Cyber strategy

MITRE ATT&CK to evaluate an EDR

MITRE ATT&CK not only provides a framework for evaluating detection capabilities, threat hunting, risk management, threat intelligence... it also provides an evaluation grid to assess EDR and cybersecurity tools capacities.
4 min

How to leverage MITRE ATT&CK Engenuity evaluation to assess an EDR relevance in terms of threat detection, analysis and response, in relation to your needs? 

Here are important aspects to be challenged to ensure the enhancement of your cybersecurity defense with the EDR solution you plan to subscribe to. 

What attacks tactics and technics is the EDR able to detect? 

Evaluate the EDR alignment with the MITRE ATT&CK framework allows to assess how well the solution can identify a diverse array of techniques across different stages of the attack lifecycle, such as: 

  • Weaponization (Reconnaissance, Resource development, Initial access, Execution), 
  • Delivery (Persistance, Privilege escalation), 
  • Exploitation (Defense evasion, Credential access), 
  • Installation (Discovery, Lateral movement), 
  • Command & Control (Collection, Command and control), 
  • Actions on objectives (Exfiltration and impact), 

… and their many sub-techniques. 

Mapping the EDR detection capabilities with MITRE ATT&CK framework enables to identify the solution capacity to deliver the required alerts, and on what specific attackers techniques.  

How does the EDR integrate Threat Intelligence and updates? 

Is the EDR able to integrate external threat intelligence feeds that include MITRE ATT&CK data – notably with connectors? 
It’s an important aspect to assess to improve detection regarding the context of the organization that necessarily changes over time. It’s also relevant in order to contextualize alerts and to be able to define priorities in the event of a security incident 

Also, beyond MITRE ATT&CK framework, the EDR provider’s ability to integrate new tactics or techniques into their detection capabilities is crucial in an ever-evolving threat landscape. This ability to stay up to date also ensures optimal protection of the Information System over time. 

In other words, MITRE ATT&CK is helpful to assess a tool detection capacity, but the solution must also continuously involve R&D in order to stay up to date regarding emerging threats. 

How the EDR displays reports and data? 

Does the EDR include reporting and visualization tools that utilize the MITRE ATT&CK framework?  
Reports and dashboards that follows MITRE ATT&CK’s mapping help to monitor tactics and techniques set out in this framework.  
It enables to prioritize protection against these specific threats, and to identify among them the ones that weigh the more heavily on the organization. 

In that perspective, the more the tool gives access to data, the more security events can be contextualized and prioritized, and the more EDR is relevant to help investigations.  
For example, in the event of an attack, it enables analysts to understand where the attacker went through. Finally, if the data can be linked to MITRE framework, it’s also useful for understanding the course of the attack through this framework. 

 

The priority: make it easier for experts to foil attacks 

MITRE ATT&CK framework is useful for a wide range of cybersecurity players, and MITRE ATT&CK Engenuity evaluation is an internationally famous test serving as a benchmark for professionals and decision-makers in the cybersecurity industry.  
 
Evaluating a cybersecurity solution in the light of this tool helps to ensure advanced detection capabilities. 

Also bear in mind that this framework allows to perform unit tests, and an attack in the field can be far different. 
 
In practical terms, MITRE allows to test a tool’s ability to detect attack techniques, but each technique can be implemented in many different ways, and it’s very hard for any tool to prevent from absolutely all the ways to put this technique into practice.  
This is why, rather than validating a detection list according to a predefined frame of reference, the real stake is rather to be able to detect any suspicious behavior in order to be able to respond. 
 
For example, to break in, a burglar can force the door (that’s their technique), and they can force it with a crowbar, by picking the lock, with a battering ram… So the most important thing is to be able to detect the abnormal behavior or intrusion, beyond the precise detection of the tool used to do so. 

MITRE should therefore be seen as a means of assessing a tool’s ability to correctly detect attack techniques (and just one may be enough) with the right level of criticality that will prompt action to counter the attacker, and not as a list from which 100% of the boxes need to be ticked. 

MITRE thus enables to make a selection of tools on which to spend time with a view to carrying out a POC. During this POC, you can test the EDR in the field in your own context, and for analysts, evaluate its relevance to validate that the solution meets the needs of your organization. 

Key points to evaluate an EDR with MITRE


Find out more about MITRE ATT&CK assessment and framework,
and about the testing process: