Why Protection Matters

It’s always been hard to understand the effectiveness of a security product beyond the ability to identify and block malicious executables.  It’s difficult to test. Never more so than now when targeted attackers rely so heavily of Living-off-the-Land style techniques.  That’s why, as we announced last month, Symantec decided to participate in the latest MITRE ATT&CK® Evaluation. This evaluation is about the ability to detect tactics and techniques.  And it’s important to remember that it is not a test.  It does not certify or grade.  But it can provide insights not just to detection but also protection.  And protection matters.  Good protection comes from detection, prevention and remediation as early as possible. We felt this evaluation would help customers understand where Symantec products stood in delivering protection.  We were right.

Seventeen years after introducing network protection technologies into our endpoint protection product we are still often called an “AV company”.  We thought that this test might show we offer much more than that.  We were right.

The results of the evaluation are now public.  We encourage you to take a close look. But we wanted to take this chance to highlight some of the protection capability the results highlight.  Sure, it’s a source of pride for us.  But what’s important is it shows the ability of our product to detect threats and prevent them from getting on a machine.   Preventing attacks upfront reduces the number of incidents for a SOC to respond to. There is clear benefit in reducing the load on the SOC and in reducing IR costs.  And while breach detection is important, breach prevention is the first priority.  Keeping a threat out is always better than discovering the threat inside your organization.  This is why protection is important.

This is in no way to say that it is not important to have effective tools for threat hunting and to find threats that have infiltrated an organization.  Our tools for this were also evaluated and we’ll dive into how we did there in a follow-up blog.

MITRE used its ATT&CK knowledge base to examine the ability to detect the tactics and techniques used by APT29, a group commonly believed to operate on behalf of the Russian government and responsible for the compromise of the Democratic National Committee in 2015.

APT29 is one of over two hundred targeted attack groups Symantec monitors.  Over the years we’ve created file-based detections for threats and their variants created by this group.  But that is reactive.  What’s possible with Symantec technologies like IPS and Behavior Analysis is that we can convert detections into policies that our products can use to prevent threats we have not seen.

Let’s drill down to some specific examples from the evaluation. As a reminder, ATT&CK Evaluation was an emulation of an advanced attacker for an environment with no prevention whatsoever. Any one of the examples below would have stopped the attacker, not allowing them to use this technique to infiltrate further.

Step 1.A.1 User Pam executed payload rcs.3aka3.doc

In this test a user has been tricked into opening a file pretending to be a doc file.  In the test Symantec’s SONAR technology recognized that this behavior was suspicious and alerted accordingly.  In real world usage the technology would not only have alerted but would have blocked the execution of the file.  No infection would have occurred.  

Step 14.A.2 Executed elevated PowerShell payload

In this test an attacker once established on the machine attempts to elevate their permissions, allowing them to run additional tools to dump credentials. Symantec’s SONAR technology recognized the elevation attempt and alerted accordingly.  In real world usage the technology would not only have alerted but would have blocked the elevation. 

Steps 1.A.3 and 3.B.3 Established C2 channels

In this test an attacker attempts to create a communication channel to outside the organization for receiving commands and exfiltrating data.  In real world usage the technology would not only have alerted but would have stopped the communications completely.  No further instructions would be received from the attacker, no data would be exfiltrated.

All this could be looked at as a worst-case scenario.  The MITRE ATT&CK Evaluation reports what products can detect and alert on.  At no point are things stopped. So an attack detected early in the attack chain while alerted on is not stopped from progressing through the organization.  It’s measuring all the spots in the attack chain you would be alerted about a potential threat.  This is valuable information.  But so is knowing if protection is possible at all these spots.  And in the real world it’s critical.  We’ve just shown three examples of protection.  There are a lot more in the full evaluation, available here.

We look forward to sharing more details with you in our next blog.