Frank Duff, principal cyber operations engineer at Mitre, told Federal News Network in an interview published Friday about the nonprofit corporation’s evaluation of cybersecurity offerings from 21 vendors against cyber threat group APT29.
Mitre assessed the cyber platforms using its ATT&CK knowledge base to emulate the techniques used by APT29, which is believed to be related to the Russian government and involved in the Democratic National Committee compromise.
The vendors submitted endpoint detect and respond systems or endpoint protection platforms for evaluation and Duff said those technologies “would focus on detecting the threat once they’re in.”
Duff explained how those software offerings operate in an individual’s machine and discussed PowerShell logging and Mitre’s observations in those products. PowerShell is a default administrative tool on Windows operating systems and enables users to perform certain types of scripting.
“And it was very good to see that these products were for the majority had visibility in district lock logging, understanding what was in the contents of the script that PowerShell was executing, so that you could extract the behaviors from that and leverage it,” he said.
Duff also shared his insights on the 21 cyber platforms evaluated by Mitre. “These types of products are, from my standpoint, necessary to understand what the adversary is doing to minimize their time with once they get in, how long they’re on your network, the amount of damage that they’re doing all these products, I think what you can say about them is they’re going through this process, our evaluation is threatened formed,” he said. “And so they’re trying to improve themselves based on the real threat."