{"id":323465,"date":"2024-06-18T06:05:17","date_gmt":"2024-06-18T13:05:17","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=323465"},"modified":"2024-06-19T10:25:12","modified_gmt":"2024-06-19T17:25:12","slug":"unit-42-mdr-in-mitre-managed-services-evaluation","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2024\/06\/unit-42-mdr-in-mitre-managed-services-evaluation\/","title":{"rendered":"Palo Alto Networks Excels in MITRE Managed Services Evaluation"},"content":{"rendered":"<h2><strong>Palo Alto Networks Unit 42 is a leader in managed detection and response (MDR), with a mean time to detect (MTTD) half that of the average participant, built on the industry\u2019s best XDR technology. <\/strong><\/h2>\n<p>Today, MITRE Engenuity unveiled the results of its second-ever <a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\"><strong>ATT&amp;CK Evaluations for Managed Services<\/strong><\/a>. For the second consecutive year, <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/managed-detection-response\">Unit 42 Managed Detection and Response (MDR)<\/a> excelled in the evaluation, delivering MTTD <em>twice as fast as the average participant<\/em>. We leveraged Palo Alto Networks\u2019 industry-leading Cortex XDR,<em> the only product that achieved <\/em><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2023\/09\/mitre-engenuity-attck-evaluations-results\/\">100% protection and 100% detection coverage during the previous round of the MITRE Enterprise Evaluations<\/a>. With Cortex XDR behind Unit 42 MDR, we deliver the industry\u2019s best detection and response to sophisticated cyberthreats.<\/p>\n<h4><strong>Unit 42 MDR sent 37 email alerts during the evaluation. 
Other vendors sent more than 300 email alerts<\/strong> \u2013 <strong>nearly 10x the amount we sent.<\/strong><\/h4>\n<p>We deliver the most important and actionable information as quickly as possible in order to enable accurate, efficient and confident decisions about next steps. With Unit 42 MDR, customers receive a balanced combination of high-quality information, granularity and speed.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"1026\"><span class=\"ar-custom\" style=\"padding-bottom:51.95%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-323760 aligncenter lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/06\/mitre-blog-image-2.png\" alt=\"Chart of email alerts sent.\" width=\"1026\" height=\"533\" \/><\/span><\/div><\/p>\n<p>As part of the evaluation, we delivered a detailed <a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\"><strong>threat report<\/strong><\/a> highlighting crucial information for response and remediation. 
Our executive summary quickly identifies answers to the most important questions facing an organization under attack:<\/p>\n<ul>\n<li>How important is this threat?<\/li>\n<li>Who is the adversary, and what is their intent?<\/li>\n<li>How was the attack executed (TTPs)?<\/li>\n<li>What is the impact?<\/li>\n<li>How should you respond?<\/li>\n<\/ul>\n<h4><strong>Background on the test \u2014 MITRE ATT&amp;CK Evaluation Managed Services: menuPass + ALPHV BlackCat.<\/strong> <a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-323684 alignleft lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/06\/word-image-323465-2-2.png\" width=\"376\" height=\"376\" \/><\/a><\/h4>\n<p>Third-party evaluations like MITRE\u2019s shed light on how vendors would realistically perform against real-world, highly sophisticated threats in a customer environment.<\/p>\n<p>This year\u2019s evaluation was a rigorous 5-day test, named <a href=\"https:\/\/attackevals.mitre-engenuity.org\/managed-services\/menupass-blackcat\/\" rel=\"nofollow,noopener\" >MITRE ATT&amp;CK Evaluation Managed Services: menuPass + ALPHV BlackCat.<\/a> The evaluation is closed book; vendors are not given prior information on the adversary or techniques. Vendors provide analysis in the same format they deliver reports to their customers. 
Unlike a real-world engagement, MITRE Engenuity\u2019s evaluation prohibits prevention and remediation actions.<\/p>\n<p>According to MITRE, this test included sophisticated techniques, among them multi-subsidiary compromise with overlapping operations focusing on defense evasion, exploiting trusted relationships, data encryption and inhibiting system recovery.<\/p>\n<h2><a id=\"post-323465-_p583gyllc2o9\"><\/a>Our Results<\/h2>\n<p>Our <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/managed-detection-response\">Unit 42 MDR<\/a> team leveraged Cortex XDR, high-fidelity threat intelligence and AI-powered analytics to accurately identify and attribute the two adversaries as <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations\/\">APT10<\/a> (aka menuPass) and <a href=\"https:\/\/unit42.paloaltonetworks.com\/blackcat-ransomware\/\">BlackCat<\/a> (aka ALPHV).<\/p>\n<p>We mapped key details of the suspicious activity in the evaluation to MITRE ATT&amp;CK TTPs and identified the threat actors\u2019 maneuvers and intentions. Helping customers understand adversary tactics and tools lets them better target their defense strategies and improve cyber resilience.<\/p>\n<p>In the first few pages of our threat report, we included a <a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\"><strong>threat brief<\/strong><\/a> that accurately identified the impacted hosts and usernames along the attack chain. Our report accompanied messages to the customer, delivered via Cortex XDR. Unit 42 MDR is natively integrated into Cortex XDR, and all Unit 42 MDR customers have immediate access to all alerts in the Cortex XDR console.<\/p>\n<p>Normally, we would immediately inform the customer upon identifying a verified threat and start remediation actions. 
