I started my career in cybersecurity 10 years ago as a Technical Operations Officer in the US Intelligence Community, where I had a first-hand view into the most sophisticated ongoing cyber operations in the world. One thing was always clear: attackers always found ways to stay a step ahead of the defenders. This is why Carbon Black’s approach to continuous recording of unfiltered data is so key.
As the Senior Product Manager for CB ThreatHunter, I’m also ecstatic about our recent MITRE ATT&CK results and how they demonstrate the power of our approach. Carbon Black outperformed all other EDR solutions in the test. Our detections had no delays and required no human analysts from the vendor to read data, write queries and fire alerts. But one aspect of the evaluation that’s particularly important is what MITRE called tainted detection results, and the fact that Carbon Black had none of them.
One area of the MITRE ATT&CK evaluation that generated a lot of confusion is the term “tainted” detections. What exactly does that mean? And is it a good thing or bad thing for the user?
It’s very simple: tainted detections are more brittle than untainted ones. MITRE’s evaluation methodology defines a tainted detection as one where a solution “detects the activity based on previously identified suspicious/malicious behavior that is related to or ‘tainted by’ the detection.” In practice that means the later detection exists only because an earlier detection already flagged related activity (typically the parent process or the originating file); it is evidence of the earlier detection, not an independent judgment about the later activity. If the attacker changes their initial approach even slightly, so that the first detection never fires, the later detections may not happen either, and there is no guarantee that the critical telemetry will even be recorded. MITRE’s lead engineer for the evaluations program clarified this on Twitter.
It’s that unpredictability that frustrates actual users. They’re relying on these tools to give them information, and they need consistency regarding what data they have access to. Otherwise, the product leaves them high and dry when management comes asking for answers that they don’t have. The more detections that are tainted, the more brittle the solution is overall, meaning the attacker is one tweak away from detection evasion.
We achieved zero tainted results in the MITRE test because of our unfiltered approach to data collection. We don’t make a determination as to whether an event is good or bad when we collect it from the endpoint; every event is recorded. Detection isn’t dependent on a prior detection having already fired, meaning that even as attackers change techniques, we’ll still capture the telemetry and detect the threat. Attackers can’t hide because we are monitoring every action on the endpoint, good or bad.
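To make the distinction in the two paragraphs above concrete, here is a small simulation I’ve added for this piece; it is not Carbon Black’s detection code and does not reflect any vendor’s real rules. It feeds two constructed process-creation chains (an Office macro spawning PowerShell, then the same payload launched from a script host instead) through a detector whose second rule only runs inside an already-flagged process tree, and through one that records every event and evaluates every rule independently, correlating alerts afterwards by process ancestry. All process names, command lines, PIDs and rule names are invented for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event as an endpoint sensor would report it (constructed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Each rule sees one event plus its parent (if known) and returns an alert label or None.
def office_spawns_shell(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    if parent and parent.image in {"winword.exe", "excel.exe"} \
            and ev.image in {"powershell.exe", "cmd.exe"}:
        return "office app spawned a shell"
    return None


def sam_hive_dump(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    cl = ev.cmdline.lower()
    if ev.image == "reg.exe" and " save " in cl and "hklm\\sam" in cl:
        return "SAM hive saved with reg.exe"
    return None


# (rule, is_seed): a seed rule fires on its own; a non-seed rule is only consulted for
# processes whose ancestry was already flagged. That dependence is what makes the
# second detection "tainted" in MITRE's sense.
RULES = [(office_spawns_shell, True), (sam_hive_dump, False)]


def detect_tainted(events):
    """Taint-propagation detector: later detections depend on an earlier one.
    Returns (alerts, recorded); recorded holds only the events it bothered to keep."""
    by_pid, tainted, alerts, recorded = {}, set(), [], []
    for ev in events:
        by_pid[ev.pid] = ev
        parent = by_pid.get(ev.ppid)
        if ev.ppid in tainted:
            tainted.add(ev.pid)            # taint is inherited down the process tree
        for rule, is_seed in RULES:
            if not is_seed and ev.pid not in tainted:
                continue                   # rule is never evaluated outside a flagged tree
            label = rule(ev, parent)
            if label:
                tainted.add(ev.pid)
                alerts.append((ev.pid, label))
        if ev.pid in tainted:
            recorded.append(ev)            # everything else is filtered out at the sensor
    return alerts, recorded


def detect_untainted(events):
    """Unfiltered detector: every event is recorded and every rule is evaluated on its own."""
    by_pid, alerts = {}, []
    for ev in events:
        by_pid[ev.pid] = ev
        for rule, _ in RULES:
            label = rule(ev, by_pid.get(ev.ppid))
            if label:
                alerts.append((ev.pid, label))
    return alerts, list(by_pid.values())


def correlate(alerts, recorded):
    """Group alerts by the root of their process tree after the fact, so related
    activity is still shown together without detection depending on it."""
    by_pid = {ev.pid: ev for ev in recorded}

    def root(pid):
        while by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        return pid

    groups = {}
    for pid, label in alerts:
        groups.setdefault(root(pid), []).append(label)
    return groups


# Constructed telemetry. Chain A: macro document -> PowerShell -> reg save.
CHAIN_A = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "winword.exe invoice.docm"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -enc JABzAD0A"),
    ProcEvent(400, 300, "reg.exe", "reg.exe save HKLM\\SAM C:\\Users\\Public\\sam.hiv"),
]
# Chain B: same objective, but the attacker swapped the first step for a script host.
CHAIN_B = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(210, 100, "wscript.exe", "wscript.exe update.js"),
    ProcEvent(310, 210, "powershell.exe", "powershell.exe -nop -w hidden -enc JABzAD0A"),
    ProcEvent(410, 310, "reg.exe", "reg.exe save HKLM\\SAM C:\\Users\\Public\\sam.hiv"),
]

if __name__ == "__main__":
    for name, chain in (("chain A", CHAIN_A), ("chain B", CHAIN_B)):
        t_alerts, t_rec = detect_tainted(chain)
        u_alerts, u_rec = detect_untainted(chain)
        print(name, "tainted  :", [l for _, l in t_alerts], "events kept:", len(t_rec))
        print(name, "untainted:", [l for _, l in u_alerts], "events kept:", len(u_rec))
        print(name, "correlated:", correlate(u_alerts, u_rec))
```

On chain A both detectors raise the same two alerts. On chain B the tainted detector raises nothing and keeps no telemetry at all, because the seed rule never fired and the hive-dump rule was never consulted; the unfiltered detector still records all four events and still flags the hive dump, and the correlation step groups it under the same explorer.exe root for the analyst.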
The power of Carbon Black has always been our ability to gather all this unfiltered endpoint data, but then correlate events and prioritize alerts so that users can clearly see what activities are related to each other and can easily address incidents and hunt for threats. Security professionals deciphering the MITRE results need to consider how resilient the detection methodology is, along with how well alerts are correlated and prioritized. With Carbon Black, you get the best of both worlds: untainted detections and intuitive event correlation.
It’s also important to note the other powerful attributes of Carbon Black that were demonstrated in the MITRE ATT&CK evaluation:
Along with zero tainted detections, these results clearly show why we outperformed all other EDR solutions in the test.
This powerful combination of unfiltered data and real time insights is exactly what customers continue to expect from us. With our recent announcement of the general availability of CB ThreatHunter on the PSC and the release of our MITRE ATT&CK Threat Feed, Carbon Black continues to rapidly innovate on our approach to endpoint security, paving the way for security professionals to see more attacks and stop more attacks, untainted and in real time.
The post Untainted By Design: How Our MITRE ATT&CK Results Demonstrate the Resilience of Carbon Black appeared first on Carbon Black.