IBM Security QRadar takes on Turla in latest MITRE Engenuity ATT&CK Evaluations

By Albert Puah posted Wed September 20, 2023 09:00 AM

[Figure: IBM Security MITRE ATT&CK participation]
For the fourth year in a row, IBM Security QRadar EDR, formerly known as ReaQta, participated in MITRE Engenuity's ATT&CK Evaluations.
The annual MITRE Engenuity ATT&CK® Evaluations bring together top cybersecurity solution providers with MITRE experts to evaluate leading technology capabilities. Each evaluation follows a systematic methodology using a threat-informed purple teaming approach to capture critical context around a solution’s ability to detect or protect against known adversary behavior as defined by the ATT&CK knowledge base. Unlike some participants, IBM Security tested its out-of-the-box, real-time capabilities for QRadar EDR without modifying detection strategies during the testing process. Once again, QRadar EDR autonomously detected all critical events without configuration changes or delays.
For this year’s Evaluations, MITRE focused on adversary behavior informed by Turla, a known Russia-based threat group. Turla has been active since at least the early 2000s and has infected victims in 50+ countries. The group adopts novel and sophisticated techniques to maintain operational security, including the use of a distinctive command-and-control network in concert with their repertoire of using open source and in-house tools. Turla is known for their targeted intrusions and innovative stealth.
About the Testing Environment
[Figure: Turla MITRE ATT&CK evaluation environment on Azure]
In contrast to MITRE Round 4 (Wizard Spider & Sandworm), the Turla evaluation included both Linux and the Protections scenario. As part of IBM Security's commitment to evaluating behavioral technology out-of-the-box, we intentionally disabled the anti-malware (EPP) module and Hive Cloud (Cloud AV), and did not incorporate other add-on components.
Autonomous detection across all critical events
In this year's evaluation, QRadar EDR achieved 100% visibility across all evaluated stages of the MITRE ATT&CK framework, focusing on what matters most. QRadar EDR autonomously reported and defined critical activity, and provided high-fidelity alerts with meaningful and actionable information. While the testing methodology included an expanded set of detections across the MITRE ATT&CK framework, it's important to remember that not all ATT&CK techniques carry the same importance.
[Figure: IBM Security 100% visibility across all evaluated stages of the MITRE ATT&CK framework]
By design, QRadar EDR does not collect the low-fidelity events that are evaluated as part of the techniques it did not report. While other EDR solutions may rely on API hooking, which is visible to and easy to circumvent by attackers, QRadar EDR relies on other data sources at different OS layers for its detections. This allows it to collect only the information that is essential for the analyst to make a difference in investigation and response outcomes.
[Figure: QRadar EDR behavioral tree storyline of the Turla evaluation]
Bottom line - we catch what matters. Collecting more doesn’t equate to being better. It simply means analysts have more noise (false positives) to investigate. More data also means increased storage, which translates to higher costs of data retention.
Attackers don’t wait for configuration changes

It’s important to note that QRadar EDR achieved 100% of its detections with out-of-the-box configurations. Configuration changes help vendors adjust their detections as the attack progresses. Twenty-three of the 30 participating vendors had to tweak their product ‘antennas’ multiple times before being able to detect alerts, using learnings from Day 1 and Day 2 to accurately detect the threat on Day 3.

In real life, configuration changes are usually unrealistic and reflect hidden resource costs of ownership. The more configurations a solution requires, the more an organization has to invest in its management. Attackers do not give defenders a second chance to tweak their detections.

[Figure: MITRE ATT&CK Turla configuration changes]
All detections were made in real time
Using QRadar EDR's behavioral analysis capabilities, all detections were entirely real-time. Each step of the attack was tracked as it happened, rather than waiting for external components to run analyses, which minimizes the risk of losing important events.
Almost half of the participating vendors had delayed detections. This matters because, as attackers innovate, automation allows them to move extremely quickly within networks. Immediate identification and automated response draw the line between a fully compromised infrastructure and an unsuccessful breach. Detecting threats in real time reduces the overall Mean Time to Detect and Respond, thereby mitigating the actual risk of a cyber breach, saving time, and reducing costs.
[Figure: MITRE ATT&CK Turla delayed detections, and configuration changes plus delayed detections]
Testing the protections
With the anti-malware (EPP) module, Hive Cloud (Cloud AV) and other add-on components disabled, the malware samples were allowed to execute and exhibit malicious behaviors post-execution. This allowed QRadar EDR to track their behavior and kill the application once it was identified as malicious, so that protection follows the same pattern as detection and is more resilient to changes in the malware code. QRadar EDR blocked both scenarios as soon as the malicious files were executed, thereby protecting against any possible threats thereafter. This result was achieved leveraging only the behavioral detection and response components, such as the EDR and the Destra (Detection Strategy) capabilities. QRadar EDR customers can also craft their own logic and customized response activities, so the product can be tailored to meet organizational requirements.
Thanks to MITRE Engenuity for another opportunity to showcase QRadar EDR’s out-of-the-box capabilities. We invite you to learn more about QRadar EDR to see how it leverages automation and AI to detect and remediate threats in near real-time.