Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation

2021-05-05T22:00:03
ID MMPC:8CC46BE74AAF7D44E67B0C67075B6661
Type mmpc
Reporter Lauren Goodwin
Modified 2021-05-05T22:00:03

Description

In MITRE Engenuity’s recent Carbanak+FIN7 ATT&CK Evaluation, Microsoft demonstrated that we can stop advanced, real-world attacks by threat actor groups with our industry-leading security capabilities.

In this year’s evaluation, we engaged our unified Microsoft 365 Defender stack, with market-leading capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Identity collaborating to provide:

  • Best overall protection: In the protection test, Microsoft Defender for Endpoint blocked all steps of the attack, and did so earliest in the attack chain compared to other vendors. This means that organizations protected by Microsoft Defender for Endpoint would have been the least affected in a real attack, as the attack would have been blocked at the very beginning.
  • Superior detection and protection on Linux: Microsoft Defender for Endpoint was one of only a handful of vendors that detected all the attack steps on Linux and blocked the attack overall, all while providing exceptional visibility into Linux file server activity.
  • Excellent detection and attack chain visibility: Microsoft provided 100 percent coverage of attack chain steps, with more than 1,700 detections combined into two comprehensive incidents representing each of the end-to-end attacks. 87 percent of the techniques were covered while maintaining security operation center (SOC) efficiency.

Coordinated detection and visibility across Microsoft 365 Defender combined with automation, prioritization, and prevention were key to stopping these advanced attacks.

It’s important to note that Microsoft operated in the ATT&CK Evaluation exactly as it does in customer environments: with out-of-the-box protection and detection delivered by automated AI and behavioral algorithms. No special “aggressive mode” was needed, nor were there any performance gaps. And while detection performance is what’s mainly measured by the evaluation, it’s equally important to see how attack activities—including alerts, techniques, and impacted assets—were correlated together into a coherent end-to-end attack story. For security teams, the user experience matters since it's critical for the SOC analyst to have the ability to investigate and respond to such attacks effectively.

Best protection means threats are prevented from affecting your assets

This year’s MITRE Engenuity Carbanak+FIN7 Evaluation offered a new benchmark: measuring whether participants are able to prevent an advanced attack. We believe empowered protection is more than attack awareness; preventing attacks is critical to successfully securing the enterprise.

While many vendors chose not to participate in the MITRE Engenuity protection evaluation, Microsoft was positioned at the top of protection test capabilities, as shown in the diagram below, by blocking the attack simulation at the earliest stage on every test. Microsoft Defender for Endpoint blocked and alerted precisely where the simulated attack could have been completely prevented, offering a clear alert story of the prevented attack.

Number of tests in which the vendor blocked the attack at earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test.

_Figure 1: Number of tests in which the vendor blocked the attack at the earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test. _

Microsoft delivers top-level cross-platform protection and detection

Microsoft Defender for Endpoint provides out-of-the-box full visibility, protection, and detection across a wide variety of platforms, including macOS, multiple Linux flavors, Android, and iOS.

This year, MITRE Engenuity emphasized the importance of cross-platform protection by including an attack on a Linux file server, including advanced techniques such as system discovery, data collection, and lateral movement across Windows and Linux using remote service or pass-the-hash. A protection test was also simulated for the Linux platform.

Microsoft earned the best coverage results in all attack steps on Linux. As the diagram below shows, Microsoft Defender for Endpoint detected 100 percent of the simulated Linux attack techniques. In the protection test, it blocked the attack at the first stage of execution, making Microsoft one of the four top vendors for Linux protection and detection.

Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the attack at the earliest stage are represented in light blue.

_Figure 2: Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the attack at the earliest stage are represented in light blue. _

An incident-based approach enables real-time threat prioritization and remediation

In the detection test, where protection was intentionally turned off, Microsoft demonstrated exceptional depth of coverage and visibility across all the 20 tested attack stages and across different platforms. Microsoft provided coverage for 87 percent of the techniques tested, representing end-to-end detection across the attack chain, including the most advanced steps.

Emulation steps executed on Linux. The number of techniques detected by vendor in blue, and ability of vendor to block the attack at the earliest stage in green.

_Figure 3: Total detection counts across vendors, showing leading detection coverage from Microsoft. Microsoft also correlated all the alerts into two incidents (representing distinct attacks), reducing alert queue noise and ensuring a more efficient and effective investigation of the attack. _

We know the pain of security teams who must deal with alert load and queue fatigue, so Microsoft Defender for Endpoint uses its deep understanding of attack patterns and progression to correlate alerts, telemetry, and impacted assets and group them into a smaller set of comprehensive incidents. In this evaluation, this correlation resulted in two incidents, one for each attack simulation, reducing the queue to just two work items to investigate. Incidents enable SOC analysts to review the entire scope of the attack, including all alerts, blocking actions, and all supporting evidence, in a single consolidated view.

