Using a Commercial Deception Solution to Improve MITRE ATT&CK Test Results for Endpoint Security

As part of its support for ATT&CK®, MITRE recently began evaluating vendor products, as a neutral authority, by testing the ability of specific solutions to detect inbound attacks based on the framework. While MITRE does not rate or recommend tools, the methodology serves as a useful benchmark for comparison. MITRE’s evaluation methodology and evaluation results are all publicly available on the MITRE website.

Using this data, Attivo Networks® conducted a study to evaluate how endpoint security solutions performed within the MITRE evaluations individually and how the performance improved when used in conjunction with the Attivo EDN suite, based on existing capability mappings and the methodology provided. Attivo Networks completed evaluations using the MITRE ATT&CK® DIY Assessment tool for both the APT3 and APT29.

In this report, Dr. Edward Amoroso, CEO of TAG Cyber, outlines the results of a recent round of MITRE ATT&CK® testing performed for four top endpoint security tools. It presents an overview of the MITRE process, along with results for augmenting several endpoint security tools with a commercial deception solution from Attivo Networks, which produced an average increase of 42% in detection rate.