Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise

MITRE ATT&CK® Evaluations help organizations better understand how effectively EDR and XDR solutions can protect against sophisticated, multi-stage attacks. In the latest evaluation, Sophos XDR achieved:

  • Highest possible (‘Technique’) ratings for 100% of adversary activities in the Windows and Linux ransomware attack scenarios
  • Highest possible ('Technique') ratings for 78 out of 80 total adversary activities across all three comprehensive scenarios


Download evaluation brief
Learn more about Sophos XDR


2024 MITRE ATT&CK® Evaluations: Enterprise (Round 6)

MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. They emulate the tactics, techniques, and procedures (TTPs) leveraged by real-world adversarial groups and evaluate each participating vendor’s ability to detect, analyze, and describe threats, with output aligned to the language and structure of the MITRE ATT&CK® Framework.

Round 6 focused on behaviors inspired by three known threat groups, presented as two themes: a DPRK scenario on macOS, and two ransomware scenarios (CL0P and LockBit) on Windows and Linux.

  • Democratic People's Republic of Korea (DPRK)
    The evaluation emulated DPRK adversary behaviors targeting macOS via multi-stage operations, including privilege elevation and credential theft.
  • Ransomware (CL0P and LockBit)
    The evaluation emulated behaviors prevalent across campaigns using CL0P and LockBit ransomware, including abuse of legitimate tools and disabling of critical services.

Evaluation results

Sophos achieved full ‘technique’ level coverage — the highest possible rating — for 78 out of 80 adversary activities (sub-steps) across three comprehensive attack scenarios.


Interpreting the ATT&CK Evaluations results

Understand the ratings and categorizations in this Enterprise round.


Each adversary activity (called a ‘sub-step’) emulated by MITRE during the evaluation receives one of the following ratings. The rating indicates the solution’s ability to detect, analyze, and describe the adversary activity, with output aligned to the language and structure of the MITRE ATT&CK® Framework. The three analytic ratings form a ladder: each one includes the criteria of the rating below it.

  • Not applicable — a “miss”: The adversary activity was not detected, or the evaluation for the sub-step was not completed.
  • None: Execution of the sub-step was successful; however, the evidence provided by the vendor does not meet the documented Detection Criteria, or no evidence of Red Team activity was provided. No modifiers, notes, or screenshots are included with a None.
  • General: The solution autonomously identified that the malicious/suspicious event(s) occurred and reported the What, Where, When, and Who.
  • Tactic: In addition to the criteria for a ‘General’ rating, the solution also provides information on the attacker’s potential intent; the Why, aligned to MITRE ATT&CK Tactics.
  • Technique — the highest possible rating: In addition to the criteria for a ‘Tactic’ rating, the solution also provides details on the attacker’s method for achieving a goal; How the action was performed.

Detections classified as General, Tactic, or Technique are grouped under the definition of Analytic Coverage, which measures the solution’s ability to convert telemetry into actionable threat detections.

Sophos achieved full ‘technique’ level coverage — the highest possible rating — for 78 out of 80 adversary activities (sub-steps) in this evaluation.

Learn more about the detection categories on the MITRE website

Detection quality is critical for providing security analysts with the information to investigate and respond quickly and efficiently. This chart compares the number of sub-steps that generated a detection providing rich detail on the adversarial behaviors (analytic coverage) and the number of sub-steps that achieved full 'technique' level coverage, for each participating vendor.

MITRE does not rank or rate participants of ATT&CK Evaluations.
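Because MITRE publishes per-sub-step ratings rather than a score, anyone comparing vendors ends up rolling the ratings up themselves. The script below does that roll-up using the rating definitions above: General, Tactic and Technique count toward analytic coverage, and only Technique counts toward technique-level coverage. It is an added example, not Sophos or MITRE code; the input is a constructed list that reproduces the per-scenario totals quoted on this page (the real per-sub-step ratings are on MITRE's site), and the two non-Technique DPRK ratings are assumed to be 'General' and 'None', which does not affect the totals.

```python
"""Roll up per-sub-step ATT&CK Evaluations ratings into the two numbers this page
quotes: analytic coverage (General, Tactic or Technique) and technique-level coverage.

Added example; it is not Sophos or MITRE code. The input is a constructed,
simplified list, not MITRE's published results format.
"""
from dataclasses import dataclass

# Rating ladder for this round, lowest to highest. Each analytic level includes the
# criteria of the level below it (Technique implies Tactic implies General).
RATINGS = ("N/A", "None", "General", "Tactic", "Technique")
ANALYTIC = frozenset({"General", "Tactic", "Technique"})


@dataclass(frozen=True)
class SubStep:
    scenario: str
    step_id: str
    rating: str


def coverage(substeps, scenario=None):
    """Return (total, analytic, technique) counts for one scenario, or all if None.

    Unknown rating strings are rejected rather than silently counted as misses, so a
    typo in hand-entered results cannot inflate or deflate the coverage figure.
    """
    rows = [s for s in substeps if scenario is None or s.scenario == scenario]
    for s in rows:
        if s.rating not in RATINGS:
            raise ValueError(f"unknown rating {s.rating!r} for sub-step {s.step_id}")
    analytic = sum(s.rating in ANALYTIC for s in rows)
    technique = sum(s.rating == "Technique" for s in rows)
    return len(rows), analytic, technique


def pct(part, whole):
    """Whole-number percentage, matching how the page reports 20/21 as 95%."""
    return round(100 * part / whole) if whole else 0


def summarize(substeps):
    """Per-scenario and overall coverage as {scenario: (total, analytic%, technique%)}."""
    out = {}
    for scenario in sorted({s.scenario for s in substeps}) + [None]:
        total, analytic, technique = coverage(substeps, scenario)
        out[scenario or "ALL"] = (total, pct(analytic, total), pct(technique, total))
    return out


def constructed_results():
    """Constructed ratings that reproduce the counts on this page (assumption: the
    DPRK sub-step with analytic but not technique coverage is 'General', and the one
    below analytic coverage is 'None'; the real ratings are on MITRE's site)."""
    ratings = {
        "DPRK": ["Technique"] * 19 + ["General", "None"],
        "CL0P": ["Technique"] * 19,
        "LockBit": ["Technique"] * 40,
    }
    return [
        SubStep(name, f"{name}-{i + 1}", r)
        for name, rs in ratings.items()
        for i, r in enumerate(rs)
    ]


if __name__ == "__main__":
    for scenario, (total, a, t) in summarize(constructed_results()).items():
        print(f"{scenario:8} sub-steps={total:3} analytic={a:3}% technique={t:3}%")
```

Feeding the same function a different vendor's per-sub-step ratings gives directly comparable figures, which is what the chart referenced above shows; the rejection of unknown rating strings matters because a quiet miscount is the easiest way to misstate a vendor's coverage.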


Download evaluation brief

Evaluation attack scenarios

The evaluation comprised 80 adversary events (sub-steps) across three attack scenarios.

Attack scenario 1: DPRK (macOS)

North Korea has emerged as a formidable cyber threat, and by expanding its focus to macOS, they have gained the ability to target and infiltrate additional high-value systems. In this attack scenario, the MITRE team used a backdoor from a supply chain attack, followed by persistence, discovery, and credential access, resulting in the collection and exfiltration of system information and macOS keychain files.

  • 4 steps | 21 sub-steps | macOS only
  • Sophos XDR detected and provided rich ‘analytic’ coverage for 20 out of 21 (95%[1]) sub-steps in this scenario
  • 19 sub-steps were assigned ‘technique’ level categorization — the highest possible rating

See the full results for this scenario on the MITRE website

Attack scenario 2: CL0P Ransomware (Windows)

Active since at least 2019, CL0P is a ransomware family affiliated with the TA505 cyber-criminal threat actor (also known as Snakefly) and is widely believed to be operated by Russian-speaking groups. In this attack scenario, the MITRE team used evasion techniques, persistence, and an in-memory payload to perform discovery and exfiltration before executing ransomware.

  • 4 steps | 19 sub-steps | Windows only
  • Sophos XDR detected and provided full ‘technique’ level coverage of 100% of sub-steps

See the full results for this scenario on the MITRE website

Attack scenario 3: LockBit Ransomware (Windows and Linux)

Operating on a Ransomware-as-a-Service (RaaS) basis, LockBit is a notorious ransomware variant that has gained infamy for its sophisticated tools, extortion methods, and high-severity attacks. In this attack scenario, the MITRE team gained access using compromised credentials, ultimately deploying an exfiltration tool and ransomware to stop virtual machines and exfiltrate and encrypt files.

  • 8 steps | 40 sub-steps | Windows and Linux
  • Sophos XDR detected and provided full ‘technique’ level coverage of 100% of sub-steps

See the full results for this scenario on the MITRE website


[1] Sophos XDR generated alerts for all 80 adversary activities (sub-steps) in the evaluation and achieved an ‘analytic coverage’ rating for 79 out of 80 sub-steps. The alert generated for one sub-step in the DPRK (macOS) attack scenario did not rise to an ‘analytic coverage’ detection level based on MITRE’s detection category definitions.

Why we participate in MITRE ATT&CK® Evaluations

MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. Sophos is committed to participating in these evaluations alongside some of the best security vendors in the industry. As a community, we are united against a common enemy. These evaluations help make us better, individually and collectively, for the benefit of the organizations we defend.

19 EDR/XDR security vendors participated in this evaluation:


Other MITRE ATT&CK® Evaluations

Sophos participates in ATT&CK® Evaluations for both Enterprise solutions and Managed Services, consistently achieving impressive results that validate our position as an industry-leading cybersecurity vendor.

A market leader in detection and response solutions

Get started with Sophos XDR

See how Sophos can streamline your detection and response and drive superior outcomes for your organization.

Learn more about Sophos XDR