Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:15 PM
Dark Reading
Dark Reading
Products and Releases

Attivo Networks Improves Endpoint Security as Demonstrated by MITRE ATT&CK Evaluations

When used in conjunction with leading EDR solutions, Attivo EDN technology augments the detection rates by an average of 42%.

FREMONT, Calif., June 16, 2020 – Attivo Networks®, an award-winning leader in cyber deception and attacker lateral movement threat detection, today announced the results of MITRE ATT&CK APT29 Adversary Evaluations on its Endpoint Detection Net (EDN) solution. The results demonstrate that when used in conjunction with leading EDR solutions, Attivo EDN technology augments the detection rates by an average of 42%.

To assist organizations in addressing cyber risk, MITRE created the ATT&CK model, which offers a comprehensive framework of possible attack strategies. MITRE recently began evaluating vendor EDR products to test their effectiveness against the ATT&CK framework. While MITRE does not rate or recommend tools, the methodology serves as a useful benchmark for comparison. MITRE’s evaluation methodology and all evaluation results are publicly available (https://attackevals.mitre.org/).

Using the MITRE ’Do It Yourself’ Evaluation Tool , Attivo Networks ran the test against its EDN technology. The test assessed the solution’s effectiveness against APT29 attacks in combination with leading EDR solutions. Attivo Networks used both a weighted scoring system that rewards more points for higher value detections and a flat scoring model that rewards one point for a detection belonging to any category. After being compiled, the scores of the four leading EDR solutions showed an average detection improvement rate of 42% observed. These results demonstrate that the Attivo Networks threat detection solution augmented the leading EDR solutions. MITRE also evaluated against APT3 attacks, with the EDN solution delivering similar results.

“The notion of adding deception to endpoint security is consistent with a layered defense methodology,” said Dr. Ed Amoroso, CEO of leading analyst firm TAG Cyber. “The MITRE ATT&CK evaluation criteria provides a quantitative testbed demonstrating how Attivo Networks augments leading EDR solutions evaluated by MITRE.”

“The MITRE ATT&CK evaluation clearly demonstrates Attivo’s value in detecting lateral movement, which is an important part of the framework,” said Tushar Kothari, Attivo Networks CEO. “Organizations add Attivo EDN to their security solutions to broaden their ability to protect the endpoint from additional attack vectors.”

Key takeaways from this evaluation include:

  • Each endpoint security solution fared well individually in the MITRE evaluations;
  • The EDN solution improved lateral movement detection performance in the middle phases of the ATT&CK matrix;
  • The EDN solution added greater technique visibility to enhance adversary intelligence;
  • The observed improvements were meaningful across both scoring methodologies, eliminating methodological biases;
  • Using an endpoint security solution in conjunction with the Attivo Networks EDN suite improved overall solution performance, noting that the evaluators did not double-count duplicated detections and attributed them to the EDR score.

About the ThreatDefend® Platform and EDN

The ThreatDefend® Deception Platform is a comprehensive detection solution that provides early detection across networks, endpoints, applications, data, and Active Directory. It includes the BOTsink® deception servers for decoys, the Endpoint Detection Net (EDN) suite for endpoint lateral movement detection, and ADSecure™ for Active Directory defense. Altogether, these solutions create a deception fabric that detects in-network attackers across any attack surface, whether on-premises, in the cloud, or at remote locations, regardless of attack vector. The ThreatDefend platform EDN suite strengthens endpoint defensive capabilities by detecting and alerting on attack tactics that attackers use once they manage to compromise a system to spread to other devices on the network.

Additional Resources

Learn more about these results and how Attivo Networks conducted the MITRE ATT&ACK evaluation:

About Attivo Networks
Attivo Networks®, the leader in deception technology, provides an active defense for early detection, forensics, and automated incident response to in-network attacks. The Attivo ThreatDefend® Deception Platform provides a comprehensive and customer-proven platform for proactive security and accurate threat detection within user networks, data centers, clouds, and a wide variety of specialized attack surfaces. The portfolio includes extensive network, endpoint, application, and data deceptions designed to misdirect and reveal attacks efficiently from all threat vectors. Advanced machine-learning makes preparation, deployment, and operations fast and simple to operate for organizations of all sizes. Comprehensive attack analysis and forensics provide actionable alerts and native integrations that automate the blocking, quarantine, and threat hunting of attacks for accelerated incident response. The company has won over 125 awards for its technology innovation and leadership. For more information, visit www.attivonetworks.com.



Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.