SESSION

We are all very familiar with MITRE ATT&CK, which analyze the tactics and techniques of known real-world hacker attacks and provide guidance on methods of detection and mitigation. MITRE started independent evaluation of EDR technologies in 2018. It has helped the technologies improve steadily over the last few years to their current level of high maturity and sophistication. According to the evaluation results, many vendors can now detect 80%, 90% of the steps of simulated attacks, while the best performing vendor can even provide 100% coverage. Does this mean we are very safe against most attacks? Unfortunately the answer is negative because in MITRE’s evaluation of EDR, the steps of simulated attack are provided to the vendors in advance, and there is no noise at all in the evaluation environment. In real-world scenario, the defender will not know what the attackers will do, and when normal employee use computer and network, they become noise that the attackers can leverage to hide their operation. It become very difficult to use EDR to accurately detect the presence of attacker in real-time because the detection mechanism is similar to “looking for a needle in a haystack,” as quoted by MITRE and most EDR vendors. In general, if the activities of the attackers have signatures that EDR can recognize, or if their behaviors are just too obvious, then accurate real-time detection can be achieved, otherwise the huge amount of alerts generated by EDR are mainly used in post-mortem analysis instead of real-time detection. This is the main reason why MITRE is now promoting the new Engage Framework, an active defense thinking to engage with the attackers in real-time, detect their presence at very early stage of the security breach, and then either cut them off or confine them in controlled areas so that the defender can observe and analyze them. This very effective new defense thinking can be used to not only catch the attackers in action to prevent damage to enterprise, but also accumulate understanding and experience against the attackers in order to fortify our defense posture.