What the 2023 MITRE ATT&CK Evaluation Results Mean for SonicWall Users

Note: Previously, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check out these blogs (Part 1 and Part 2) if you haven’t already.

The 2023 MITRE ATT&CK® Evaluations focused on the adversary Turla, a Russia-based threat group active since at least the early 2000s. Turla is known for deploying sophisticated proprietary tools and malware. It has targeted victims in over 45 countries, spanning a range of critical industries and infrastructure such as government agencies, diplomatic missions, military groups, research and education facilities, and media organizations.

But while Turla is unquestionably a formidable adversary, it proved no match for the SentinelOne-powered SonicWall Capture Client, as we’ll explore below.

Understanding MITRE ATT&CK and SonicWall Capture Client

Before we dive in, however, a bit of background on the MITRE ATT&CK evaluations and SonicWall Capture Client is likely to be helpful:

MITRE ATT&CK Evaluations: ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge.” It’s designed to be a common language, the components of which are used in endless combinations to describe how threat actors operate. The MITRE Engenuity ATT&CK Evaluations are based on the MITRE ATT&CK knowledge base, a globally accessible repository of threat actor behaviors and techniques observed in real-world cyberattacks. The evaluations provide transparency and insight into how well different cybersecurity solutions can detect and prevent these tactics, as well as how they present relevant information to end users.

SonicWall Capture Client Endpoint Security: SonicWall Capture Client is a cutting-edge endpoint security solution powered by the SentinelOne Singularity platform. It leverages multiple layers of security – including real-time behavior monitoring, anti-ransomware technology and malware prevention – to automatically detect and prevent malicious activity in real time, without relying on signatures, rules or human intervention.

To reduce alert fatigue, Capture Client automatically stitches together related alerts, providing analysts with a full view of detections across all covered attack vectors correlated into several incidents.

Capture Client’s built-in, autonomous EDR provides automation and orchestration capabilities for rapid response and remediation actions. What’s more, Capture Client’s synergy with the rest of the SonicWall platform allows for increased visibility and protection both on and off the network.

The 2023 MITRE ATT&CK Evaluations

The 2023 MITRE ATT&CK Evaluations emulated Turla to test 30 cybersecurity vendors on their ability to detect and respond to an advanced real-world threat. Evaluation results are available on the official website, where you can view and compare the test data of each vendor across 143 sub-steps that represent the attack sequence of Turla. You can also filter the results by different criteria, such as detection type, telemetry type, platform or technique.

The test data consists of three main categories:

  • Visibility: Evaluates whether the vendor was able to detect a specific sub-step of the attack sequence and what type of telemetry (e.g., process, file, registry, network) was used to provide that detection. The higher the visibility score, the more sub-steps were detected by the vendor.
  • Analytic Quality: Evaluates the quality of the detection analytics (e.g., rules, signatures, models) used to identify a specific sub-step of the attack sequence. The analytic quality score ranges from 1 (lowest) to 5 (highest) based on criteria such as specificity, relevance, timeliness, accuracy and completeness. The higher the analytic quality score, the better the detection analytics were at capturing the adversary’s behavior.
  • Configuration Change: Evaluates whether the vendor required any configuration changes (e.g., enabling or disabling features, modifying settings) to achieve a specific detection. The configuration change score ranges from 0 (no change) to 2 (major change) based on criteria such as complexity, impact and documentation. The lower the configuration change score, the fewer changes were needed by the vendor.

SentinelOne: Once Again at the Front of the Pack

SonicWall customers trust our SentinelOne-powered Capture Client to protect them from the most advanced threats. In this year’s Evaluations, the exact agent, platform and features used to safeguard SonicWall users every day detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations or bolt-on features.

It outperformed all other vendors in terms of detection and prevention capabilities, as well as analytic quality and configuration changes.

Figure 1 shows exactly what Capture Client (SentinelOne) achieved:

Figure 1: SentinelOne MITRE ATT&CK Evaluation results

These results highlight how the SentinelOne Singularity platform maps directly to the MITRE ATT&CK framework to deliver unparalleled detection and prevention of advanced threat actor tactics, techniques and procedures (TTPs). SentinelOne Singularity XDR also provides real-world information to defenders without any configuration changes4 – because there are no re-tests in the real world.

Figure 2: A closer look at SentinelOne evaluation results.

By choosing Capture Client (SentinelOne) for your organization, your organization can benefit from:

  • Autonomous Protection: Automatically detect and prevent malicious activity in real time across all attack surfaces.
  • High-Quality Analytics: Leverage high-quality analytics of threat behavior with specificity, relevance, timeliness, accuracy and completeness.
  • Zero Configuration Changes: Enjoy optimal performance without any configuration changes, reducing complexity and overhead
  • Real-Time Visibility: Gain comprehensive visibility into the attack sequence and timeline, as well as threat intelligence, indicators of compromise (IOCs), root cause analysis and remediation steps.
  • Automation and Orchestration: Automate and orchestrate response and remediation actions with protection that integrates with other security tools and platforms.