However, remediation was not permitted by MITRE in this test, so we provided recommendations for remediation and posture hardening.<\/p>\n<h2><a id=\"post-323465-_hpds2cixfw54\"><\/a>We\u2019re the Only Vendor Backed by the Best XDR on the Market<\/h2>\n<p>Our Unit 42 MDR service is a powerful combination of the industry\u2019s best extended detection and response technology \u2013 Cortex XDR \u2013 and world-renowned Unit 42 expertise and threat intelligence. Unit 42 MDR includes proactive threat hunting to help customers detect the most evasive and sophisticated threats.<\/p>\n<p>Organizations partner with MDR providers to help them more quickly, accurately and effectively address threats 24\/7\/365. According to the <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">Unit 42 Incident Response Report<\/a>, attacks are happening in just hours, and time to exfiltration is often less than a day. Read our <a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\">MDR threat report<\/a> and see how Unit 42 can help your organization accurately and quickly understand the most important information related to a threat with actionable, clear recommendations.<\/p>\n<p>We want to thank the MITRE Engenuity team for the effort they put into running this evaluation.<\/p>\n<h4><a id=\"post-323465-_j32h64mzcbct\"><\/a><a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42-mdr.html\">Learn more about Unit 42 Managed Services <\/a>and how we can help your organization better defend against today\u2019s threats.<\/h4>\n<h3><a id=\"post-323465-_xp5corlz0shu\"><\/a><strong>A Note About MTTD<\/strong><\/h3>\n<p>Importantly, in this evaluation MITRE Engenuity defined MTTD in a unique way: <em>\u201cMTTD is the average time between when an attack is run and when the managed service provider triggers an alert on this attack<\/em>. 
<em>The timestamp on the first email relevant to the step in question was used.<\/em>\u201d This differs from the usual definition of MTTD, which measures the time until the product itself raises an alert; under MITRE Engenuity\u2019s definition the clock stops only when the provider\u2019s first relevant email is sent. MITRE Engenuity said it uses email timestamps because they are immutable and cannot be manipulated on the vendor\u2019s backend.<\/p>\n<p><em>These results continue a trend of industry-leading validation for Cortex XDR and Unit 42 MDR in independent, third-party security assessments, including the <\/em><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2023\/09\/mitre-engenuity-attck-evaluations-results\/\"><em>MITRE Enterprise ATT&amp;CK Evaluations<\/em><\/a><em>, <\/em><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2024\/06\/forrester-names-palo-alto-networks-a-leader-in-xdr\/\"><em>Forrester XDR Wave<\/em><\/a><em> and <\/em><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2024\/03\/unit-42-mdr-a-leader-in-mdr\/\"><em>Frost Radar: Global MDR<\/em><\/a><em>.<\/em><\/p>\n<p><em>MITRE does not rank or rate participants in the evaluation.<\/em><\/p>\n<p><em>This blog refers to MITRE Engenuity\u2019s Managed Services Evaluation, which is different from MITRE Engenuity\u2019s Enterprise Evaluations.<br \/>\nRead our Threat Report <\/em><a href=\"https:\/\/start.paloaltonetworks.com\/mitre-attack-evaluation-for-mdr\"><em>here.<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 MDR identified the most important details of the cyberthreat in the MITRE managed services evaluation - learn 
more.<\/p>\n","protected":false},"author":723,"featured_media":323605,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6717],"tags":[6737,5804,383,7494,8925,8770],"coauthors":[8923],"class_list":["post-323465","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-products-and-services","tag-cortex-xdr","tag-edr","tag-endpoint-security","tag-managed-services","tag-mitre-engenuity","tag-unit-42-mdr"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/06\/Right-Here-2.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/323465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=323465"}],"version-history":[{"count":21,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/323465\/revisions"}],"predecessor-version":[{"id":323892,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/323465\/revisions\/323892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/323605"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=323465"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=323465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=323465"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=323465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}