Published on May 11, 2021

MITRE ATT&CK Carbanak+FIN7 Evaluation: ReaQta-Hive Achieves 100% Detection Coverage across the Cyber Kill Chain Autonomously and in Real-Time

For the 2020 MITRE Engenuity evaluations, MITRE chose to evaluate two well-known threat actors: Carbanak and FIN7. While last year’s evaluation, covering APT29, was focused on governmental espionage, this last round was focused on financially-motivated threat actors and it included, for the first time, testing on both Windows and Linux endpoints.

Both threat groups are known for their tradecraft, efficiency and stealth as well as deploying many advanced techniques to exfiltrate valuable data from their victims. 

Banks were the main target for Carbanak, while FIN7 mostly targets the US retail, restaurant and hospitality sector. 

Two sophisticated adversary emulations were set up and executed to test the defenders’ capabilities to identify and track them. Like the previous APT29 edition, ReaQta-Hive displayed its Best-in-Class capabilities and delivered impressive results.

ReaQta’s achievements, on both Windows and Linux, in this year’s evaluation include:

  • 100% detection coverage across the entire cyber kill chain.
  • No configuration changes during the entire evaluation.
  • 100% real-time detections with no delayed detections.

The results demonstrate ReaQta-Hive’s capabilities of providing complete coverage of sophisticated attacks, without human intervention, while producing the minimum amount of high-fidelity alerts with no false positives.

As happened during Round 2 of MITRE evaluation, our NanoOS™, the live hypervisor used to detect high-level malicious behaviours, could not be used due to restrictions in the testing environment. Nonetheless, the platform performed extremely well, even without its core component.


100% detection coverage across the cyber kill chain

In both the Carbanak and FIN7 scenarios, ReaQta-Hive was able to autonomously detect 100% of the activities across the cyber kill chain and provided high-fidelity alerts with meaningful and actionable information to the user, while clearly defining next steps.

Why is this important? 

Our customers prefer fewer, highly consolidated alerts to many less informative ones. This approach consistently reduces manual workload and provides a clear picture of the events that are unfolding, with no need to chase the attackers across hundreds or even thousands of separate security events.

100% fully-autonomous detections

Only a few vendors managed to obtain a 100% detection rate across the entire cyber kill chain without configuration changes. ReaQta was one of them. Configuration changes help vendors adjust their detections as the attack progresses. However, in real-life scenarios, a configuration change is usually unrealistic, as attackers do not give defenders a second chance to tweak their detections before moving to the next step. At ReaQta, to ensure a fair evaluation of our detection capabilities, we deliberately decided not to alter the initial configuration of our platform.

Why is this important?

Configuration changes assume prior knowledge of an attack, which is not the case in most scenarios. If a platform requires several configuration changes to operate at peak efficiency – or even just to detect an active threat – its autonomous detection capabilities are inevitably impaired, and so is its ability to respond in real-time.

100% of detections done in real-time without delays

All ReaQta-Hive detections were entirely real-time, placing ReaQta among the very few vendors capable of doing this. The behavioural analysis engines at the core of ReaQta-Hive made this possible, ensuring that each step of the attack was tracked as it happened, minimizing the risk of losing important events while waiting for external components to run their analyses.

Why is this important? 

As attackers innovate, more and more steps are becoming automated. Automation allows attackers to move extremely fast within a network: operations that used to take minutes or hours just a few years ago are now happening in a matter of seconds. An immediate identification and automated response draws the line between a fully compromised infrastructure and an unsuccessful breach.


Delivering Security without complexity

ReaQta’s active defense intelligence platform, ReaQta-Hive, aims to address the increasing number of businesses falling victim to malicious activity by cyber criminals and nation-state actors. While traditional protection methods fight known threats and remain vulnerable to sophisticated attack techniques, ReaQta’s platform stops known and unknown threats in real-time. Through deep learning, the platform constantly refines its definition of normal behavior, tailored to each business and each endpoint, allowing it to block abnormal behavior.

Additionally, traditional solutions require internal or external cybersecurity teams to act on any flagged threats. ReaQta’s platform not only detects threats, but also allows for a seamless and automated threat response in real-time. ReaQta was recently named a 2020 Cool Vendor by Gartner in Network and Endpoint Security for this unique approach in tackling cyber threats of all forms.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.