
FortiEDR Stands Out in MITRE Engenuity’s ATT&CK Evaluations

By David Finger | May 17, 2021

MITRE Engenuity published the ATT&CK Evaluation results in April for FortiEDR, our modern endpoint security solution, which combines an endpoint protection platform (EPP) with endpoint detection and response (EDR) capabilities. In short, Fortinet’s results demonstrated strong behavior-based detection of the emulated attack techniques and tactics of Carbanak and FIN7 and, more importantly, signature-independent protection that blocked 100% of the test cases. This means that future cyber attacks that utilize similar tactics and techniques will be blocked, even if we have no pre-existing threat intelligence about them.

Since its inception, FortiEDR has taken a unique approach to deep system activity monitoring. We patented this approach, called “code tracing”, and it was on full display in the evaluation results. Early on, our threat researchers recognized that advanced threats will violate one or more legitimate operating system instructions in order to remain stealthy and unobtrusive. Further, by correlating the operating system’s outbound communication or file modification instructions with the preceding operating system instruction flow, it is possible to detect and indeed prevent malicious actions in real time, and to do so with enough accuracy that legitimate operation can continue as usual.

As a result, during the MITRE ATT&CK evaluations, FortiEDR was able to watch the emulated tactics and techniques until it reached a confidence level that was high enough to take the active step of blocking activity before the cyber attack reached its intended outcome. Given that sophisticated cyber criminals often take great pains to mimic legitimate system operation to avoid detection, verbose detection that generates a lot of noise and heavy-handed blocking that's performed too early in the attack may earn a high score in the evaluation, but in a production environment it will also lead to unacceptable effects on both the system and users in terms of false positives. When comparing our evaluation results with those of other vendors who participated, the FortiEDR differentiation became clear.

FortiEDR Stands Out Among the Rest

As an example of how FortiEDR performed, consider Protection Test 5, which is based on Step 9 and its substeps in the Detection category. In this test:

  • A program, DefenderUpgradeExec.exe, is downloaded and calls the SetWindowsHookEx API. As this is activity often exhibited by legitimate operation, FortiEDR logs a detection but does not block it.
  • Next, Java-Update.exe injects explorer.exe with CreateRemoteThread, which in turn calls the CreateCompatibleBitmap API. This program creates a screen capture which is saved to a temp file. This action is logged in the Detection category, but MITRE did not include it in the Protection Evaluation.
  • From there, explorer.exe transfers it to an external IP, 192.168.0.4. A file, infosMin48.exe, is downloaded from the same IP address. As the file has not exhibited any behavior yet, it is allowed to install.
  • This file calls the VaultEnumerateItems API from vaultcli.dll, which attempts to dump credentials out of the directory. It is at this point that the activity is deemed definitively malicious and blocked based on behavior.
  • Of note, the file would have deleted evidence of the credential theft if it had been allowed to run further.
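To make the staged "watch, log, then block" decision concrete, here is an added illustration in Python. It is not FortiEDR code and does not reproduce the product's scoring; the API weights, the block threshold of 5, and the event stream (constructed to mirror the sequence described above) are all assumptions. Each process's activity is linked into one chain along its injection or spawn lineage, per-call weights accumulate on that chain, and a verdict is issued per event: "allow" for calls with no behavioral weight (such as the initial download of infosMin48.exe), "log" while the chain is suspicious but below threshold, and "block" once the accumulated evidence crosses it. Running the same events with a lower threshold shows the early-blocking trade-off discussed earlier: the CreateRemoteThread injection alone would be stopped, which would also catch legitimate software that injects for benign reasons.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative per-API weights (assumptions, not FortiEDR's model): how much a
# single call raises confidence that a chain of activity is malicious.
API_WEIGHTS = {
    "SetWindowsHookEx": 1,        # input hooking; very common in legitimate software
    "CreateRemoteThread": 2,      # thread in another process, i.e. injection
    "CreateCompatibleBitmap": 1,  # screen-capture primitive
    "SendToRemote": 1,            # freshly written file leaves the host
    "VaultEnumerateItems": 3,     # credential vault enumeration
    # "ProcessCreate" and anything else unlisted carry no weight on their own.
}
BLOCK_THRESHOLD = 5  # assumed: block when a chain's score reaches this value


@dataclass
class Event:
    process: str                  # process performing the call
    api: str                      # API or action observed
    target: Optional[str] = None  # process injected into or spawned, if any
    detail: str = ""              # free-form context, e.g. remote address


class ChainTracer:
    """Accumulates behavioral evidence per attack chain, not per process."""

    def __init__(self, threshold: int = BLOCK_THRESHOLD) -> None:
        self.threshold = threshold
        self.parent: Dict[str, str] = {}   # process -> process that injected/spawned it
        self.score: Dict[str, int] = {}    # chain root -> accumulated weight

    def _root(self, proc: str) -> str:
        # Walk the lineage up to the chain's originating process.
        while proc in self.parent:
            proc = self.parent[proc]
        return proc

    def handle(self, ev: Event) -> Tuple[str, int]:
        root = self._root(ev.process)
        # An injected or spawned process joins the actor's chain, so later
        # behavior by the target counts toward the same verdict.
        if ev.target and ev.target != root:
            self.parent.setdefault(ev.target, root)
        weight = API_WEIGHTS.get(ev.api, 0)
        if weight == 0:
            return "allow", self.score.get(root, 0)   # no behavior to judge yet
        self.score[root] = self.score.get(root, 0) + weight
        verdict = "block" if self.score[root] >= self.threshold else "log"
        return verdict, self.score[root]


def trace(events: List[Event], threshold: int = BLOCK_THRESHOLD) -> List[Tuple[str, str, str, int]]:
    """Return (process, api, verdict, chain_score) for each event in order."""
    tracer = ChainTracer(threshold)
    out = []
    for ev in events:
        verdict, score = tracer.handle(ev)
        out.append((ev.process, ev.api, verdict, score))
    return out


# Constructed sample event stream, modelled on the Protection Test 5 narrative.
SAMPLE_EVENTS = [
    Event("DefenderUpgradeExec.exe", "SetWindowsHookEx"),
    Event("Java-Update.exe", "CreateRemoteThread", target="explorer.exe"),
    Event("explorer.exe", "CreateCompatibleBitmap", detail="screen capture to temp file"),
    Event("explorer.exe", "SendToRemote", detail="192.168.0.4"),
    Event("explorer.exe", "ProcessCreate", target="infosMin48.exe", detail="downloaded from 192.168.0.4"),
    Event("infosMin48.exe", "VaultEnumerateItems", detail="vaultcli.dll"),
]

if __name__ == "__main__":
    for proc, api, verdict, score in trace(SAMPLE_EVENTS):
        print(f"{verdict:5}  score={score}  {proc} -> {api}")
```

With the default threshold the first five events are logged or allowed and only VaultEnumerateItems is blocked, matching the walkthrough; with `threshold=2` the run stops at the injection step instead, which is the noisier, earlier blocking the post argues against for production use.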

Interestingly, this particular test case was handled quite differently by other vendors. Without calling out any one vendor in particular, we note that one group of vendors used existing threat intelligence to block the download of the initial tool, DefenderUpgradeExec.exe, which would be completely unknown in a realistic zero-day scenario. We see multiple comments from MITRE, like “infosmin48.exe was quarantined, because it was identified as malicious” or “it was identified as keylogger malware”, that make this clear.

The primary downside to this approach is that it requires previous knowledge of the file or file family to stop the attack. For a known campaign like Carbanak that knowledge is expected, but for subsequent campaigns that use the same set of techniques, it wouldn't be as effective. And if you follow the same steps in the Detection Evaluation, you can see that although there is some behavior-based detection for some steps, it is separate from the protection approach.

Another group of vendors that participated in the Protection Evaluation failed to block the attack at all despite having identified the activity using rich insights into tactics and techniques during the Detection Evaluation. This result is common among EDR start-ups that later added what they refer to as protection capabilities.

We compared the protection results of FortiEDR with two legacy EPP vendors and two EDR start-ups to see what trends emerged. What we found was:

  • One of the major EDR brands actually did apply their behavioral detection capability to the protection tests, but only stopped 70% of the test cases
  • The other EDR start-up blocked 90% of the test cases, but relied heavily on static rather than behavioral analysis
  • Both legacy EPP vendors blocked 100% of the test cases, but did so largely based on known threat intelligence

Only FortiEDR demonstrated the ability to not only block all the cyber attacks emulated in the Protection tests, but also to do it without using any known threat intelligence.

As organizations set out to select new endpoint security solutions, these results highlight the importance of clearly defining their requirements (detection, protection, or both) as well as testing them rigorously. It's a reason independent validation like the MITRE Engenuity ATT&CK Evaluations is so important.

MITRE ATT&CK Conclusion

In hindsight, assessing our Protection and Detection Evaluation results against both our own expectations and the results from other vendors in the industry, we are more proud than ever of FortiEDR. It is a true single-agent, behavior-based EPP and EDR solution with our patented code tracing innovation that provides:

  • Real-time pre- and post-execution protection
  • Robust detection of high-value, at-risk activity, without overwhelming security teams
  • A unified approach to protection, detection, and response

These results should further reinforce customer and prospect confidence in FortiEDR’s ability to identify and ultimately block future cyberattacks that use tactics and techniques similar to those emulated in the MITRE Protection Evaluations tests. We look forward to demonstrating these capabilities in your specific environment.

To further understand how we achieved that perfect Protection Evaluation, see our Evaluation results.

To see FortiEDR at work in our environment or yours, contact us for a demonstration or no-charge proof of value.

Learn more about how FortiEDR has the unique ability to defuse and disarm a threat in real-time, pre- and post-infection.