Untainted By Design: How Our MITRE ATT&CK Results Demonstrate the Resilience of Carbon Black

ID CARBONBLACK:89EED0E0C5EF08529298051383198149
Type carbonblack
Reporter Chris Prall
Modified 2018-12-20T16:00:52


I started my career in cybersecurity 10 years ago as a Technical Operations Officer in the US Intelligence Community, where I had a first-hand view into the most sophisticated ongoing cyber operations in the world. One thing was always clear: attackers always found ways to stay a step ahead of the defenders. This is why Carbon Black’s approach to continuous recording of unfiltered data is so key.

As the Senior Product Manager for CB ThreatHunter, I’m also ecstatic about our recent MITRE ATT&CK results and how they demonstrate the power of our approach. Carbon Black outperformed all other EDR solutions in the test. Our detections had no delays, and required no human analysts from a vendor to read data, write queries and fire alerts. But one aspect of the evaluation that’s particularly important is what MITRE called tainted detection results — and the fact that Carbon Black had none of them.

Tainted Detections Are More Brittle Than Untainted

One area of the MITRE ATT&CK evaluation that generated a lot of confusion is the term “tainted” detections. What exactly does that mean? And is it a good thing or bad thing for the user?

It’s very simple — tainted detections are more brittle than untainted detections. MITRE defines these tainted detections in their methodology as when a solution “detects the activity based on previously identified suspicious/malicious behavior that is related to or ‘tainted by’ the detection.” If the attacker changes their initial approach even slightly, later detections may not happen and there is no guarantee that the critical telemetry will be recorded. MITRE's lead engineer for the evaluations program clarified this on Twitter.

Tainted Detections Are Unpredictable and Frustrating

It’s that unpredictability that frustrates actual users. They’re relying on these tools to give them information, and they need consistency with regard to what data they have access to. Otherwise, the product leaves them high and dry when management comes asking for answers they don’t have. The more detections that are tainted, the more brittle the solution is overall, meaning the attacker is one tweak away from detection evasion.

Untainted Detections Means Attackers Can’t Hide

We achieved zero tainted results in the MITRE test because of our unfiltered approach to data collection. We don’t make a determination as to whether an event is good or bad when we collect it from the endpoint. That decision isn’t dependent on a prior detection having already happened — meaning that even as attackers change techniques, we’ll still capture telemetry and detect the threat. Attackers can’t hide because we are monitoring every action on the endpoint — good or bad.
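To make the distinction between the “tainted” definition above and the unfiltered approach concrete, here is an added illustration that is not Carbon Black’s code or data from the MITRE evaluation: two constructed behavioural rules run over constructed process telemetry, once with every rule evaluated independently on every recorded event, and once with the second rule gated on a prior detection. The event schema, the rule names and the sample process chains are all assumptions made for the example.

```python
from collections import namedtuple

# Constructed process-creation telemetry record (not Carbon Black's schema).
Event = namedtuple("Event", "pid ppid image cmdline")

def office_spawns_shell(e, procs):
    """Rule 1 (constructed): a Word process launches a command shell."""
    parent = procs.get(e.ppid)
    return parent is not None and parent.image == "winword.exe" and e.image in ("cmd.exe", "powershell.exe")

def encoded_powershell(e):
    """Rule 2 (constructed): PowerShell started with an encoded command."""
    return e.image == "powershell.exe" and "-enc" in e.cmdline.lower()

def run_untainted(events):
    """Record every event and evaluate each rule on each event on its own."""
    procs, hits = {}, []
    for e in events:
        procs[e.pid] = e
        if office_spawns_shell(e, procs):
            hits.append((e.pid, "office_spawns_shell"))
        if encoded_powershell(e):
            hits.append((e.pid, "encoded_powershell"))
    return hits

def run_tainted(events):
    """Evaluate rule 2 only on descendants of a process rule 1 already flagged,
    so every later detection is 'tainted by' the first one."""
    procs, tainted, hits = {}, set(), []
    for e in events:
        procs[e.pid] = e
        if office_spawns_shell(e, procs):
            tainted.add(e.pid)
            hits.append((e.pid, "office_spawns_shell"))
        elif e.ppid in tainted:
            tainted.add(e.pid)
            if encoded_powershell(e):
                hits.append((e.pid, "encoded_powershell"))
    return hits

# Constructed sample telemetry: one chain, then the same chain with only its
# first step changed (Word launches wscript.exe instead of cmd.exe).
ENC = "powershell -enc BASE64PLACEHOLDER"
ORIGINAL_CHAIN = [Event(100, 1, "winword.exe", "winword.exe doc.docx"),
                  Event(101, 100, "cmd.exe", "cmd.exe /c " + ENC),
                  Event(102, 101, "powershell.exe", ENC)]
TWEAKED_CHAIN = [Event(200, 1, "winword.exe", "winword.exe doc.docx"),
                 Event(201, 200, "wscript.exe", "wscript.exe stage.js"),
                 Event(202, 201, "powershell.exe", ENC)]
```

Changing only the first step of the chain makes the gated pipeline lose every later detection, while the independent pipeline still fires on the encoded PowerShell step because that event was recorded and evaluated regardless of what came before it.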

Untainted Detections with Correlated Alerts = the Most Resilient EDR

The power of Carbon Black has always been our ability to gather all this unfiltered endpoint data, but then correlate events and prioritize alerts so that users can clearly see what activities are related to each other and can easily address incidents and hunt for threats. Security professionals deciphering the MITRE results need to consider how resilient the detection methodology is, along with how well alerts are correlated and prioritized. With Carbon Black, you get the best of both worlds: untainted detections and intuitive event correlation.

PLUS, Our Results Had No Delays and No Humans In The Loop

It’s also important to note the other powerful attributes of Carbon Black that were demonstrated in the MITRE ATT&CK evaluation:

  • Zero delayed detections — alerts were triggered in real time without delay
  • Zero humans in the loop — we don’t require you to have human analysts on the back end, because our technology is strong enough to do the job for you.

Along with zero tainted detections, these results clearly show why we outperformed all other EDR solutions in the test.

This powerful combination of unfiltered data and real-time insights is exactly what customers continue to expect from us. With our recent announcement of the general availability of CB ThreatHunter on the PSC and the release of our MITRE ATT&CK Threat Feed, Carbon Black continues to rapidly innovate on our approach to endpoint security, paving the way for security professionals to see more attacks and stop more attacks, untainted and in real time.
