fink, Senior Vice President, Cortex Products, Palo Alto Networks

“The MITRE ATT&CK framework has become the industry standard that provides common language around adversarial behaviors — ultimately allowing security teams to create and implement a top-notch threat informed defense. As a contributor to ATT&CK, Qualys is thrilled to have participated in the 2022 MITRE ATT&CK Evaluations. Just one year following the launch of Qualys’ Multi-Vector EDR, the company is proud to stand shoulder to shoulder with some of the industry’s best. Our solution demonstrates the dedication and collaboration of our engineering and research teams, and their overall mission to deliver visibility, protection against threats, and provide detection of malicious behaviors to our customers.” — Travis Smith, Vice President, Malware Threat Research, Qualys

“MITRE’s ATT&CK framework and evaluations continue to elevate threat-informed defense planning, discussions, and response across our industry. Rapid7 appreciates the opportunity to participate in this evaluation; it’s one very important way we learn and get better. We are excited to give our customers and the security community greater visibility into our endpoint capabilities and strengthened signal-to-noise that is possible with InsightIDR.” — Sam Adams, Vice President of Detection and Response, Rapid7

“ReaQta applauds and appreciates the work of MITRE Engenuity ATT&CK evaluations in helping organizations to make transparent and informed decisions that can help them become more cyber resilient. This is the 3rd time ReaQta has participated in the evaluations and we are always impressed by the professionalism and dedication of the MITRE Engenuity team.” — Alberto Pelliccione, CEO, ReaQta, an IBM company

“One of the biggest cybersecurity challenges for organizations is buying and implementing the right tool to protect the organization while empowering its security teams. MITRE Engenuity ATT&CK is one of the most objective and definitive tests to measure EDR and XDR capability, bringing much-needed visibility in helping practitioners sort through a complex vendor landscape. SentinelOne is proud to partner with the MITRE community, actively contributing to adversary behavior research so that blue teams can better detect, protect against, and ultimately prevent these kinds of sophisticated attacks.” — Jared Phipps, Senior Vice President, Worldwide Sales Engineering, SentinelOne

“SOMMA considers secure visibility, threat behavior detection with data analysis and its root cause tracking as the most valuable in cyber breach circumstances. The MITRE ATT&CK evaluation is quite effective to evaluate and prove our value and aim. We are convinced that MITRE Engenuity is doing great things to counteract effectively in today’s evolved cyber threat environment.” — Mr. Yong-Hwan Roh, CEO and Founder, SOMMA, Inc.

“The challenge of protecting your organization against real-world cyberthreats is a demanding effort in precision and scale. Providing the highest level of context to a defender is key to improving the speed at which you can identify and respond to attacker tactics, techniques, and procedures (TTPs). Adversaries continuously adapt and evolve their toolsets and activity to seize new opportunities, evade detection and try to stay one step ahead of security teams. For that reason, we’re proud to be recognised in the MITRE Engenuity evaluations, which focus on the actual TTPs of two assertive and modern-day attackers.” — Joe Levy, Chief Technology and Product Officer, Sophos

“We are constantly innovating to stay ahead of attackers, and the results in this latest evaluation demonstrate our success in doing so. We believe participation in these evaluations, as well as contributions to the MITRE ATT&CK frameworks, help us and our customers in stopping complex attacks. We are committed to mapping to the ATT&CK framework throughout our solutions so SOC analysts can better understand the tactics and techniques being targeted in their environments.” — Wendy Moore, Vice President of Product Marketing, Trend Micro

“MITRE’s rigorous testing reflects the type of threats that our customers are seeing in the real world, where there are no redos. With highly effective detection and prevention, our results demonstrate the power of VMware’s comprehensive endpoint and network visibility, which not only works out of the box, but also works the first time.” — Scott Lundgren, Chief Technology Officer, VMware Security Business Unit

“Ransomware is a growing scourge for all types of organizations and the focus of these MITRE Engenuity ATT&CK evaluations could not come at a more appropriate time. Security teams can use these evaluation results to identify gaps in their detection coverage. Our strong performance in both the Windows and Linux portions of the evaluation demonstrates how Uptycs helps these security teams to detect even advanced ransomware actors, in addition to the hardening needed to minimize the risk of ransomware in the first place.” — Ganesh Pai, Co-Founder and CEO, Uptycs

© 2022 MITRE Engenuity LLC. Approved for Public Release. Document number AT0029