Advancing a Scientific Approach to Security Tool Evaluations with MITRE ATT&CK™

Presented at ShmooCon XV (2019), Jan. 19, 2019, 3 p.m. (30 minutes).

As security practitioners, we struggle with what products we should buy and how we can cut through the marketing to figure out what products do. As the community has recognized the need to find adversaries post-compromise, a multitude of Endpoint Detection and Response (EDR) products have popped up on the market, but consumers have had limited information to help them decide which is right for them. To help fill this gap, MITRE conducted impartial evaluations of vendor capabilities in an effort to increase transparency and drive the EDR market forward. Using the common lexicon of the ATT&CK knowledge base, MITRE used a purple-teaming approach to evaluate vendor capabilities. In November 2018, we publicly released our methodology and results showing detection capabilities for 90 ATT&CK-based procedures derived from real threat intelligence. This talk will explain the approach the MITRE team used as well as the challenges we faced in articulating how detections happen. The presenter will explain how you can use our publicly available methodology and results to make decisions about products as well as perform your own evaluations.

Presenters:

  • Francis Duff
    Frank Duff (@FrankDuff) is a Principal Cyber Operations Engineer for The MITRE Corporation and is the ATT&CK-based Evaluations Lead. Frank is also the lead for MITRE’s Leveraging External Transformational Solutions research and development effort that works with commercial cybersecurity vendors to accelerate their adoption by the government community. His work has focused on endpoint security, particularly in forming public-private partnerships to drive product improvement. Frank most recently briefed at “A Conference on Defense” and “SecureWorld Boston” in 2018. He has a BS in Computer Engineering and an MS in Cybersecurity from Syracuse University.
