Skip to main content
Microsoft Security

Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation

In MITRE Engenuity’s recent Carbanak+FIN7 ATT&CK Evaluation, Microsoft demonstrated that we can stop advanced, real-world attacks by threat actor groups with our industry-leading security capabilities.

In this year’s evaluation, we engaged our unified Microsoft 365 Defender stack, with market-leading capabilities in Microsoft Defender for Endpoint and Microsoft Defender for Identity collaborating to provide:

Coordinated detection and visibility across Microsoft 365 Defender combined with automation, prioritization, and prevention were key to stopping these advanced attacks.

It’s important to note that Microsoft operated in the ATT&CK Evaluation exactly as it does in customer environments: with out-of-the-box protection and detection delivered by automated AI and behavioral algorithms. No special “aggressive mode” was needed, nor were there any performance gaps. And while detection performance is what’s mainly measured by the evaluation, it’s equally important to see how attack activities—including alerts, techniques, and impacted assets—were correlated together into a coherent end-to-end attack story. For security teams, the user experience matters since it’s critical for the SOC analyst to have the ability to investigate and respond to such attacks effectively.

Best protection means threats are prevented from affecting your assets

This year’s MITRE Engenuity Carbanak+FIN7 Evaluation offered a new benchmark: measuring whether participants are able to prevent an advanced attack. We believe empowered protection is more than attack awareness; preventing attacks is critical to successfully securing the enterprise.

While many vendors chose not to participate in the MITRE Engenuity protection evaluation, Microsoft was positioned at the top of protection test capabilities, as shown in the diagram below, by blocking the attack simulation at the earliest stage on every test. Microsoft Defender for Endpoint blocked and alerted precisely where the simulated attack could have been completely prevented, offering a clear alert story of the prevented attack.

Number of tests in which the vendor blocked the attack at earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test.

Figure 1: Number of tests in which the vendor blocked the attack at the earliest stage possible. Microsoft successfully blocked at the earliest possible point on six protection tests, more than any other vendor participating in the test. 

Microsoft delivers top-level cross-platform protection and detection

Microsoft Defender for Endpoint provides out-of-the-box full visibility, protection, and detection across a wide variety of platforms, including macOS, multiple Linux flavors, Android, and iOS.

This year, MITRE Engenuity emphasized the importance of cross-platform protection by including an attack on a Linux file server, including advanced techniques such as system discovery, data collection, and lateral movement across Windows and Linux using remote service or pass-the-hash. A protection test was also simulated for the Linux platform.

Microsoft earned the best coverage results in all attack steps on Linux. As the diagram below shows, Microsoft Defender for Endpoint detected 100 percent of the simulated Linux attack techniques. In the protection test, it blocked the attack at the first stage of execution, making Microsoft one of the four top vendors for Linux protection and detection.

Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the attack at the earliest stage are represented in light blue.

Figure 2: Emulation steps executed on Linux. Each column represents the number of techniques detected by the vendor. The vendors that blocked the attack at the earliest stage are represented in light blue.

An incident-based approach enables real-time threat prioritization and remediation

In the detection test, where protection was intentionally turned off, Microsoft demonstrated exceptional depth of coverage and visibility across all the 20 tested attack stages and across different platforms. Microsoft provided coverage for 87 percent of the techniques tested, representing end-to-end detection across the attack chain, including the most advanced steps.

Emulation steps executed on Linux. The number of techniques detected by vendor in blue, and ability of vendor to block the attack at the earliest stage in green.

Figure 3: Total detection counts across vendors, showing leading detection coverage from Microsoft. Microsoft also correlated all the alerts into two incidents (representing distinct attacks), reducing alert queue noise and ensuring a more efficient and effective investigation of the attack. 

We know the pain of security teams who must deal with alert load and queue fatigue, so Microsoft Defender for Endpoint uses its deep understanding of attack patterns and progression to correlate alerts, telemetry, and impacted assets and group them into a smaller set of comprehensive incidents. In this evaluation, this correlation resulted in two incidents, one for each attack simulation, reducing the queue to just two work items to investigate. Incidents enable SOC analysts to review the entire scope of the attack, including all alerts, blocking actions, and all supporting evidence, in a single consolidated view.

