MITRE NATION-STATE EMULATION TEST
CrowdStrike Products
CrowdStrike Falcon Endpoint Protection Platform Evaluated Against GOTHIC PANDA (APT3)
MITRE TEST DESCRIPTION
The MITRE LETS team evaluated the CrowdStrike® Falcon® endpoint protection platform to assess the tool’s ability to detect an Advanced Persistent Threat (APT). We focused on post-exploit detection of attack techniques employed by GOTHIC PANDA, also known as APT3. No weaponized document or actual exploit was used as part of this effort.
CROWDSTRIKE COMMENTARY
The market has long recognized that the decades-old legacy antivirus (AV) approach had fundamental limitations that were exploited by persistent adversaries. The CrowdStrike Falcon platform was developed as a next-generation solution that directly addresses the challenges posed by advanced adversaries. But despite the broad recognition of issues with legacy solutions and the increasing adoption of the CrowdStrike next-gen platform, the market has been slower to recognize that, for the most part, industry testing methodologies are still stuck in a paradigm of the past.
The MITRE Corporation noticed the gaps inherent in legacy AV testing methodologies and began work on an entirely new testing approach. MITRE had already developed MITRE ATT&CK, a framework for cataloging attack techniques along with the adversary groups that are known to employ each technique. Based in part on this framework, they have now developed a testing methodology to emulate certain adversary groups.
Recognizing that MITRE's testing methodology was exactly what the industry was missing to evaluate and validate its next-generation approach to detecting breaches, CrowdStrike engaged with MITRE to undergo a rigorous adversary emulation evaluation. The results of this test provide insight into how CrowdStrike Falcon achieves its effectiveness in protecting customers from targeted and sophisticated attacks, showing that CrowdStrike Falcon detects a broad spectrum of malicious behavior. The following table is a summary of the results from the test carried out by MITRE, which emulated the actor known as GOTHIC PANDA.
THE FALCON PLATFORM RESULTS
“CrowdStrike uses a collaboration of machine and human, bringing together both proprietary APT detecting software (Falcon Insight™) and Managed Threat Hunting Service operators (Falcon OverWatch™) to identify malicious activity. Combining both products, along with CrowdStrike Falcon’s user interface, assisted in the detection and investigation of GOTHIC PANDA attack techniques emulated by the LETS team.”
— MITRE Corporation
RESULTS AS TESTED IN THE MITRE ATT&CK FRAMEWORK
CrowdStrike Falcon-to-ATT&CK Mapping. The original matrix has one column per ATT&CK tactic; the techniques in each column, in the order shown, are listed below. Colored cells mark techniques considered relevant for Gothic Panda/APT3 (the coloring itself is not reproduced in this text version; see the legend that follows).
Persistence: Accessibility Features, AppInit DLLs, Application Shimming, Component Object Model Hijacking, DLL Search Order Hijacking, External Remote Services, File System Permissions Weakness, Hidden Files and Directories, Hypervisor, Local Port Monitor, Logon Scripts, Modify Existing Service, New Service, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Shortcut Modification, System Firmware, Valid Accounts, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
Privilege Escalation: Access Token Manipulation, Accessibility Features, AppInit DLLs, Application Shimming, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, File System Permissions Weakness, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service Registry Permissions Weakness, Valid Accounts, Web Shell
Defense Evasion: Access Token Manipulation, Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, Component Object Model Hijacking, DLL Injection, DLL Search Order Hijacking, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Hidden Files and Directories, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, Scripting, Software Packing, Timestomp, Trusted Developer Utilities, Valid Accounts
Credential Access: Account Manipulation, Brute Force, Create Account, Credential Dumping, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Private Keys, Two-Factor Authentication Interception
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Service Scanning, Network Share Discovery, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery
Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Third-party Software, Windows Admin Shares, Windows Remote Management
Execution: Application Shimming, Command-Line Interface, Execution through API, Execution through Module Load, Graphical User Interface, InstallUtil, PowerShell, Process Hollowing, Regsvcs/Regasm, Regsvr32, Rundll32, Scheduled Task, Scripting, Service Execution, Third-party Software, Trusted Developer Utilities, Windows Remote Management
Collection: Audio Capture, Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture, Video Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Connection Proxy, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port
Legend (cell colors): not tested; tested, detected; tested, detection possible; capability gaps.
The colored cells indicate techniques that were tested, and the gray cells indicate techniques known to be used by GOTHIC PANDA but not tested by MITRE for this engagement. Green and yellow cells both show activity that was captured by CrowdStrike Falcon; the only difference is that the green cells were picked up by MITRE's own analysis team without assistance. It is noteworthy that MITRE's analysts had no prior training or experience with the CrowdStrike Falcon platform, demonstrating that not only is the solution highly effective at detecting adversary behavior, it doesn’t require significant training or expertise to use effectively.
There were many noteworthy results from the test, but for the sake of brevity two are highlighted here. Scheduled tasks are used by adversaries to cause programs to be executed in the future, and this method of launching processes obfuscates the source of the activity. The CrowdStrike Falcon platform is able to show the process that originated the command to schedule the task or, if the command was invoked from a remote machine, the IP address where the command originated. Credential theft is a particular focus of the Falcon platform, given its near ubiquity in targeted attacks. In this test, even when credential theft was carried out stealthily by using legitimate system utilities like PowerShell, the credential theft was immediately detected. While prevention was fully disabled for this test, the CrowdStrike Falcon platform goes beyond behavioral detection and arms its customers with the ability to prevent many forms of credential theft.
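As an added illustration of the scheduled-task attribution described above (example code written for this page, not CrowdStrike's code or method), the snippet below recovers a task's origin from standard Windows Security events: a task-creation event (4698) is joined on its logon ID either to a network logon (4624, logon type 3), which yields the remote source IP, or to the local schtasks.exe process-creation event (4688), which yields the originating parent process. All event data is constructed; field names follow the Windows Security log schema.

```python
"""Attribute Windows scheduled-task creation (Event ID 4698) to its origin.

Added example, not CrowdStrike's code. Events below are constructed;
field names follow the Windows Security event schema.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample events as (event_id, fields).
EVENTS = [
    # Network logon from 10.0.0.5, then a task registered in that session.
    (4624, {"TargetLogonId": "0x3e7a1", "LogonType": "3",
            "IpAddress": "10.0.0.5", "TargetUserName": "svc_admin"}),
    (4698, {"SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_admin",
            "TaskName": "\\Updater"}),
    # Interactive logon; cmd.exe launches schtasks.exe, which creates a task.
    (4624, {"TargetLogonId": "0x51c2", "LogonType": "2",
            "IpAddress": "-", "TargetUserName": "alice"}),
    (4688, {"SubjectLogonId": "0x51c2", "ProcessId": "0x1a4",
            "NewProcessName": r"C:\Windows\System32\cmd.exe",
            "ParentProcessName": r"C:\Windows\explorer.exe"}),
    (4688, {"SubjectLogonId": "0x51c2", "ProcessId": "0x2b0",
            "NewProcessName": r"C:\Windows\System32\schtasks.exe",
            "ParentProcessName": r"C:\Windows\System32\cmd.exe"}),
    (4698, {"SubjectLogonId": "0x51c2", "SubjectUserName": "alice",
            "TaskName": "\\Cleanup"}),
]

@dataclass
class TaskOrigin:
    task: str
    user: str
    remote_ip: Optional[str]       # set when the task was registered over the network
    origin_process: Optional[str]  # local parent of schtasks.exe, if one was seen

def attribute_tasks(events):
    """Return one TaskOrigin per 4698 event, joined on the logon ID."""
    logons = {}          # LogonId -> 4624 fields
    last_schtasks = {}   # LogonId -> most recent schtasks.exe 4688 fields
    results = []
    for eid, f in events:
        if eid == 4624:
            logons[f["TargetLogonId"]] = f
        elif eid == 4688 and f["NewProcessName"].lower().endswith("schtasks.exe"):
            last_schtasks[f["SubjectLogonId"]] = f
        elif eid == 4698:
            lid = f["SubjectLogonId"]
            logon = logons.get(lid, {})
            # Logon type 3 means the registering session came over the network
            # (e.g. the Task Scheduler RPC interface); its 4624 IpAddress is the
            # machine the command originated from.
            remote = logon.get("IpAddress") if logon.get("LogonType") == "3" else None
            proc = last_schtasks.get(lid, {}).get("ParentProcessName")
            results.append(TaskOrigin(f["TaskName"], f["SubjectUserName"], remote, proc))
    return results
```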
CrowdStrike is strongly committed to transparent, repeated, and independent testing that accurately reflects today's real-world attacks. MITRE's testing methodology based on the ATT&CK framework is the first such framework that goes beyond the legacy AV testing practices that the industry has quickly outgrown. CrowdStrike's performance in the MITRE ATT&CK emulation speaks for itself, clearly demonstrating the value of the CrowdStrike Falcon solution.
ABOUT MITRE CORPORATION
The MITRE Corporation’s mission-driven team is dedicated to solving problems for a safer world. It is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs).
MITRE works across the government, through its FFRDCs and public-private partnerships, to tackle problems that challenge the nation's safety, stability and well-being. Its unique vantage point allows MITRE to provide innovative, practical solutions in the defense and intelligence, aviation, civil systems, homeland security, judiciary, healthcare, and cybersecurity spheres.
ABOUT MITRE TESTING
MITRE’s Leveraging External Transformational Solutions (LETS) program evaluates the effectiveness of cyber tools being used or considered for use across government. MITRE identifies government users who are evaluating, piloting, or deploying cyber technologies that we believe to be innovative and impactful. Then we provide subject matter expertise to help companies articulate their products’ functionality and effectiveness. Full reports are releasable only to the U.S. Government. This evaluation is for informational purposes only and is not an endorsement.
For more information, please email [email protected].
ABOUT CROWDSTRIKE
CrowdStrike is the leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver actionable intelligence and real-time protection from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed. CrowdStrike Falcon protects customers against all cyber attack types, using sophisticated signatureless AI and Indicator-of-Attack (IOA) based threat prevention to stop known and unknown threats in real time. Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates over 100 billion security events a day from across the globe to immediately prevent and detect threats.