Ready, Set, Turla | Everything You Need to Know Before the MITRE ATT&CK® 2023 Evaluations

The cybersecurity industry is awaiting the highly anticipated MITRE ATT&CK® Evaluations for 2023, expected to be published next week. In this comprehensive post, we provide all the essential knowledge needed to derive maximum value from the forthcoming test results.

Our journey through MITRE’s evaluations begins with exploring why MITRE embarked on this testing journey. We’ll then delve into a brief history of MITRE’s evaluations, offering insights into the inception and evolution of this industry-recognized comparative assessment.

From there, we’ll explore Turla as a potent threat to understand why MITRE has chosen to make this group its focal point. Finally, we’ll navigate the intricate technical aspects of MITRE’s methodologies, explaining how and why these evaluations provide value to enterprises as they consider their current and future investment in security products.

The Genesis | Setting the Stage

To fully understand the significance of the MITRE ATT&CK® Evaluations, it is helpful to explore their origin. MITRE, a not-for-profit organization, has been at the forefront of fostering innovation and enhancing cybersecurity frameworks. The ATT&CK® evaluations directly result from MITRE’s structured and comprehensive approach to understanding cyber threats. This initiative has witnessed remarkable growth, offering valuable insights and fostering a collaborative spirit within cybersecurity.

A Chronicle of MITRE ATT&CK® Evaluations

Let’s embark on a chronological journey through the annals of MITRE ATT&CK® Evaluations, each contributing significantly to the cybersecurity landscape.

APT3 (2018): The Inaugural Evaluation

The inaugural MITRE evaluation in 2018 cast its spotlight on APT3, also known as Gothic Panda, a China-based threat group.

Attributed to China’s Ministry of State Security, APT3 was renowned for campaigns like Operation Clandestine Fox and Operation Double Tap. Notably, during this period, APT3 transitioned from targeting U.S. victims to focusing on political organizations in Hong Kong.

This evaluation uncovered critical insights into APT3’s modus operandi, revealing a strong reliance on credential harvesting and the use of trusted operating system programs. APT3 preferred to avoid elaborate scripting techniques or leveraging post-initial access exploits. SentinelOne’s performance in this evaluation underscored its effectiveness in detecting and mitigating complex threats.

APT29 (2019): A Deep Dive into Russian Cyber Espionage

In 2019, the MITRE evaluations took a significant leap by examining APT29, a threat group attributed to the Russian government. APT29 gained notoriety for its intrusion into the Democratic National Committee in 2015. This evaluation brought to light APT29’s unwavering commitment to stealth and the use of sophisticated techniques. These included custom malware and alternate execution methods like PowerShell and Windows Management Instrumentation (WMI).

The evaluation results were published in April 2020 and provided a platform for SentinelOne to further solidify its position as a robust cybersecurity solution, effectively countering the advanced techniques employed by APT29.

Carbanak+FIN7 (2021): Unveiling Financial Threats

The 2020 evaluation thrust into the spotlight two prominent threat groups, Carbanak and FIN7, both known for targeting the financial sector, particularly in the U.S. This evaluation meticulously dissected the modus operandi of these groups, revealing their reliance on innovative tradecraft and stealth techniques. Carbanak and FIN7 were notorious for exploiting both sophisticated malware and legitimate administration tools to achieve their objectives.

Once again, SentinelOne demonstrated its impressive capabilities in this evaluation, offering solutions that effectively countered the threats posed by these financially motivated groups.

Wizard Spider & Sandworm (2022): Exploring Diverse Threat Landscapes

The 2022 evaluation constituted a deep dive into the strategies employed by two distinct groups: Wizard Spider, a financially motivated criminal group, and Sandworm, a Russian threat group known for its destructive attacks. This evaluation zoomed in on how these groups leveraged data encryption for different objectives. Wizard Spider’s focus was on ransomware campaigns, while Sandworm’s notoriety lay in data destruction.

SentinelOne’s performance during this evaluation once again demonstrated its resilience and effectiveness in countering the diverse range of threats posed by these groups. It showcased its adaptability and robustness in the face of evolving cyber threats.

Turla (2023): The Upcoming Evaluation

As we gear up for the 2023 MITRE ATT&CK® Evaluation, the spotlight shifts to Turla, a sophisticated Russian-based threat group active since the early 2000s. Turla’s targets include government agencies, diplomatic missions, military groups, research organizations, and media outlets. What sets Turla apart is its unwavering commitment to innovation and operational security.

The upcoming evaluation promises to offer a detailed analysis of Turla’s tactics, including their use of a distinctive command-and-control network and a repertoire of open-source and in-house tools. As we anticipate this evaluation, SentinelOne stands ready to demonstrate its capabilities once again, offering solutions adept at countering the sophisticated techniques employed by the Turla group.

Unraveling the Turla Campaigns: A Closer Look

Turla is not your ordinary cyber threat actor; they stand as a testament to the evolving sophistication of cyber adversaries. Since the early 2000s, this Russian-based group has left an indelible mark on victims spanning over 45 countries. Their targets encompass a wide spectrum, including government agencies, diplomatic missions, military groups, research institutions, and media outlets. However, what distinguishes Turla from the rest is their unwavering commitment to innovation and operational security, making them a formidable force in the cyber realm.

Targeted Intrusions and Innovative Stealth

Turla’s modus operandi revolves around precision and stealth. They begin by establishing a foothold within their target environment. Once inside, they meticulously enumerate victims while leaving a minimal footprint. This often involves the use of in-memory or kernel implants, making detection and attribution a challenging task.

