The AttackIQ Adversary Research Team has published its first research report, a data analytic study of historic security control failures against top MITRE ATT&CK techniques – and what to do to improve security program performance. The report involved months of analysis and included a review of anonymized 2021 customer data from over 100 of AttackIQ’s software-as-a-service cloud customers.
One key finding rose to the top. On average, the endpoint detection and response (EDR) controls in our anonymized customers’ environments only stopped the top 7 adversary techniques 39 percent of the time in 2021. This is an unacceptable rate of failure and leaves organizations exposed to a high degree of risk. This issue is not the fault of the security providers, however, as their controls stop the top techniques in our laboratory environment. Nor is it the fault of our customers, some of the most advanced security teams in the world. The problem is embedded in the system itself. Absent continuous testing against real-world adversary behaviors, security controls falter.
The researchers say they selected the “Seven Deadly Techniques” for several reasons. They match real-word attacks from concerning actors, like Russia. Their usage is common; they are core functional techniques that help threat actors achieve their goals; laboratory evidence shows that the recommended configuration settings of EDR solutions should be able to prevent these techniques from executing; and customers show that these techniques can be prevented in their environments some of the time, proving the real-world practicality of prevention measurements.
In a related development this week, CISA and a cluster of allied governments released a new alert about Iranian threat actors, and in the alert CISA began to urge organizations to validate their security controls using the MITRE ATT&CK framework by “continually testing your security program, at scale, in a production environment to ensure optimal performance.” The Adversary Research Team says it is working now to generate a new attack graph about the techniques described in the alert.
You can read the full report here
