Rapid7, Inc., a global provider of security analytics and automation, has announced the results of its completed 2022 MITRE Engenuity ATT&CK Evaluation of Rapid7 InsightIDR and the Insight Agent. This round of independent ATT&CK Evaluations for enterprise cyber security solutions emulated the Wizard Spider and Sandworm threat groups.
Rapid7’s InsightIDR and Insight Agent demonstrated strong signal-to-noise across the attack chain during these simulations.
InsightIDR
InsightIDR is Rapid7’s industry-renowned cloud SIEM and Extended Detection and Response (XDR) offering, and the included Insight Agent provides coverage across assets - in the Coud or on-premises, and powers InsightIDR’s endpoint detection and response (EDR) capabilities. The MITRE ATT&CK evaluation results showcase high-fidelity detections unlocked with InsightIDR and the Insight Agent.
InsightIDR demonstrated consistent ability to detect threats early in the cyber kill-chain
InsightIDR demonstrated consistent ability to detect threats early in the cyber kill-chain, strong signal-to-noise, and solid visibility across the ATT&CK Framework, identifying telemetry, tactics, or techniques across 18 of the 19 phases presented in the attack simulations.
Native telemetry and high-fidelity detections
The detections in this evaluation represent a small segment of the InsightIDR detections library, which provides native telemetry and high-fidelity detections across networks, users, and clouds, in addition to endpoints - all vetted in the field by Rapid7’s managed detection and response (MDR) security operations centre analysts, in order to ensure relevancy and actionability for InsightIDR customers.
MITRE ATT&CK Evaluations prioritise threats that offer unique impact to businesses and governments worldwide. Through the lens of the ATT&CK knowledge base, the 2022 MITRE ATT&CK evaluations focused on two threat actors: Wizard Spider and Sandworm.
Wizard Spider
Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organisations, ranging from major corporations to hospitals. Sandworm is a destructive Russian threat group that is known for carrying out notable cyber-attacks, such as the 2015 and 2016 targeting of Ukrainian electrical companies, and NotPetya attacks in 2017.
MITRE chose Wizard Spider and Sandworm threat actors, based on their complexity, relevancy to the market, and MITRE Engenuity’s ability to emulate the adversary.
MITRE ATT&CK Evaluations
This MITRE ATT&CK evaluation demonstrates the high-fidelity detections that customers value with InsightIDR"
“This MITRE ATT&CK evaluation demonstrates the high-fidelity detections that customers value with InsightIDR,” said Sam Adams, the Vice President of Detection and Response at Rapid7, Inc.
Sam Adams adds, “From our own MDR service, we understand first-hand the importance of having a comprehensive, relevant, and reliable detection set that customers can trust. InsightIDR’s native EDR capabilities highlighted in this evaluation are just one example of how we help customers get there.”
“This latest round indicates significant product growth from our vendor participants. We are seeing greater emphasis in threat-informed defence capabilities, which in turn has developed the infosec community’s emphasis on prioritising the ATT&CK Framework,” said Ashwin Radhakrishnan, the Acting General Manager of ATT&CK Evaluations, at MITRE Engenuity.
New era of detection and response solutions
Rapid7 believes an open security community, data-sharing projects, research, and testing are fundamental to driving continuous improvement. All of these helped InsightIDR and the Insight Agent that powers its EDR capabilities - evolve into a major cloud-based SIEM, and is now ushering in the next era of detection and response with XDR.
With InsightIDR’s endpoint capabilities security professionals can:
- Unlock real-time monitoring for both on-premises and remote endpoints, and a vast library of critical attacker behavior and endpoint detections—all mapped in detail to the MITRE ATT&CK framework,
- Bait attackers and address areas of exposure with honey credentials deployed by the agent, helping identify intruders on- or off-network,
- Access enhanced endpoint telemetry—for custom detection, investigations, threat hunting, and
- Achieve faster mean-time-to-respond (MTTR) with automated containment leveraging the Insight Agent with InsightIDR and its security orchestration, automation and response (SOAR) capabilities.
‘Data Encrypted For Impact’ technique
The Evals team chose to emulate two threat groups that abuse the ‘Data Encrypted For Impact’ (T1486) technique. In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446).
Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368) that disguised itself as ransomware. While the common thread to this year’s evaluations is ‘Data Encrypted for Impact,’ both groups have substantial reporting on a broad range of post-exploitation tradecraft.
- Network / IP
- Electronic security systems
- Office security systems
- Office security
- Application security
- Physical security
- Commercial security
- Perimeter security
- Security management
- Security devices
- Security installation
- Security access systems
- Asset tracking
- Electronic access control
- Identity management
- Building security
- Facility security
- Security training
- Door access control
- Security software
- Security service
- Green security
- Physical Security Information Management (PSIM)
- IP security solutions
- Security communication
- Testing & Approvals
- Integration software
- Perimeter protection
- Research & Testing
- Cyber security
- Mobile communications
- Internet of Things (IoT)
- Corporate Security
- Data Security
- Incident Management
- Security Assessments
- Cloud security
- Artificial intelligence (AI)
- Mobile access
- Machine Learning
- Touchless Security
