MITRE ATT&CK Framework: 5 Questions to Ask NDR Providers about their Coverage

If you’re in the market for an endpoint detection and response (EDR) solution, you can use results from the MITRE Engenuity ATT&CK® Evaluations to understand the extent to which participating EDR providers can detect and protect against attack techniques associated with specific threat actors.

However, if you’re considering a network detection and response (NDR) solution and you want to see how different NDR providers stack up against the MITRE ATT&CK Matrix for Enterprise, you’ll need to carefully validate the claims NDR providers make about their coverage. Since MITRE Engenuity doesn’t currently evaluate NDR providers, there’s no single, independent, industry-standard methodology for validating the ATT&CK techniques that NDR solutions cover. This creates all kinds of confusion in the market.

When evaluating NDR providers’ MITRE ATT&CK coverage, keep the following considerations in mind:

1. How does the vendor define or scope its coverage? The ATT&CK Matrix for Enterprise currently consists of 201 documented attack techniques. Of those 201 techniques, MITRE considers 52% of them, or 106, “network-addressable,” meaning they can be detected via the network. Certain “pre-compromise” techniques, like Gather Victim Host Information (T1592), Compromise Accounts (T1586), and Stage Capabilities (T1608), will never be detected by an NDR tool (or even an EDR tool for that matter).

So if a vendor claims its product covers, say, 92% of the ATT&CK framework, ask them if that means 92% of the 201 techniques, or 92% of the 106 techniques that MITRE deems network-addressable, or something else. If they say they cover 92% of all 201 techniques, be very, very wary.

2. Does the vendor provide the coverage out of the box directly through their NDR tool, or does it require extensive integrations? Some vendors will pad their ATT&CK framework coverage by including tactics and techniques that their integration partners address or that their other, non-NDR products cover, which can be misleading. Be sure you understand the specific techniques NDR products can detect natively, without any integrations.

3. How strong are the detections powering the vendor’s native ATT&CK framework coverage? ATT&CK framework coverage isn’t just a numbers game. When evaluating NDR solutions against the ATT&CK framework, it’s important to consider the robustness of detections alongside the number of techniques the product is capable of detecting. For example, RevealX has 15 ways to detect the use of encrypted channels to conceal C2 communications (T1573) and 10 ways to detect phishing (T1566), use of external remote services to gain initial access (T1133), exploitation of remote services, and more.

4. How do they count techniques: Do they count them individually or collectively across tactics? Some ATT&CK techniques apply to more than one tactic, the high-level categories that describe attackers’ objectives (e.g., reconnaissance, initial access, execution, persistence, exfiltration, impact, etc.) For example, T1037 (Boot or Logon Initialization Scripts) is a technique attackers can use to establish persistence or escalate their privileges. Similarly, T1197 (BITS Jobs) can be used to establish persistence or evade an organization’s defenses. So a vendor may choose to count the individual techniques their product addresses, or they may add up all the techniques they address across each tactic, which can result in a higher number when the same technique is used across multiple tactics.

Third-Party Validation of RevealX Coverage Against MITRE ATT&CK

In an effort to dispel some of the confusion around MITRE ATT&CK coverage in the NDR market, ExtraHop hired TechTarget’s Enterprise Strategy Group (ESG) to conduct a technical validation of the ATT&CK techniques RevealX detects.

Through their analysis, ESG validated that out of the box, RevealX provides coverage for a total of 106 individual ATT&CK techniques, including 55 of the 60 techniques that MITRE ATT&CK considers network-addressable. The five network-addressable techniques that RevealX doesn’t cover have either never been observed in use or are so rare they’re essentially theoretical.

Notably, 20 of the 106 techniques that RevealX detects can be used across multiple ATT&CK tactics. So if you add up all the techniques RevealX detects by tactic, you get 126 techniques. But again, that’s because some of the techniques apply to more than one tactic. If you count the techniques individually, it’s 106.

ESG also validated that RevealX can reduce time to detect and respond by providing contextual information about detected attacks to support investigations and by providing simplified workflows. This is not the first time a third-party validated the outcomes RevealX provides for customers: In “The Total Economic Impact™ of ExtraHop Reveal(x) 360,” a commissioned study, Forrester Consulting found that a composite organization based on interviews Forrester conducted with a sample of RevealX 360 customers decreased time to detect threats by 83% and time to resolve threats by 87% through a commissioned study.

RevealX Differentiators Fuel Broad MITRE ATT&CK Framework Coverage

RevealX is able to provide broad coverage against the MITRE ATT&CK framework because of the following capabilities that differentiate RevealX from competing NDR solutions:

Full packet capture: RevealX captures full packets across the data link, network, transport, session, presentation, and application OSI layers (OSI layers 2-7), and does it at scale and at line rate speed. Full packet capture enables RevealX to gather richer context about what’s happening on an organization’s network. With RevealX, organizations can tell what every packet is doing anywhere on their network, at any given time. ** ** Other NDR providers only analyze partial packets or netflow, or they do deep packet inspection, which can easily be circumvented, or they only inspect traffic in the network and transport layers (OSI layers 3 and 4).

Protocol fluency: RevealX decodes more than 70 application, database, network, and internet protocols at the application layer and in real time, including the following Microsoft protocols: Kerberos, MSRPC, LDAP, WINRM, SMBv3, and NTLM. Microsoft protocol fluency is particularly important because attacks targeting Active Directory, the Kerberos authentication protocol, and PowerShell have increased dramatically in recent years, leading to compromises at thousands of organizations.

Decryption: The superior decryption capabilities built into RevealX allow organizations to detect living off the land techniques and attacks hiding in encrypted traffic. RevealX decrypts SSL and TLS 1.3 encryption passively and in real time, without employing “man-in-the-middle” or “break-and-inspect” decryption approaches, and RevealX does it at speeds up to 100 Gbps, which enables organizations to maintain visibility even while leveraging the latest encryption standards. In contrast, our competitors top out at speeds of about 40 Gbps. Also, encrypted traffic analysis, the capability offered in competing solutions, can’t detect encrypted Microsoft protocol attacks or other living off the land techniques. RevealX can.

Machine learning: RevealX performs metric- and behavioral-based detections driven by machine analysis of more than 5,000 attributes. This allows RevealX to detect multiple variations of techniques and advanced attacks, like those that rely on abuse of valid credentials, faster and with higher fidelity than competing solutions. ExtraHop holds 70 patents in AI, and RevealX leverages five forms of artificial intelligence, including predictive models, graph algorithms, deep learning, clustering, and clustering link prediction.

To learn more about the ATT&CK techniques that RevealX helps organizations detect and investigate, download a complimentary copy of the ESG technical validation and be sure to explore our technical paper, RevealX and the MITRE ATT&CK Framework.