MITRE NATION-STATE EMULATION TEST

CrowdStrike Products

CrowdStrike Falcon Endpoint Protection Platform Evaluated Against GOTHIC PANDA (APT3)

Post on 29-May-2020



MITRE TEST DESCRIPTION

The MITRE LETS team evaluated the CrowdStrike® Falcon® endpoint protection platform to assess the tool’s ability to detect an Advanced Persistent Threat (APT). We focused on post-exploit detection of attack techniques employed by GOTHIC PANDA, also known as APT3. No weaponized document or actual exploit was used as part of this effort.

CROWDSTRIKE COMMENTARY

The market has long recognized that the decades-old legacy antivirus (AV) approach had fundamental limitations that were exploited by persistent adversaries. The CrowdStrike Falcon platform was developed as a next-generation solution that directly addresses the challenges posed by advanced adversaries. But despite the broad recognition of issues with legacy solutions and the increasing adoption of the CrowdStrike next-gen platform, the market has been slower to recognize that, for the most part, industry testing methodologies are still stuck in a paradigm of the past.

The MITRE Corporation noticed the gaps inherent in legacy AV testing methodologies and began work on an entirely new testing approach. MITRE had already developed MITRE ATT&CK, a framework for cataloging attack techniques along with the adversary groups known to employ each technique. Based in part on this framework, they have now developed a testing methodology to emulate certain adversary groups.

Recognizing that MITRE's testing methodology was exactly what the industry was missing to evaluate and validate its next-generation approach to detecting breaches, CrowdStrike engaged with MITRE to undergo a rigorous adversary emulation evaluation. The results of this test provide insight into how CrowdStrike Falcon achieves its effectiveness in protecting customers from targeted and sophisticated attacks, showing that CrowdStrike Falcon detects a broad spectrum of malicious behavior. The following table is a summary of the results from the test carried out by MITRE, which emulated the actor known as GOTHIC PANDA.

THE FALCON PLATFORM RESULTS

“CrowdStrike uses a collaboration of machine and human, bringing together both proprietary APT detecting software (Falcon Insight™) and Managed Threat Hunting Service operators (Falcon OverWatch™) to identify malicious activity. Combining both products, along with CrowdStrike Falcon’s user interface, assisted in the detection and investigation of GOTHIC PANDA attack techniques emulated by the LETS team.”

— MITRE Corporation


RESULTS AS TESTED IN THE MITRE ATT&CK FRAMEWORK

Techniques by tactic column, as laid out in the original matrix (the cell colouring that marks each technique's test status, explained in the legend below, is not preserved in this text version):

Persistence: Accessibility Features; AppInit DLLs; Application Shimming; Component Object Model Hijacking; DLL Search Order Hijacking; External Remote Services; File System Permissions Weakness; Hidden Files and Directories; Hypervisor; Local Port Monitor; Logon Scripts; Modify Existing Service; New Service; Registry Run Keys / Start Folder; Scheduled Task; Shortcut Modification; System Firmware; Valid Accounts; Web Shell; Windows Management Instrumentation Event Subscription; Winlogon Helper DLL

Privilege Escalation: Access Token Manipulation; Accessibility Features; AppInit DLLs; Application Shimming; Bypass User Account Control; DLL Injection; DLL Search Order Hijacking; Exploitation of Vulnerability; File System Permissions Weakness; Local Port Monitor; New Service; Path Interception; Scheduled Task; Service Registry Permissions Weakness; Valid Accounts; Web Shell

Defense Evasion: Access Token Manipulation; Binary Padding; Bypass User Account Control; Code Signing; Component Firmware; Component Object Model Hijacking; DLL Injection; DLL Search Order Hijacking; Disabling Security Tools; Exploitation of Vulnerability; File Deletion; File System Logical Offsets; Hidden Files and Directories; Redundant Access; Regsvcs/Regasm; Regsvr32; Rootkit; Rundll32; Scripting; Software Packing; Timestomp; Trusted Developer Utilities; Valid Accounts

Credential Access: Account Manipulation; Brute Force; Create Account; Credential Dumping; Credentials in Files; Exploitation of Vulnerability; Input Capture; Network Sniffing; Private Keys; Two-Factor Authentication Interception

Discovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Service Discovery

Lateral Movement: Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol; Remote File Copy; Remote Services; Replication Through Removable Media; Shared Webroot; Taint Shared Content; Third-party Software; Windows Admin Shares; Windows Remote Management

Execution: Command-Line Interface; Execution through API; Execution through Module Load; Graphical User Interface; InstallUtil; PowerShell; Process Hollowing; Regsvcs/Regasm; Regsvr32; Rundll32; Scheduled Task; Scripting; Service Execution; Third-party Software; Trusted Developer Utilities; Windows Remote Management

Collection: Audio Capture; Automated Collection; Clipboard Data; Data Staged; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Email Collection; Input Capture; Screen Capture; Video Capture

Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Scheduled Transfer

Command and Control: Commonly Used Port; Communication Through Removable Media; Connection Proxy; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Encoding; Data Obfuscation; Fallback Channels; Multi-Stage Channels; Multiband Communication; Multilayer Encryption; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol; Uncommonly Used Port

CrowdStrike Falcon-to-ATT&CK Mapping – colored cells considered relevant for Gothic Panda/APT3:

not tested

tested, detected

tested, detection possible

capability gaps


The colored cells indicate techniques that were tested, and the gray cells indicate techniques known to be used by GOTHIC PANDA but not tested by MITRE for this engagement. Green and yellow cells both show activity that was captured by CrowdStrike Falcon; the only difference is that the green cells were picked up by MITRE's own analysis team without assistance. It is noteworthy that MITRE's analysts had no prior training or experience with the CrowdStrike Falcon platform, demonstrating that not only is the solution highly effective at detecting adversary behavior, it doesn’t require significant training or expertise to use effectively.

There were many noteworthy results from the test, but for the sake of brevity two are highlighted here. Scheduled tasks are used by adversaries to cause programs to be executed in the future, and this method of launching processes obfuscates the source of the activity. The CrowdStrike Falcon platform is able to show the process that originated the command to schedule the task or, if the command was invoked from a remote machine, the IP address where the command originated. Credential theft is a particular focus of the Falcon platform, given its near ubiquity in targeted attacks. In this test, even when credential theft was carried out stealthily by using legitimate system utilities like PowerShell, the credential theft was immediately detected. While prevention was fully disabled for this test, the CrowdStrike Falcon platform goes beyond behavioral detection and arms its customers with the ability to prevent many forms of credential theft.
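The scheduled-task point above is a general one for defenders: the task-creation record on its own names the account but not the process or host behind it, so attribution needs a join against other telemetry. The following is an added example for this page, not CrowdStrike's or MITRE's code and not a description of how Falcon does it internally. It assumes plain Windows Security log events (4624 logon, 4688 process creation with the ParentProcessName field that Windows 10 / Server 2016 and later populate, 4698 scheduled task created) and joins them on the logon session id; the sample events are constructed for the example.

```python
"""Attribute a Windows scheduled-task creation to its originating process or
to the remote host it came from, by joining Security log events on the
logon session id.

Added example for this page; it is not CrowdStrike's or MITRE's code and
does not reflect how Falcon implements this. Event ids and field names are
those of the Windows Security log:
  4624  logon succeeded        (TargetLogonId, LogonType, IpAddress)
  4688  process created        (SubjectLogonId, NewProcessName, CommandLine,
                                ParentProcessName on Windows 10 / Server 2016+)
  4698  scheduled task created (SubjectLogonId, TaskName, SubjectUserName)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry for the example (not real logs).
SAMPLE_EVENTS: List[Dict] = [
    # Interactive session (logon type 2): a PowerShell process spawns schtasks.exe.
    {"EventID": 4624, "TargetLogonId": "0x3e7a1", "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "alice"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4698, "SubjectLogonId": "0x3e7a1",
     "TaskName": r"\Updater", "SubjectUserName": "alice"},
    # Network session (logon type 3): the task was created over the Task
    # Scheduler RPC interface from another host, so no local schtasks.exe
    # process is recorded in this session; the source address is in the 4624.
    {"EventID": 4624, "TargetLogonId": "0x5c210", "LogonType": 3,
     "IpAddress": "10.0.0.25", "TargetUserName": "svc_backup"},
    {"EventID": 4698, "SubjectLogonId": "0x5c210",
     "TaskName": r"\Sync", "SubjectUserName": "svc_backup"},
]


@dataclass
class TaskOrigin:
    task: str
    user: str
    origin_process: Optional[str]  # parent of schtasks.exe when created locally
    remote_ip: Optional[str]       # source address when created from another host


def attribute_tasks(events: List[Dict]) -> List[TaskOrigin]:
    """Return one TaskOrigin per 4698 event, joined to 4624/4688 by logon session id."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    procs_by_session: Dict[str, List[Dict]] = {}
    for e in events:
        if e["EventID"] == 4688:
            procs_by_session.setdefault(e["SubjectLogonId"], []).append(e)

    results = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        session = e["SubjectLogonId"]

        # Remote creation shows up as a network logon carrying a source address.
        logon = logons.get(session)
        remote_ip = None
        if logon and logon["LogonType"] == 3 and logon["IpAddress"] not in ("-", ""):
            remote_ip = logon["IpAddress"]

        # Local creation: find the schtasks.exe launched in the same session and
        # report its parent, which is the process that actually requested the task.
        origin = None
        for p in procs_by_session.get(session, []):
            if p["NewProcessName"].lower().endswith("\\schtasks.exe"):
                origin = p.get("ParentProcessName")

        results.append(TaskOrigin(e["TaskName"], e["SubjectUserName"], origin, remote_ip))
    return results


if __name__ == "__main__":
    for t in attribute_tasks(SAMPLE_EVENTS):
        where = t.remote_ip or t.origin_process or "unknown"
        print(f"task {t.task} by {t.user}: origin = {where}")
```

The join key is the logon session id, which is the only field the three event types share. A task created locally resolves to the parent of schtasks.exe (here PowerShell); a task created from another host has no schtasks.exe in its session and instead resolves to the address on the type 3 logon. Tasks that match neither are reported with no origin rather than guessed, which is the case a detection pipeline should surface for review rather than silently drop.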

CrowdStrike is strongly committed to transparent, repeated, and independent testing that accurately reflects today's real world attacks. MITRE's testing methodology based on the ATT&CK framework is the first such framework that goes beyond the legacy AV testing practices that the industry has quickly outgrown. CrowdStrike's performance in the MITRE ATT&CK emulation speaks for itself, clearly demonstrating the value of the CrowdStrike Falcon solution.

ABOUT MITRE CORPORATION

The MITRE Corporation’s mission-driven team is dedicated to solving problems for a safer world. It is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs).

MITRE works across the government, through its FFRDCs and public-private partnerships, to tackle problems that challenge the nation's safety, stability and well-being. Its unique vantage point allows MITRE to provide innovative, practical solutions in the defense and intelligence, aviation, civil systems, homeland security, judiciary, healthcare, and cybersecurity spheres.

ABOUT MITRE TESTING

MITRE’s Leveraging External Transformational Solutions (LETS) program evaluates the effectiveness of cyber tools being used or considered for use across government. MITRE identifies government users who are evaluating, piloting, or deploying cyber technologies that we believe to be innovative and impactful. Then we provide subject matter expertise to help companies articulate their products’ functionality and effectiveness. Full reports are releasable only to the U.S. Government. This evaluation is for informational purposes only and is not an endorsement.

For more information, please email [email protected].

ABOUT CROWDSTRIKE

CrowdStrike is the leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver actionable intelligence and real-time protection from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed. CrowdStrike Falcon protects customers against all cyber attack types, using sophisticated signatureless AI and Indicator-of-Attack (IOA) based threat prevention to stop known and unknown threats in real time. Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates over 100 billion security events a day from across the globe to immediately prevent and detect threats.