MITRE ATT&CK evaluations

MITRE tested our solutions in the APT29 evaluation. We explain what the test is, why and how it’s conducted, and what the results mean.

MITRE is not just a company that compares security solutions. It is a nonprofit organization whose mission is to create a safer world. Anyone at all familiar with the world of cybersecurity will be aware that it is known primarily for its database of Common Vulnerabilities and Exposures (CVE). Some time ago, the organization went a step further and created the MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) threat matrix.


In essence, MITRE ATT&CK is an open knowledge base comprising the techniques used in various actors’ targeted attacks. The data is presented in matrix form, providing an overview of how attackers penetrate and gain a foothold in corporate infrastructure, the tricks they use to stay undetected, and so on. It’s an enterprise-level threat matrix, but MITRE is also working on matrices covering the tactics cybercriminals use for cyberattacks on mobile devices and industrial control systems.

However, MITRE ATT&CK is not solely about collecting information for the sake of knowledge. It is intended to simplify building threat models for various industries and, more importantly, can be used to determine which known threats a specific solution or combination of solutions can detect. In theory, it goes as follows: a company in search of a solution to protect its infrastructure matches the capabilities of each candidate against the ATT&CK matrix and sees which threats remain uncovered. It’s a bit like a game of bingo. In practice, to understand which threats a particular security product identifies, MITRE conducts tests known as ATT&CK evaluations.

ATT&CK evaluations and how they work

MITRE researchers pick a known APT actor and, over a period of several days, emulate its attacks in a test environment running the solution they’re assessing — but they don’t run identical replications of past attacks, of course. Instead, they modify individual attack tools to find out how the solution detects various adversarial techniques during the phases of an attack. Response mechanisms are disabled during the evaluation (otherwise some phases would be impossible to test).

The current round of the test is called the APT29 Evaluation. In this evaluation, the researchers emulate the efforts of the APT29 group, also known as CozyDuke, Cozy Bear, and The Dukes. Here is a detailed article about ATT&CK evaluations.

Products tested, and the results

The latest round tested our Kaspersky Endpoint Detection and Response solution and Kaspersky Managed Protection service. You can read about the specific settings in this article.

Our solution demonstrated a high level of key technique detection at crucial stages of modern targeted attacks — in particular, in the Execution, Persistence, Privilege Escalation, and Lateral Movement phases. For detailed evaluation results and other ATT&CK-related materials, see the MITRE ATT&CK area of our corporate website.