Microsoft 365 security center showing an incident view for one of the two simulated MITRE attacks

Figure 4: Microsoft 365 security center showing an incident view for one of the two simulated MITRE Engenuity attacks, including all correlated alerts, detections, affected assets, and supporting evidence

Each incident provides a summary of impacted devices and users to help analysts triage and prioritize at a glance. Details of alerted attack stages and related activities are mapped to MITRE ATT&CK tactics and techniques, summarizing in common language “what was done” (techniques) and “why it was done” (tactics), along with all collected evidence. Incidents provide full visibility into telemetry, down to process execution sequences for each stage of the simulated attack scenarios, including initial access, deployment of tools, discovery, persistence, credential access, lateral movement, and exfiltration.

Microsoft delivered 100% technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 5: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the first day (Carbanak). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Microsoft delivered 100% technique/tactic coverage of evaluation steps executed by MITRE Engenuity on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Figure 6: Microsoft delivered 100 percent technique/tactic coverage of evaluation steps executed by MITRE on the second day (FIN7). This diagram describes the purpose of the simulation steps and indicates Microsoft coverage for each.

Microsoft 365 security center showing a series of related endpoint alerts

Figure 7: Microsoft 365 security center showing a series of related endpoint alerts, demonstrating how Microsoft successfully correlated alerts together across the attack stages and exposed detailed data on each attack step. 

Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious schedule task

Figure 8: Microsoft 365 security center showing details of one of the endpoint alerts: a suspicious schedule task. This view offers analysts in-context expanded views of task name, technique, and the process involved, in this case, a renamed wscript.exe. 

Microsoft recently expanded the use of MITRE ATT&CK tactics and techniques across its security portfolio, including alerted execution sequences and detailed device timelines, transforming telemetry into logical attacker activities mapped to MITRE ATT&CK techniques. This further improves the investigation and hunting experience for defenders, helping to tell the story of the attack, provide rich context, and drive the response process.

Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers

Figure 9: Microsoft 365 security center showing detailed device timeline, exposing events as well as a technique for credential access to enumerate credentials from web browsers. 

Microsoft Defender Security Center showing second day attack incident page, Evidence tab

Figure 10: Microsoft Defender Security Center showing the second day attack incident page, Evidence tab. SOC analysts can use this view to see and take one-click remedial actions on all the files, processes, IPS, and URLs involved in the attack

Unique cross-domain visibility is critical to defending against modern attacks.

The powerful capabilities of Microsoft 365 Defender originate from combining unique signals across endpoints, identity, email and data, and cloud apps. This combination of proficiencies delivers coverage where other solutions may lack visibility.

Lateral movement is a key stage in any advanced attack, where the attacker moves from asset to asset with the goal of gaining access to specific valuable information or to as many assets as possible for maximum damage. Identifying and tracking lateral movement is a critical phase in investigating attacks, establishing the scope, and removing the threat. The following are three examples of lateral movement simulated in this evaluation that were detected and exposed by Microsoft using signals from the different workloads, delivering full coverage on different aspects:

Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

Figure 11: Microsoft 365 Defender alert based on correlated signals using AI across identity and endpoint activity

Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

Figure 12: Microsoft Defender for Identity alert on lateral movement by a compromised identity via remote service execution

Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Figure 13: Microsoft 365 security center showing alert on system discovery using WMI. Activity detected by analyzing AMSI content from PowerShell

Real-life protection delivered, as-is, out of the box

Microsoft believes protection must be provided out of the box as automated AI-driven expert systems built into our security product portfolio. Our products should require minimal to no manual custom tuning or configuration to detect and protect, and they must be optimized to reduce false alerts, which are the main cause of friction and fatigue.

We brought to the MITRE Engenuity simulation environment the exact same product that customers deploy to their production environments with no special or aggressive test-optimized settings that may affect performance or degrade real user productivity. The same level of alert coverage, accuracy (not measured by MITRE Engenuity in the test), visibility, and investigation experience is reflected in production deployments as it was in the test.

A final word

As mentioned in our initial blog on the MITRE Engenuity FIN7+Carbanak Evaluation, we are excited to collaborate and contribute to the evolution of this evaluation from one year to the next. It’s an opportunity for us to test the efficacy of our solutions and contribute to the security community as a whole. This is only one part of the greater collaboration and contribution efforts that Microsoft is focused on in the industry to strengthen defenses and respond to attacks. As we have seen in recent months, with attacks becoming more coordinated and sophisticated, community collaboration and sharing such as this can help us all take the steps needed for a safer world. We again thank MITRE Engenuity for this opportunity and very much look forward to our continued partnership and the next evaluation.

Learn more about Microsoft 365 Defender and Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. Take advantage of Microsoft’s unrivaled threat optics and proven capabilities. Learn more about Microsoft 365 Defender or Microsoft Defender for Endpoint, and sign up for a trial today.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.