Tuesday, February 24, 2026

Sophos achieves its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation – Sophos News


MITRE ATT&CK® Evaluations are among the world’s most rigorous independent security tests. They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to evaluate each participating vendor’s ability to detect, analyze, and articulate threats in alignment with the MITRE ATT&CK® Framework. These evaluations continually strengthen our capabilities, for the benefit of the organizations we defend.

The results are in — drum roll, please!

MITRE has released the results of the latest ATT&CK® Evaluation for enterprise security solutions, assessing how participating EDR and XDR products, including Sophos XDR, detect and report the complex tactics of advanced threat groups.

We’re excited to share that we achieved our best-ever results in this evaluation round. Sophos’ consistently strong performance in these evaluations — year after year — continues to demonstrate the power and precision of our threat detection and response capabilities. In the Enterprise 2025 Evaluation, Sophos XDR:

  • Successfully detected all 16 attack steps and 90 sub-steps, demonstrating the power of our open AI-native platform to defend against sophisticated cyber threats.
  • 100% detection¹: Sophos detected and provided actionable threat detections for all adversary activities — zero misses.
  • Highest possible scores: Sophos generated full Technique-level detections for 86 of the 90 adversary activities evaluated.

Watch this short video for an overview of the evaluation, then read on for a closer look at the results:

Evaluation overview

This was the seventh round of the “Enterprise” ATT&CK Evaluation — MITRE’s product-focused assessment — designed to help organizations better understand how security operations solutions like Sophos EDR and Sophos XDR can help them defend against sophisticated, multi-stage attacks.

The evaluation focused on behaviors inspired by the following threat groups:

  • Scattered Spider: A financially motivated cybercriminal collective
    The MITRE team emulated this group’s use of social engineering to steal credentials, deploy remote access tools, and bypass multi-factor authentication — targeting cloud resources to establish footholds and access sensitive systems and data. The scenario included Windows and Linux devices and, for the first time, AWS cloud infrastructure.
  • Mustang Panda: People’s Republic of China (PRC) espionage group
    A PRC state-sponsored cyber espionage group known for using social engineering and legitimate tools to deploy custom malware. The MITRE team emulated its tactics and tools, reflecting behaviors commonly seen across the broader PRC cyber operations ecosystem.

Results in more detail

In this evaluation, MITRE executed two discrete attack scenarios — one for Scattered Spider and one for Mustang Panda — comprising a total of 16 steps and 90 sub-steps. Sophos delivered impressive results in both scenarios.

Attack scenario 1: Scattered Spider

Summary: A complex hybrid intrusion involving social engineering, cloud exploitation, identity abuse, and living-off-the-land techniques. The adversary uses spear phishing to steal credentials and gain remote access, then performs network discovery, accesses the victim’s AWS environment, evades defenses, and exfiltrates data to their own S3 bucket using native AWS tools.
This attack scenario comprised 7 steps with 62 sub-steps across Windows, Linux, and AWS.

  • 100% of sub-steps detected¹. Zero misses.
  • Actionable threat detections generated for every sub-step.
  • Highest possible Technique-level scores achieved for 61 out of 62 sub-steps.

Attack scenario 2: Mustang Panda

Summary: An evasive intrusion demonstrating the adversary’s use of social engineering, legitimate tools, persistence, and custom malware to evade detection. It begins with a phishing email carrying a malicious DOCX that provides access to a Windows workstation and connects to a C2 server. The attacker discovers key systems, exfiltrates data, and removes their tooling to cover their tracks.
This attack scenario comprised 9 steps with 28 sub-steps on Windows devices.

  • 100% of sub-steps detected¹. Zero misses.
  • Actionable threat detections generated for every sub-step.
  • Highest possible Technique-level scores achieved for 25 out of 28 sub-steps.

Learn more at sophos.com/mitre and explore the full results on the MITRE website.

What do the scores mean?

Each adversary activity (or “sub-step”) emulated during the evaluation is assigned one of the following scores by MITRE, reflecting the solution’s ability to detect, analyze, and describe the behavior using the language and structure of the MITRE ATT&CK® Framework:

  • Technique (Highest fidelity detection)
    The solution generated an alert that identifies the adversary activity at the ATT&CK Technique or Sub-Technique level. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, how, and why insights.
    • Sophos achieved this (highest possible) score for 86 out of 90 sub-steps.
  • Tactic (Partial detection with context)
    The solution generated an alert that identifies the adversary activity at the Tactic level but lacks Technique-level classification. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, and why insights.
    • Sophos received this score for 1 sub-step.
  • General
    The solution generated an alert that identifies the adversary activity as potentially suspicious or malicious. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, and where insights.
    • Sophos received this score for 3 sub-steps.
  • None (No detection, potential visibility)
    Execution of the adversary activity was successful; however, the solution did not generate an alert, failing to identify adversary activity as potentially suspicious or malicious.
    • Sophos did not receive this score for any sub-steps. Zero misses.
  • Not Assessed (N/A)
    The evaluation was not conducted due to technical limitations, environmental constraints, or platform exclusions.

Detections classified as General, Tactic, or Technique are grouped under the definition of analytic coverage, which measures the solution’s ability to convert telemetry into actionable threat detections.

Interpreting the results

There’s no single way to interpret the results of ATT&CK® Evaluations and MITRE does not rank or rate participants. The evaluations simply present what was observed — there are no “winners” or “leaders.”

Each vendor’s approach, tool design, and presentation of data differ, and your organization’s unique needs and workflows ultimately determine the best fit for your team.

Detection quality is critical to giving analysts the insight they need to investigate and respond quickly. One of the most valuable ways to interpret the results of ATT&CK® Evaluations is by reviewing the number of sub-steps that produced rich, detailed detections of adversary behavior (analytic coverage) alongside those that achieved the highest fidelity “Technique”-level coverage.

Once again, Sophos delivered an exceptional performance in this evaluation.

 

Sophos’ consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities — and our commitment to stopping the world’s most sophisticated cyberthreats.

When considering an EDR or extended detection and response (XDR) solution, remember to review the results from MITRE ATT&CK Evaluations alongside other reputable independent proof points, including verified customer reviews and analyst evaluations.

Recent recognitions for Sophos EDR and Sophos XDR include:


Get started with Sophos XDR today

Sophos’ consistently strong results in MITRE ATT&CK Evaluations help to validate our position as an industry-leading provider of endpoint detection and response (EDR) and extended detection and response (XDR) capabilities to over 45,000 organizations worldwide.

To see how Sophos can streamline your security operations and drive superior outcomes for your organization, visit our website, start a free trial of Sophos XDR, or speak with an expert.

To learn more about the results of this evaluation, visit sophos.com/mitre.


¹ In the “Configuration Change” run of the Enterprise 2025 Evaluation.
