I am excited to share with you that Cisco Secure Endpoint (formerly AMP for Endpoints) has successfully completed the 2020 MITRE Engenuity ATT&CK® Evaluation. This round is particularly rewarding because we had to face the difficult challenge of performing well against a set of simulated attacks from the formidable threat actors Carbanak and FIN7.

I will not go into the details of our performance in the Evaluation – you can learn about them here instead. Rather, I would like to share my perspective as the engineering leader behind the product and our recent ATT&CK Evaluation journey. To do that, I will take a “Q&A” approach to share my thoughts. Let’s start.

What is the MITRE ATT&CK Framework?

It’s essentially an enumeration of tactics and techniques that attackers use to infiltrate systems from reconnaissance all the way to compromise and lateral movement. If you are not familiar with ATT&CK, you can learn more here.

What is the purpose of an ATT&CK Evaluation? How does it work?

The evaluation, performed by MITRE Engenuity, is a test that makes use of the ATT&CK framework to evaluate different attack scenarios against endpoint security products. MITRE Engenuity picks one or two threat actors that have a known set of tactics and techniques, and they mimic them. You’re given some time to install and configure your security solution in their environment as you see fit or as you expect your customers to install it. Then they run through evaluations for both prevention and detection, as well as determining what the product captured in the form of telemetry. Eventually, they go away, and after a while they come back with the result of the evaluation.

What’s the value of an ATT&CK Evaluation?

The data from an ATT&CK Evaluation is valuable to customers because it allows them to learn about what the strengths and weaknesses of the products are. This allows them to plan their defense so that they can augment their current capabilities by acquiring other products or implementing other processes to defend in-depth.

From the vendor perspective, it has a similar value. It allows you to better understand your own product and what gaps and weaknesses there may be. It is good to get that external validation and then plan your roadmap of features so that you can start filling in those gaps.

Why did Secure Endpoint perform so well?

We have been focused on new innovations, including continued investments in our layers of protection mechanisms. These include our enhanced behavioral protection and script protection technologies. This is critical now more than ever as the threat landscape continues to evolve, using sophisticated approaches like Living off the Land (LOL) techniques and exploiting legitimate technologies such as PowerShell.

Behind the curtains, our behavioral protection engine stood out in this particular evaluation. It monitors all user and endpoint activity to protect against malicious behavior in real-time by matching a stream of activity records against a set of attack activity patterns that are dynamically updated as threats evolve. This action accounted for over 38% of our findings during the evaluation. What’s more, we are continually improving this engine and with our learnings from      MITRE Engenuity’s Evaluation you can expect even more enhancements in this area going forward.

Additionally, Cisco Orbital Advanced Search also played a defining role in the evaluation. It provided better visibility into some of the steps in the attack. This is an area that sets us apart from other endpoint security solutions, as our customers can execute over 200 pre-built queries conveniently catalogued into use cases like threat hunting, investigations, IT operations, vulnerability and compliance, and more to gain deep insight to the endpoint in real-time.

So too does the forensic snapshot capability. We can automatically capture snapshots of data from endpoints such as running processes, open network ports and a lot more at the time of detection or on demand. This allows you to know exactly what was happening on your endpoint at that point in time. If there are certain threats that have been detected at an endpoint, it can automatically ask Orbital Advanced Search to create a forensic snapshot to gather information about what’s occurring.

Without the forensic snapshot technology at your fingertips, the amount of effort it takes to get to that level of visibility is huge in terms of research time and overhead. By contrast, a forensic snapshot can be configured to automatically trigger. So, it’s a massive time saver.

Lastly, Secure Endpoint’s strong performance in the 2020 ATT&CK Evaluation closely follows being names a Strategic Leader by AV-Comparatives in its inaugural 2020 Endpoint Prevention and Response (EPR) Comparative Report. The report showed that Secure Endpoint was highly effective in preventing, detecting and responding to threats using a series of tests to emulate multi-stage attacks.

Where does endpoint security go from here?

Today, endpoint security is in a state of transformation. It continues to be an integral component of the modern security stack – the last line of defense against advanced threats for many organizations. More than ever, it is important that endpoint security not be disconnected from other security controls, but rather that it be an integral part of a security platform that helps the SOC to become the highly effective function that it needs to be right now.

The key is to provide customers with an endpoint security solution with a built-in security platform that integrates with a security architecture, that’s easy-to-use, and that’s delivered at scale. 

For more information about Cisco’s performance in MITRE Engenuity’s 2020 ATT&CK evaluation, check the recent blog post.


Elias Levy

Distinguished Engineer, Chief Architect

SecureX & Secure Endpoint