Business & Technology

FortiEDR Blocks 100% of Attacks in MITRE Engenuity ATT&CK® Evaluation for the Second Year in a Row

By Brook Chelmo | March 31, 2022

With cybercriminals continuing to “pound away at organizations (approximately 150,000 individual detections per week) with a variety of new and previously seen ransomware strains,” according to a recent FortiGuard Labs threat report, this year’s MITRE ATT&CK® Evaluations are exceptionally important. MITRE ATT&CK published their Evaluations for Enterprise, and Fortinet FortiEDR endpoint detection and response blocked 100% of the attacks. This is the second year in a row that FortiEDR blocked all attacks, and there was a 32% increase in its ability to detect substeps with nearly 100% of all techniques identified.

The MITRE ATT&CK Evaluations assess the ability of cybersecurity products to detect known adversary behavior. To provide objective insights into product capabilities, MITRE uses their Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) knowledge base to emulate the tactics and techniques observed in real-world hacker behavior.

This round of evaluations focused on the Wizard Spider and Sandworm threat groups. Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organizations, ranging from major corporations to hospitals. Sandworm is a destructive threat group known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks.

The FortiEDR Results

FortiEDR participated in all of the test scenarios, except the single Linux test, which will be performed next year. In the nine scenarios, FortiEDR detected and cataloged 97% of the 90 non-Linux steps used in the test and blocked all attacks. Additionally, 93% of the substeps were detected using “technique,” which connects a technique-level description with the technique under-test for an endpoint detection and response (EDR) solution. Our growth in the ability to diagnose threats using the MITRE framework enables FortiEDR to be a reliable tool for organizations.

As Gartner® notes, “Threat detection is hard. Security and risk management technical professionals must defend their organization against hundreds of known, and possibly even more unknown, threats. The MITRE ATT&CK framework has evolved to provide a common taxonomy for threats and foundation for threat detection."1

By embracing this standard, FortiEDR has become more intuitive to security operators, especially when threat hunting.

The results show how the mature threat hunting, detection, and prevention capabilities in FortiEDR benefit from its onboard artificial intelligence and machine learning technologies. Because FortiEDR doesn't rely on signatures (but still uses them in the cloud), future cyberattacks that utilize tactics and techniques similar to the ones in the evaluation are likely to be blocked, even without pre-existing threat intelligence about them.

Of note, Fortinet recently collaborated via the MITRE Engenuity Center for Threat Informed Defense and found that 90% of all cybercriminal techniques sighted in the last 28 months fell into only 15 categories. So the demonstrated ability to not only understand but also block based on these techniques gives organizations confidence in their ability to protect against even previously unknown ransomware campaigns. (Of note, more than 2/3 of these most common techniques were part of the Round 4 ATT&CK Evaluation.)

FortiEDR has a unique approach to deep system activity monitoring called “code tracing.” The benefits of this patented technology were apparent in the evaluation results. To remain stealthy and unobtrusive, advanced threats often violate one or more legitimate operating system instructions. By correlating the operating system’s outbound communication or file modification instructions with the preceding operating system instruction flow, FortiEDR can detect and prevent malicious actions in real-time.

The MITRE ATT&CK Evaluations demonstrate how well the true single-agent, behavior-based endpoint protection platform (EPP) and EDR approach, along with the code tracing in FortiEDR work to detect and prevent threats.

About FortiEDR

The FortiEDR solution comprehensively secures endpoints in real time, both pre- and post-infection. It delivers real-time, automated endpoint protection with orchestrated incident response across any communication device, all in a single integrated platform. FortiEDR defends everything from workstations and servers with current and legacy operating systems to point-of-sale and manufacturing controllers. Built with native cloud infrastructure, FortiEDR, which is also available in the Google Marketplace, can be deployed in the cloud, on-premises, and as a hybrid deployment.

FortiEDR includes machine learning-based next-generation antivirus, application communication control, automated endpoint detection and response, real-time blocking, threat hunting, incident response, and virtual patching capabilities. FortiEDR also leverages the broader Fortinet Security Fabric architecture by integrating with Security Fabric components such as FortiGateFortiNACFortiSandbox, and FortiSIEM. FortiEDR offers:

● Superior real-time pre- and post-execution protection
● Robust detection of high-value, at-risk activity without overwhelming security teams
● A unified approach to protection, detection, and automated response

Find out how Fortinet remains a global leader in broad, integrated and automated cybersecurity solutions: Fortinet Innovation series.

Visit the MITRE Engenuity site for the full FortiEDR results and more information about the MITRE Evaluations. And for more details about FortiEDR, read "Assess Your Endpoint Security."

[1] Gartner, How to Use MITRE ATT&CK to Improve Threat Detection Capabilities, Joshua Ammons, 30 July 2021, GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.