The MITRE ATT&CK® framework is a global knowledge base of adversary tactics and techniques drawn from observed real-world cyber-attacks. As such, it highlights potential attack vectors and describes, in a uniform way, the “how” and “why” of a threat actor’s actions. MITRE provides a common knowledge base and vocabulary for describing attacks, ultimately benefiting end users by organizing complex information into an understandable and actionable format.
Cybersecurity vendors likewise benefit by testing their solutions against the framework and measuring the effectiveness of their tools against known attack strategies and adversarial behaviors. MITRE ATT&CK testing is transparent and the evaluation results are available to vendors and end-users alike, without commentary or bias.
The MITRE ATT&CK evaluations are not a competitive system used for selecting “winners” in the cybersecurity industry. They do not pit solutions against each other, quantitatively rate products, or score a vendor’s performance. Test results are recorded in a results matrix that shows, for each step of the emulated attack, how each vendor’s product fared against the technique or tactic used. This report contains our analysis of the MITRE ATT&CK APT29 evaluation data, since MITRE itself offers no interpretation of the test results.
Webinar: MITRE ATT&CK APT29 Evaluation: A Technical Review of BlackBerry Optics
BlackBerry Excels in the APT29 Evaluation
BlackBerry recently participated in the MITRE ATT&CK APT29 evaluation. BlackBerry® Protect, BlackBerry® Optics, and BlackBerry® Guard were tested against the attack strategies of APT29, a threat group reportedly tied to the Russian government. The APT29 group is known for carrying out high-profile attacks, including the United States Democratic National Committee breach of 2015.
BlackBerry excelled throughout these tests (see the results here), surpassing our own high expectations. MITRE employee and ATT&CK Evaluations lead, Frank Duff said, “Taken as a whole, the results indicate that the participating vendors are beginning to understand how to detect the advanced techniques used by groups like APT29, and develop products that provide actionable data in response for their users.”
The Power of Prevention
The MITRE ATT&CK APT29 evaluation did not include steps to measure a solution’s ability to prevent an attack; prevention was switched off so that every stage of the emulated intrusion could run and its detections be recorded. Nevertheless, BlackBerry Protect did identify the file dropped during the tests as malicious. In a real-world deployment with prevention enabled, BlackBerry Protect would have quarantined that file as soon as it arrived on a protected system, stopping the attack at its first stage.
As MITRE notes on its website: “Also, it should be noted that (BlackBerry) Cylance’s platform would have prevented the attacks that were conducted at many points within the kill chain, from quarantining binaries to preventing successful exploits and scripts from running; however, the platform was configured to allow these attacks to occur.”