MITRE released its newest Enterprise MITRE ATT&CK Evaluations in December of 2024. At the time, we published a blog with a quick overview of the results. Today, we're excited to announce that we've released three new pieces of research about this round of evaluations:
Analysis Of The 2024 MITRE Engenuity ATT&CK Evaluation — an overview of this round's evaluations with an explanation of the changes in methodology and an interpretation of the results.
2024 MITRE Engenuity ATT&CK Enterprise Evaluation Results — a report that visualizes some key data from the evaluation.
The 2024 MITRE Engenuity ATT&CK Enterprise Evaluation Cost Calculation Tool — a tool to help calculate the costs of using each of the vendor technologies in the evaluation to detect the attacks included in the evaluation.
These reports break down the results, give insights into how to interpret them, and offer ways to quantify the impact of using these tools. If you'd like a tl;dr version, this blog covers a few things we learned from this evaluation data.
True correlation remains elusive, if not nonexistent.
The alert volume generated by some of the participating vendors is ridiculous. A few of the vendors were able to reduce the number of alerts per attack to single digits while still providing full visibility into the attack. This is excellent but was extremely rare in this evaluation.
Most vendors surfaced a detection every single time they identified a step as potentially malicious, including those that weren't correlated into an incident. This inflated their alert volume numbers significantly, requiring a lot of manual effort to correlate.
High alert volumes will create misery for incident responders.
While MITRE is not evaluating user experience — and, to be quite honest, can't be expected to — we at Forrester do evaluate vendors on their user experience, among other features. Some vendors triggered thousands of alerts during this evaluation, with one vendor triggering over one million alerts. Surfacing so many alerts for just three scenarios is ridiculous. Even if you only consider the high- and critical-severity alerts, the numbers still don't add up. Individual vendor results range from one vendor with over 5,000 high- and critical-severity alerts to other vendors that had under 10.
The real cost of excess alerting comes down to dollars and cents.
Let's assume that your organization is bringing relevant alerts into the security information and event management (SIEM) platform for additional correlation. Every alert generated by these tools is an added cost (as if the user experience costs weren't enough). For example, say that the cost to ingest and store in the SIEM per GB is $0.30 and that the average endpoint alert is 1 KB. If 10,000 endpoints are hit with LockBit, the cost to bring these alerts into the SIEM ranges from $0.006 with some vendors to $471.192 with others. That's the cost for just one attack. Consider this cost when you're evaluating tools or trying to reduce your SIEM budget. Our research includes a tool for calculating this cost.
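The arithmetic behind that cost range, as an added example that is not Forrester's Cost Calculation Tool and not part of the original post. It assumes decimal units (1 GB = 1,000,000 KB), which is the convention that reproduces the $471.192 figure from the page's stated $0.30/GB and 1 KB per alert. The alert counts it works back to (2 and 157,064 alerts per endpoint at the low and high end) are derived here from the page's dollar figures under that assumption; the page itself does not state them.

```python
# Added example: a small SIEM ingestion cost model for EDR alert volume.
# Not the Forrester tool. Assumption: decimal GB (1 GB = 1,000,000 KB), a flat
# per-GB ingest-and-storage price, and a flat average alert size.

from dataclasses import dataclass

KB_PER_GB = 1_000_000  # assumption: decimal units; this reproduces the page's numbers


@dataclass(frozen=True)
class SiemPricing:
    """Per-GB ingest+storage price and average alert size (page's example: $0.30/GB, 1 KB)."""
    price_per_gb: float = 0.30
    alert_size_kb: float = 1.0


def ingest_cost(alerts_per_endpoint: float, endpoints: int,
                pricing: SiemPricing = SiemPricing()) -> float:
    """Dollars to bring every alert from one attack across `endpoints` hosts into the SIEM."""
    total_kb = alerts_per_endpoint * endpoints * pricing.alert_size_kb
    return total_kb / KB_PER_GB * pricing.price_per_gb


def alerts_per_endpoint_for_cost(cost: float, endpoints: int,
                                 pricing: SiemPricing = SiemPricing()) -> float:
    """Inverse of ingest_cost: the per-endpoint alert count a given SIEM bill implies."""
    total_kb = cost / pricing.price_per_gb * KB_PER_GB
    return total_kb / (endpoints * pricing.alert_size_kb)


def rank_vendors(alerts_per_endpoint_by_vendor: dict, endpoints: int,
                 pricing: SiemPricing = SiemPricing()) -> list:
    """Return (vendor, cost) pairs sorted from cheapest to most expensive to ingest."""
    costs = {v: ingest_cost(n, endpoints, pricing)
             for v, n in alerts_per_endpoint_by_vendor.items()}
    return sorted(costs.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    # Constructed sample: per-endpoint alert counts for three hypothetical vendors.
    # The low and high values are back-calculated from the page's $0.006 / $471.192 range.
    sample = {"vendor-A": 2, "vendor-B": 150, "vendor-C": 157_064}
    for vendor, cost in rank_vendors(sample, endpoints=10_000):
        print(f"{vendor}: ${cost:,.3f} per attack across 10,000 endpoints")
    print("alerts/endpoint implied by $471.192:",
          alerts_per_endpoint_for_cost(471.192, 10_000))
```

The inverse function is the useful direction when all you have is a vendor's bill: divide out the price and alert size to see how many alerts per host the tool is really generating, then ask whether that volume is something responders can actually triage.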
Dive deeper.
Forrester clients who want deeper guidance about the evaluation and the vendors included can book an inquiry or guidance session with me.