Microsoft 365 security center showing an incident view for one of the two simulated MITRE attacks

Figure 4: Microsoft 365 security center showing an incident view for one of the two simulated MITRE Engenuity attacks, including all correlated alerts, detections, affected assets, and supporting evidence

Each incident provides a summary of impacted devices and users to help analysts triage and prioritize at a glance. Details of alerted attack stages and related activities are mapped to MITRE ATT&CK tactics and techniques, summarizing in common language “what was done” (techniques) and “why it was done” (tactics), along with all collected evidence. Incidents provide full visibility into telemetry, down to process execution sequences for each stage of the simulated attack scenarios, including initial access, deployment of tools, discovery, persistence, credential access, lateral movement, and exfiltration.

Microsoft delivered 100% technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 5: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Microsoft delivered 100% technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 6: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Microsoft 365 security center showing a series of related endpoint alerts

_Figure 7: Microsoft 365 security center showing a series of related endpoint alerts, demonstrating how Microsoft successfully correlated alerts together across the attack stages and exposed detailed data on each attack step. _

Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious schedule task

_Figure 8: Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious schedule task. This view offers analysts in-context expanded views of task name, technique, and the process involved, in this case, a renamed wscript.exe. _

Microsoft recently expanded the use of MITRE ATT&CK tactics and techniques across its security portfolio, including alerted execution sequences and detailed device timelines, transforming telemetry into logical attacker activities mapped to MITRE ATT&CK techniques. This further improves the investigation and hunting experience for defenders, helping to tell the story of the attack, provide rich context, and drive the response process.

Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers

_Figure 9: Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers. _

Microsoft Defender Security Center showing second day attack incident page, Evidence tab

Figure 10: Microsoft Defender Security Center showing the second day attack incident page, Evidence tab. SOC analysts can use this view to see and take one-click remedial actions on all the files, processes, IPS, and URLs involved in the attack

Unique cross-domain visibility is critical to defending against modern attacks.

The powerful capabilities of Microsoft 365 Defender originate from combining unique signals across endpoints, identity, email and data, and cloud apps. This combination of proficiencies delivers coverage where other solutions may lack visibility.

Lateral movement is a key stage in any advanced attack, where the attacker moves from asset to asset with the goal of gaining access to specific valuable information or to as many assets as possible for maximum damage. Identifying and tracking lateral movement is a critical phase in investigating attacks, establishing the scope, and removing the threat. The following are three examples of lateral movement simulated in this evaluation that were detected and exposed by Microsoft using signals from the different workloads, delivering full coverage on different aspects:

  • File transfer over SMB: Microsoft’s unique approach for detecting lateral movement attacks does not solely rely on endpoint-based command-line sequences, PowerShell strings, or file operations heuristics that can be evaded by advanced attackers. Microsoft leverages direct optics into the Domain Controller via Microsoft Defender for Identity and correlates identity signals with device telemetry via Microsoft Defender for Endpoint. Microsoft uses a combination of machine learning and protocol heuristics, looking at anomalies such as forged authorization data, nonexistent account, ticket anomaly, logon anomaly, and time anomaly. These signals are correlated with file, process, and memory operations between different devices. Microsoft 365 Defender is the only product that provided the SOC with context of the source and target machines, resources accessed, and identities involved.

Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

Figure 11: Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

  • Remote executions: Microsoft leverages exclusive signals from Microsoft Defender for Identity, which provides visibility and alerts for a large variety of anomalies in user behavior, including unexpected remote execution by a user. In the evaluation, Microsoft monitored user activity across devices and raised an automatic alert when a user was suspiciously logged in using pass-the-hash and ran a service on a new device.

Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

Figure 12: Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

  • System discovery: Microsoft Defender for Endpoint uses Anti-Malware Scripting Interface (AMSI) to detect suspicious activity in memory. While many vendors rely on process operations and command-line, in the evaluation, Microsoft identified a system discovery activity running in PowerShell memory via AMSI. Detection algorithms analyzed the script loaded to memory and identified a discovery activity executed by the PowerShell process. The activity was detected, identifying lateral movement at an early stage, when the attacker was still learning the environment, and allowing quick remediation of the attack.

Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Figure 13: Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Real-life protection delivered, as-is, out of the box

Microsoft believes protection must be provided out of the box as automated AI-driven expert systems built into our security product portfolio. Our products should require minimal to no manual custom tuning or configuration to detect and protect, and they must be optimized to reduce false alerts, which are the main cause of friction and fatigue.

We brought to the MITRE Engenuity simulation environment the exact same product that customers deploy to their production environments with no special or aggressive test-optimized settings that may affect performance or degrade real user productivity. The same level of alert coverage, accuracy (not measured by MITRE Engenuity in the test), visibility, and investigation experience is reflected in production deployments as it was in the test.

A final word

As mentioned in our initial blog on the MITRE Engenuity FIN7+Carbanak Evaluation, we are excited to collaborate and contribute to the evolution of this evaluation from one year to the next. It’s an opportunity for us to test the efficacy of our solutions and contribute to the security community as a whole. This is only one part of the greater collaboration and contribution efforts that Microsoft is focused on in the industry to strengthen defenses and respond to attacks. As we have seen in recent months, with attacks becoming more coordinated and sophisticated, community collaboration and sharing such as this can help us all take the steps needed for a safer world. We again thank MITRE Engenuity for this opportunity and very much look forward to our continued partnership and the next evaluation.

Learn more about Microsoft 365 Defender and Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation appeared first on [Microsoft Security.