MITRE publicly released the results of its most recent ATT&CK Evaluation this week, and Secureworks® is proud to announce that our cloud-native SaaS application, Red Cloak™ Threat Detection and Response (TDR), rapidly and accurately detected the adversary in the first stage of many attacks and continued to deliver visibility and detections throughout 90% of the evaluated ATT&CK techniques. But we’re even more proud to have participated in something that truly raises the bar for the cybersecurity industry, empowering vendors to innovate faster and deliver better protection for customers around the globe.
This month, Secureworks Red Cloak Threat Detection and Response turns one year old, and the six months since we began the MITRE ATT&CK Evaluation have been our most productive yet in terms of improvement and innovation.
As we mentioned in our original post below, we discovered novel opportunities for detections even while preparing for and executing the assessment, including PowerShell Script Block Logging reconstruction and custom Windows Management Instrumentation (WMI) attack detections. During the evaluation, Red Cloak TDR collected the entire PowerShell script as well as the invocation of any functions within it. This tells us what the adversary could do, and what they did do, which is critical to response teams.
Since the evaluation, we’ve continued to innovate. We widened customer visibility with 36 new data source integrations, added advanced analytics detectors, delivered multiple infrastructure enhancements and built on services, including a new MDR Dashboard that provides visibility into how TDR provides value. Advanced search capabilities now aid customers in threat hunting, and customers who need expert analyst support can get it via an in-app chat. We have also deployed to more than 100 customer environments.
Putting our analytics to the test with an independent third party like MITRE gave our technical and research teams a provocative challenge, and new perspective on an old problem: finding advanced threats among the noise in a complex security environment. The evaluation experience validated our belief that security technology is most effective when it is working in concert with people and process. The embedded experience of our 20 years of incident response and threat behavioral research helped generate the right context quickly without drowning responders in excessive noise throughout the ATT&CK Framework.
Secureworks firmly believes that a low false positive rate is essential to risk reduction, and Red Cloak TDR was 100% successful at detecting activity for the Persistence, Privilege Escalation, Discovery and Lateral Movement techniques, underscoring Secureworks’ ability to detect attacks early in the kill chain.
It is a fine balance between alerting on everything versus alerting on key actions to keep responders focused on what really matters. We think our unique combination of technology and expertise got it right. During the evaluation, our platform and countermeasures detected the adversary rapidly and accurately in the first stages of each attack, and we continued to detect the adversary at key stages throughout. You can read our announcement of the results here.
When Secureworks developed Red Cloak, we integrated the MITRE ATT&CK Framework into the application, and then we built a user chat interface so customers could work side by side with expert analysts using the common language of ATT&CK. It is this combination of software, expertise and operational experience, not a single silver bullet, that helps organizations quickly detect, respond to and remediate advanced threats.
As we continue to analyze the full results of the evaluation, we’ll release more tactical guidance for executing against the Framework based on what we learned about detecting and responding to threats like Iron Hemlock, also known as APT29. Look for that additional guidance in a blog and webcast in coming weeks. Better yet, look for us to continue improving and innovating to protect our customers around the globe.