As hackers continue to use native programming tools to blend into target networks, Mitre Corp. is beginning to test vendors’ ability to detect those techniques.
The federally funded, not-for-profit organization announced Wednesday it would throw the stealthy tactics of an infamous hacking group, the Russian-government-linked APT29, at several threat-detection products.
But the evaluation is about more than one set of adversaries. The “living off the land” techniques, such as hiding in PowerShell scripts, that will be tested are increasingly popular with a variety of hacking groups.
“A lot of these techniques are going to be implemented in similar ways from different adversaries,” said Frank Duff, Mitre’s lead for evaluations that use the organization’s ATT&CK framework.
“PowerShell monitoring is that next thing that everyone recognizes is absolutely necessary,” he added.
Mitre’s last round of testing focused on advanced persistent threats, mimicking the tactics of APT3, a China-based group known for using internet-browser exploits. But the techniques of APT29, best known for being one of two Russian outfits to breach the Democratic National Committee before the 2016 U.S. election, will be a stiffer test, according to Duff.
“Because it’s a more sophisticated adversary, they do a lot more in terms of scripting, a lot more in terms of using built-in Windows [application programming interfaces],” he told CyberScoop. “Unless you have the right sensoring and the right ways of whittling ways through large amounts of noise, it’s going to be a harder thing for these vendors to succeed at.”
The first round of APT3 evaluations tested products made by vendors such as Carbon Black, CrowdStrike, Endgame, and Microsoft. Mitre is hoping for similarly robust participation this go-round.
Duff said the APT29 test will incorporate a range of data from the group’s activity. After a relative lull in activity, APT29 appeared to rear its head last fall in a spearphishing campaign against U.S. military and defense contractors.
Don’t expect the Mitre team to simulate tactics used by every APT group. Instead, evaluators are testing tactics employed by groups that offer valuable defensive lessons to the broader cybersecurity industry, according to Duff.
The inclusion of APT29 techniques in the testing, which will begin this summer, is meant to “really push the boundaries forward” for vendors, he said.