Crossing OS Boundaries

Turla is not confined to a single operating system. They are equally adept at targeting both Linux and Windows infrastructure, showcasing their adaptability and versatility. This flexibility enables them to breach a wide range of organizations, regardless of their technology stack.

Open Source and In-House Tools

One of Turla’s distinguishing features is their extensive toolkit. They combine open-source tools with custom, in-house-developed malware, creating a potent arsenal that can bypass traditional security measures. This blend of publicly available utilities and proprietary malware keeps defenders on their toes.

A Unique Command-and-Control Network

Turla employs a distinctive command-and-control (C2) network to maintain control over their operations. This network infrastructure is carefully designed to evade detection and attribution, further emphasizing Turla’s commitment to operational security.

MITRE ATT&CK® Evaluation Methodology

Understanding MITRE’s evaluation methodology is key to deriving meaningful insights from the upcoming test results. MITRE’s evaluations are designed to emulate real-world threat scenarios, providing a controlled environment where cybersecurity solutions are tested. Here’s a brief overview of MITRE’s evaluation process:

ATT&CK® Framework

MITRE’s evaluations are deeply rooted in the ATT&CK® framework, a foundational component that shapes the entire evaluation process. ATT&CK®, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a curated knowledge base that categorizes the actions and behaviors exhibited by cyber adversaries. It serves as the bedrock upon which realistic threat scenarios are constructed.

Within the ATT&CK® framework, adversaries’ tactics and techniques are systematically documented. These tactics encompass the overarching objectives cyber adversaries seek to achieve, while the techniques detail the specific methods employed to realize these objectives. Furthermore, the framework includes information on common knowledge—crucial insights into adversaries’ operations. This structured categorization allows for a granular and comprehensive examination of cybersecurity solutions’ capabilities in the face of diverse threats.

Transparent Methodology

MITRE maintains open communication throughout the evaluation process and provides detailed information regarding the techniques and procedures implemented in each scenario.

By divulging the inner workings of the evaluation, MITRE aims to enable vendors and practitioners to gain insights into the evaluative criteria, fostering a more informed and engaged community. Transparency ensures that all parties comprehend the evaluation’s objectives, making the results credible and valuable for improving cybersecurity solutions.

Real-World Relevance

MITRE’s approach to evaluations is rooted in the aspiration to mirror the challenges confronted by real-world cybersecurity professionals. The scenarios and threat actors portrayed in the evaluations are designed to replicate the complex and dynamic nature of actual cyber threats.

This real-world relevance ensures that the evaluation results are not just academic exercises but directly applicable to the ever-evolving threat landscape and enables vendors and practitioners to gauge the practical effectiveness of cybersecurity solutions. The results reflect the solutions’ capabilities in mitigating the types of threats and tactics that organizations face daily. This approach aids organizations in making informed decisions about their cybersecurity posture and technology investments.

Continuous Improvement

MITRE actively seeks feedback and insights to enhance the evaluation process continually. This iterative approach ensures that the evaluations remain relevant, rigorous, and capable of adapting to the ever-shifting cybersecurity landscape.

MITRE ATT&CK® Evaluation Technical Nuances

MITRE’s evaluations delve deep into technical nuances to comprehensively assess cybersecurity solutions. Here are some key technical aspects that deserve attention:

  1. Technique Scope: In each evaluation, MITRE defines the scope of techniques and tactics under examination. This scope is essential for participants and observers to understand the specific areas where cybersecurity solutions will be tested. It delineates the boundaries of the evaluation, providing clarity on the techniques that vendors and practitioners should focus on.
  2. Environment Configuration: MITRE conducts evaluations in a controlled environment, often leveraging cloud services to efficiently provision and manage resources. This environment closely mimics an on-premises setup, ensuring the evaluation results remain relevant to real-world scenarios. The evaluation environment enables participants to showcase how their solutions perform in a simulated but authentic cybersecurity landscape.
  3. Detection and Protection Categories: MITRE classifies detection and protection capabilities into main and modifier categories. These categories play a pivotal role in evaluating cybersecurity solutions. Main categories assess the level of context provided to analysts, while modifier categories offer additional insights that describe the event in more detail. Evaluators use these categories to gauge the effectiveness of protection mechanisms and the depth of information available to analysts. This categorization facilitates a structured and systematic evaluation of each solution’s performance in detecting and mitigating threats.

Understanding these technical nuances provides a solid foundation for comprehending the depth and rigor of MITRE ATT&CK® Evaluations. It showcases the precision and granularity with which cybersecurity solutions are assessed, helping vendors and practitioners navigate the intricate landscape of cybersecurity technology and defense capabilities.

Conclusion

The MITRE ATT&CK® Evaluations have become a cornerstone of the cybersecurity landscape, providing a platform for testing and improving cybersecurity solutions. As we await the results of the 2023 evaluation focusing on Turla, we have explored the history of MITRE’s evaluations, the technical nuances of the testing methodology, and the intricacies of the Turla threat.

Stay vigilant, stay informed, and leverage the forthcoming test results to bolster your organization’s defenses against evolving cyber threats. MITRE’s commitment to transparency and rigor ensures that the insights gained from these evaluations are invaluable in the ongoing battle for cybersecurity.

In the ever-evolving realm of cybersecurity, knowledge is power. Equip yourself with the knowledge that MITRE’s evaluations provide, and let it serve as a beacon of resilience against the ever-persistent forces of cyber adversaries.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.