
Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise

MITRE ATT&CK® Evaluations help organizations better understand how effectively EDR and XDR solutions can protect against sophisticated, multi-stage attacks. In the Enterprise 2024 evaluation, Sophos XDR achieved:

  • Highest possible ('Technique') ratings for 100% of adversary activities in the Windows and Linux ransomware attack scenarios
  • Highest possible ('Technique') ratings for 78 out of 80 total adversary activities across all three comprehensive scenarios

2024 MITRE ATT&CK® Evaluations: Enterprise (Round 6)

MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. They emulate the tactics, techniques, and procedures (TTPs) leveraged by real-world adversarial groups and evaluate each participating vendor’s ability to detect, analyze, and describe threats, with output aligned to the language and structure of the MITRE ATT&CK® Framework.

Round 6 focused on behaviors inspired by three known threat groups:

  • Democratic People's Republic of Korea (DPRK)

The evaluation emulated DPRK’s adversary behaviors targeting macOS via multi-stage operations, including elevating privileges and credential theft.

  • Ransomware (CL0P and LockBit)

The evaluation emulated behaviors prevalent across campaigns using CL0P and LockBit ransomware, including abusing legitimate tools and disabling critical services.

Evaluation results

Sophos achieved full ‘technique’ level coverage — the highest possible rating — for 78 out of 80 adversary activities (sub-steps) across three comprehensive attack scenarios.


Interpreting the ATT&CK Evaluations results

Understand the ratings and categorizations in this Enterprise round.

Detection quality is critical for providing security analysts with the information to investigate and respond quickly and efficiently. This chart compares the number of sub-steps that generated a detection providing rich detail on the adversarial behaviors (analytic coverage) and the number of sub-steps that achieved full 'technique' level coverage, for each participating vendor.
MITRE scattergraph
MITRE does not rank or rate participants of ATT&CK Evaluations.

Evaluation attack scenarios

The evaluation comprised 80 adversary events (sub-steps) across three attack scenarios.

Attack scenario 1: DPRK (macOS)

North Korea has emerged as a formidable cyber threat, and by expanding its focus to macOS, it has gained the ability to target and infiltrate additional high-value systems. In this attack scenario, the MITRE team used a backdoor from a supply chain attack, followed by persistence, discovery, and credential access, resulting in the collection and exfiltration of system information and macOS keychain files.

  • 4 steps | 21 sub-steps | macOS only
  • Sophos XDR detected and provided rich ‘analytic’ coverage for 20 out of 21 (95%¹) sub-steps in this scenario
  • 19 sub-steps were assigned ‘technique’ level categorization — the highest possible rating

Attack scenario 2: CL0P Ransomware (Windows)

Active since at least 2019, CL0P is a ransomware family affiliated with the TA505 cyber-criminal threat actor (also known as Snakefly) and is widely believed to be operated by Russian-speaking groups. In this attack scenario, the MITRE team used evasion techniques, persistence, and an in-memory payload to perform discovery and exfiltration before executing ransomware.

  • 4 steps | 19 sub-steps | Windows only
  • Sophos XDR detected and provided full ‘technique’ level coverage of 100% of sub-steps

Attack scenario 3: LockBit Ransomware (Windows and Linux)

Operating on a Ransomware-as-a-Service (RaaS) basis, LockBit is a notorious ransomware variant that has gained infamy for its sophisticated tools, extortion methods, and high-severity attacks. In this attack scenario, the MITRE team gained access using compromised credentials, ultimately deploying an exfiltration tool and ransomware to stop virtual machines and exfiltrate and encrypt files.

  • 8 steps | 40 sub-steps | Windows and Linux
  • Sophos XDR detected and provided full ‘technique’ level coverage of 100% of sub-steps

¹ Sophos XDR generated alerts for all 80 adversary activities (sub-steps) in the evaluation and achieved an ‘analytic coverage’ rating for 79 out of 80 sub-steps. The alert generated for one sub-step in the DPRK (macOS) attack scenario did not rise to an ‘analytic coverage’ detection level based on MITRE's detection category definitions.

Why we participate in MITRE ATT&CK® Evaluations

MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. Sophos is committed to participating in these evaluations alongside some of the best security vendors in the industry. As a community, we are united against a common enemy. These evaluations help make us better, individually and collectively, for the benefit of the organizations we defend.


19 EDR/XDR security vendors participated in the 2024 Enterprise evaluation:


Consistent strong performance

Sophos participates in ATT&CK® Evaluations for both Enterprise solutions and Managed Services, consistently achieving impressive results that validate our position as an industry-leading cybersecurity vendor.


Get started with Sophos XDR

See how Sophos can streamline your detection and response and drive superior outcomes for your organization.