Figure 3: Capture Client provides real-time visibility with Attack Storyline, which displays an attack in its entirety and combines alerts and individual events into a single, comprehensive view.


The MITRE ATT&CK Evaluation provides transparent and objective data, which allows vendors and users the ability to compare different cybersecurity solutions based on their ability to detect and prevent real-world threats. For those looking to purchase a reliable and effective cybersecurity solution, these results can help determine which one best suits their needs and goals.

For four consecutive years, SonicWall Capture Client has proven its industry-leading detection and protection capabilities in the MITRE ATT&CK Enterprise Evaluations. You can request a demo or a free trial of Capture Client, or compare SonicWall Capture Client (SentinelOne) with other vendors on MITRE Engenuity’s website.

Understanding the MITRE ATT&CK Framework and Evaluations – Part 1

The world as we know it is changing around us. The pandemic has acted as a major driver for digital adoption, and the need to increase the risk barrier has kept security teams on their toes. As traditional security techniques and methods evolve, there is a need to re-evaluate the way we think about detecting and reacting to a security incident.

At SonicWall, we are enthusiastic supporters of the work on the MITRE Engenuity ATT&CK framework, which seeks to define and continually expand a common cybersecurity language that describes how adversaries operate. This matters to you because ATT&CK Evaluations are both a unifier and a force multiplier for the people on security’s front line.

What Is the ATT&CK Framework?

The cyber adversaries we deal with today exhibit complex behaviors while trying to evade the defenses we have implemented. They develop increasingly sophisticated methodologies and approaches to achieve their objectives. They weave legitimate and atypical behaviors into different attack tapestries. And they all know what they’re after.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). MITRE Engenuity ATT&CK is a globally accessible knowledge base of cybercriminal behavior based on real-world observations. Its purpose is to be a common language whose components are used in endless combinations to describe how threat actors operate.

Consider this generic example for an attack methodology targeting exfiltration:

represent the “why” of an ATT&CK technique or sub-technique. We can describe the attack methodology as employing five Tactics — step 1: initial access through to step 5: exfiltration. The MITRE Engenuity ATT&CK framework currently consists of 14 tactics as seen in the Enterprise navigator tool.

The second key concept is the Techniques or Sub-Techniques employed within each tactical phase. For example, to achieve initial access, the adversary may send a phishing email with a link to a compromised website that takes advantage of an unpatched browser flaw. The ATT&CK framework currently consists of 200+ techniques and sub-techniques organized under the 14 tactics.

Procedures are the specific ways the adversary implements the techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed-in-the-wild use of techniques. The ATT&CK framework has a documented list of 129 threat actor groups that cover a very broad set of procedures (using software or otherwise).

For more details, we recommend you take the guided tour from the ATT&CK website.

Why Do MITRE Engenuity ATT&CK Evaluations Matter?

MITRE Engenuity ATT&CK Evaluations emulations are constructed to mimic an adversary’s known TTPs. The emulations are conducted in a controlled lab environment to determine each participating vendor’s product efficacy. The aim is to put together a complete, logical attack simulation that moves through all the stages of a comprehensive, successful attack — from initial compromise to persistence, lateral movement, data exfiltration and so on.

Doing so offers three main benefits:

  1. We gain insight into the adversary’s game plan in terms of combinations of tactics and techniques.
  2. We can clearly communicate the exact nature of a threat and respond faster with greater insight.
  3. When we understand who our typical adversaries are and how they attack us, we can proactively design defenses to blunt them.

MITRE Engenuity points out that it is a “mid-level adversary model,” meaning that it is not too generalized and not too specific. High-level models like the Lockheed Martin Cyber Kill Chain illustrate adversary goals, but aren’t specific about how the goals are achieved. Conversely, exploit and malware databases specifically define IoC “jigsaw pieces” in a giant puzzle but aren’t necessarily connected to how the bad guys use them, nor do they typically identify who the bad guys are.


ATT&CK Evaluations focus on how detections occurred as each test moves through its steps. In its evaluation guide, MITRE Engenuity points out that not every detection is of the same quality. It’s pretty clear that, while a “Telemetry” detection is minimally processed data related to an adversary behavior, a “Technique” detection sits at the other end of the quality spectrum — it’s information-rich and orients the analyst at a glance. Consistent technique-driven detections are ideal for organizations that want more out of their tools.

In general, vendor tools ideally should automate real-time context creation related to adversary moves and bubble that up into the tool with as few alerts as possible. The more Techniques a tool can automatically provide and then aggregate into single incident alerts, the more the tool is automating the security function. This is critical for driving mean time to respond to as close to zero as possible.

In Part 2, we’ll take a look at the value the ATT&CK framework delivers to security leaders and decision-makers, and how SonicWall’s Capture Client powered by SentinelOne’s technology delivers capabilities that epitomize the ATT&CK framework.