Update: For more information on the 2021 MITRE ATT&CK evaluations see the blog post: Decoding the MIRE Engeneuity ATT&CK Evaluations 2021 results.
We also review ways the MITRE ATT&CK evaluations can help you reduce cybersecurity operational cost in this post.
- - - - - - - - - - - - - - - - -
Below are the results from the 2020 MITRE Evaluation published in April 2020
Apr 21st saw much anticipated release of the MITRE ATT&CK® Evaluation framework. With many vendors claiming success in MITRE ATT&CK latest Evaluation results, it may be difficult to read between the noise and discover which solution makes most sense for your organization.
While we at Bitdefender also provide focused competitive charts, we also include full competition views, showcasing the superiority of our technologies across the entire vendor landscape, in tests that we considered representative to our market segments.
In the latest ATT&CK Evaluation, Bitdefender shined at actionable detections & alerts across every steps of the entire attack chain, confirming its top fit for resource and skill constrained midsized organizations that are eager to extend their EDR capabilities but are concerned about the complexity of these solutions.
If you are looking to consider Bitdefender as an EDR vendor based on ATT&CK, here are some key categories from ATT&CK which best match the needs for this type of organizations and how Bitdefender stacks up against each of them.
Gain the most complete and meaningful coverage of the attack chain
The best place to start in evaluating ATT&CK results for any company is how well a vendor covered the 19-step attack chain, from initial compromise to final privilege escalation.
ATT&CK results show unequivocally how Bitdefender achieved maximum coverage in the entire attack chain, after not missing a single step. Aside from breadth of coverage, Bitdefender is also surfacing multiple detections in each step for techniques, tactics and general -- the most relevant categories for mid-sized organizations and MSPs who are often resource, skills and time-constraint and are looking for the most accurate processed EDR data, not just telemetry.
The chart below displays a stripped-down view of our core competition in these markets. You can also preview here a full chart against all participant vendors.
Why focus on General, Tactic and Techniques? According to MITRE’s definitions, the final 3 detection categories are the most contextual ones. While Telemetry requires internal security expertise that will search through historical data, and MSSP are indicators provided by external managed detection and response services, the final three categories are those than provide most intuitive detection delivered directly by the product, for internal security operating teams.
For example, while a telemetry detection would look tell you at a command line output that a certain command was run by a workstation by a given username, a technique detection would tell you that a process tried to perform an unauthorized lateral movement (in Bitdefender’s case, as part of a visually rich representation).
Increase chances of pinpointing sophisticated attacks. Receive the most contextual detections across the entire attack chain
Bitdefender not only covers all attack chain steps with high-quality detection categories, but it also provides a high number of techniques, tactics and general detections across the entire key chain.
Bitdefender was able to produce a total of 97 detections across the entire 19 attack steps. Since these numbers are also focused on the top 3 most context-rich detections according to MITRE, organizations that are looking for breadth of visibility will receive from Bitdefender the indicators of suspicious activities across the entire attack chain.
This confirms that security admins will have the best chances of spotting suspicious activities indicating a sophisticated undergoing attack, as well as multiple chances to immediately pinpoint and stop the attack chain before information is exfiltrated.
These scores can be obtained easily just by deselecting first three categories from the MITRE ATT&CK representation. It will showcase how each vendor does in providing meaningful detections across every step an attack takes, from the initial compromise all the way the exfiltration and covering traces. The greener the data representation is, the more insightful it becomes for a security team.
Screenshot from MITRE ATT&CK Evaluation of APT29 showcasing Bitdefender detects every step of the entire attack with meaningful detections, excluding raw categories (telemetry and MSSP) and none.
Note: Clean Up step presented in the chart is no longer taken into account by MITRE
Actual MITRE definitions from their website:
Telemetry. Minimally processed data collected by the capability showing that event(s) occurred specific to the behavior under test. (i.e. showing the procedure/command that was executed).
Techniques. Processed data specifying ATT&CK Technique or equivalent level of enrichment to the data collected by the capability.
Full definitions can be accessed here.
The chart below displays a stripped-down view of our core competition for the contextual attack detections produced. You can also preview here a full chart against all participant vendors.
The most actionable EDR on the market. The highest number of attack technique detections of any vendor
Equally relevant to the breadth of Bitdefender’s detection across the entire attack chain is its clear focus to prioritizing attack techniques to every other detection type, a key element in helping organizations of any size to correctly decipher malicious activities of highly versed attackers.
The MITRE’s website snapshot not only indicates Bitdefender will trigger relevant and fully contextualized detections in every step of the attack chain, but also provide most in the form of attack techniques, the easiest-to-interpret and most actionable EDR detections for resource and skill-constrained security teams.
Bitdefender dominates MITRE ATT&CK Evaluation charts with the 68 techniques alerts, and a staggering 15 distance from the next in line competitor (FireEye), and an even larger difference to other core competitors.
The chart below displays a stripped-down view of our core competition for attack techniques. You can also preview here a full chart against all participant vendors.
To get a sense of the value in providing detection as attack technique and the richness of context for smaller security teams, below are several examples from Bitdefender’s console, showcasing both how our detections are mapped against MITRE ATT&CK framework, as well as the breadth of detailed information provided in the detection tab.
The first case showcases step 8 of the APT29 attack chain, with the console clearly specifying Powershell is attempting a lateral movement.
Another good example to showcase is that of the initial collection and exfiltration by APT29 of the attack data (step 7, sub-step 7.B.4 – technique result T1048). As seen in the screenshot below, Bitdefender captured as an attack technique and announced in the admin that ‘a compressed file was transferred over the network’, providing a clear and actionable alert, together with a full list of markers for further investigations.
Both examples showcase the breadth of Bitdefender’s detections across various stages of the APT attack chain, including relevant and fully contextualized alerts, and a powerful ratio of attack techniques.
MITRE ATT&CK Evaluation Is A More Complex Tool For Practitioners. Other Evaluations Speak For Themselves
MITRE is not meant to be a pinpoint winners or rank vendors against each other, but to be a powerful tool for security practitioners looking to pinpoint the best EDR solution for their teams. But there are other independent testing organisations focused on decision makers, which also provide high level analysis of their results and pinpoint vendors.
Through the successful completion of the ATT&CK evaluation testing and excellent results in identifying and alerting across the entire attack chain , Bitdefender has once confirmed its strong EDR offering, following up on the excellent results in Forrester Wave™ for EDR (March 2020) where is was nominated ‘the biggest EDR vendor you haven’t considered but should have’.
Bitdefender is also an NSS Labs A+ Recommended Vendor (February 2020), winner of AV-Test Best Protection Award (February 2020) and a 100% scored vendor in AV-Comparatives first testing against advanced attacks (December 2019).
If you are looking to secure your infrastructure, get a free, 90-day full product evaluation for GravityZone Ultra Plus, a unique, limited-time offer in the market.
If you are a service provider, get a free full-featured trial of the multitenant security suite, Bitdefender Cloud Security for MSP.
Bitdefender is a technology provider of choice, with 38% of cybersecurity vendors worldwide using one or more Bitdefender technologies. To maintain the high quality and accuracy of its detection, Bitdefender remains committed to developing technologies in house, and to maintaining over 50% of its workforce in R&D teams.
Why is every competitor claiming success with MITRE?
MITRE ATT&CK Evaluation consists of very rigorous vendor scoring, but it does not nominate winners or even create vendor ranking.
Learn how to navigate success claims from different security vendors and how to use MITRE ATT&CKs against your organization’s profile, according to MITRE’s guidelines and definitions in their APT29 Evaluation.