Business & Technology

Reveling in the MITRE ATT&CK Evaluations Results

FortiEDR behavior-based endpoint security demonstrates industry-leading analytic detection capabilities and insight

By Brook Chelmo | September 20, 2023

After Fortinet’s third round of MITRE ATT&CK Evaluations, FortiEDR demonstrated outstanding performance in the latest evaluation. Round 5 examined threat actor Turla, which has been linked to many high-profile attacks that have had an impact on government agencies, media, and energy sector organizations globally. Even in highly monitored environments, adversaries like Turla are successful by flying under the radar for years because of their evasive tactics.

FortiEDR posted a formidable 98% overall visibility rate, 95% analytic detection rate, and maintained a perfect score in the Linux test, and we’re proud of these numbers. For our users, FortiEDR provides comprehensive insight through high-quality detection of advanced cyberattacks to reduce their cyber risk. And achieving these scores without delays highlights the reliability and speed of FortiEDR. But to determine how these figures translate to real-world security for businesses, we need to delve deeper.

98% Visibility: Seeing Beyond the Obvious

In today’s threat landscape, visibility is the bedrock of cybersecurity. A high visibility rate signifies a tool's ability to illuminate potential threats on an organization’s endpoints. In this round of the evaluation, the average solution only detected 83% of the techniques, so FortiEDR stands out with the 98% visibility rate. Businesses can rest assured knowing that even the subtlest of malicious activities on their endpoints won't escape the notice of FortiEDR.

Our comprehensive visibility relies on multiple kernel-level mechanisms that go beyond user space. For example, when adversaries run malicious code, they often use system services to stay undetected and hide the origin of attack, as well as break the chain of events (the previous place they executed from). FortiEDR aggregates the data and provides a detailed and concise view of each operation, such as the actual source process in case of service execution, so the analysts can easily trace the attack origin and respond quickly and effectively.

Look at an attack through the Investigative view with MITRE tagging visible

95% Analytic Detection Rate: Deciphering Sophisticated Threat Actions

The MITRE Engenuity ATT&CK Evaluations, in its fifth cycle, remains an arena where the mettle of an endpoint security solution’s ability to peer into threats was tested. In round four in 2022, the average analytic rate was 75% among all 30 vendors. In round five in 2023, that number suddenly dropped to 73%. This change wasn’t surprising since the evaluation was based on an espionage-focused threat actor.

The FortiEDR 95% analytic detection rate is a testament to our security approach where collection, processing, and detection with MITRE tagging are available to users in real time. This approach provides full visibility of the attack chain and any malicious changes using our patented code tracing, which preserves memory snapshots of in-memory attacks for threat hunting.

In addition, FortiEDR artificial intelligence provides advanced event classification and mapping to the MITRE ATT&CK framework, which provides data enrichment to the events, giving analysts insights into what and how an event was done to possibly derive the attacker’s intention.

100% Linux Insight: A Noteworthy Achievement

Achieving a flawless score due to blocking the attack and fielding a 100% analytic rate in the Linux evaluation is noteworthy. Linux systems are integral to many business operations, and this perfect score is indicative of the FortiEDR kernel-based approach on Linux. As with Windows, FortiEDR provides the strong threat-hunting, forensic, and protection capabilities one would expect. The client also provides these capabilities on modern Linux flavors and legacy instances of Linux as well. Because FortiEDR protects devices across a broad range of operating systems, many manufacturing, healthcare, finance, and education customers rely on our ability to protect their Linux devices.

No Delays, No Compromises

FortiEDR showcased its precision and unparalleled speed, operating without any delays in spite of the high volume of events and data. In the intricate dance of cyber defense, even the slightest delay can open a window wide enough for sophisticated attacks to break through. While other solutions may grapple with tedious adjustments that inadvertently slow down their reaction time, FortiEDR remains steadfast, delivering real-time, unwavering defense mechanisms. In a digital landscape where every second counts, Fortinet ensures that your organization remains shielded without missing a beat.

Fundamental Protection

In round five, the protection tests were broken into 13 parts with only six participants opting out of this part of the evaluation. The average participating vendor’s solution blocked 86% of the attacks, which means that missing two of the attacks was par for the course. Test three was the one that tripped up 58% of vendors, including Fortinet. Yes, our first miss in three years, despite having a 100% protection rate according to SE Labs and the first out-of-the-box solution to stop all the advanced attacks in the University of Piraeus’s famous EDR red team research project (see page 44).

So why did this test trip up over half of the vendors with only five of them having this test as their only miss? Test three was a password-guessing module that required either a highly specific signature or a lower threshold in the time period. Most brute force, password-guessing attacks require an average hundreds of thousands of attempts, not 10, 18, or even 50. The FortiEDR configuration can be adjusted differently to accommodate various environments and real-world deployments. Either way, we are proud to have demonstrated the range of protection technologies, including our patented behavior-based approach to blocking threats post-execution.

Showing why an attack was stopped in the FortiEDR console, clicking the analysis view on the right can show even more details (as seen above).

Look Beyond the Numbers Matter: Gaining Critical Insights into Attacks

For businesses, these accolades aren’t mere digits. They represent tangible indicators of a solution’s proficiency at providing critical insights and real-time blocking to stop attacks dead in their tracks and also understand why. In the high-stakes domain of cybersecurity, these scores can significantly influence an organization's resilience. FortiEDR, with its acclaimed visibility, ensures that stealthy threats are unveiled and separated from the white noise of everyday activity. Paired with its analytic expertise, our solution promises discernment amid a sea of alarms, empowering businesses to act decisively.

FortiEDR stands out in its ability to provide rapid insights. It fuses deep analytic capabilities with a detailed understanding of the MITRE ATT&CK framework. This harmonization empowers organizations to anticipate and tackle threats, such as nation-state threats, which pose severe security concerns for enterprises globally.

By leveraging FortiEDR threat hunting capabilities and its ability to identify behavior along the MITRE ATT&CK framework, organizations can pinpoint related indicators of compromise with unparalleled precision to enable a proactive stance against potential breach attempts. This holistic approach, rooted in insight and foresight, underscores the pivotal role of FortiEDR within an organization’s security strategy.

FortiEDR: Unrivaled Protection

The recent performance of FortiEDR in the MITRE ATT&CK Evaluations underscores its caliber in providing unrivaled protection. For organizations keen on gleaning deep insights into threats, especially on Windows and Linux, while ensuring seamless integration and automation, FortiEDR emerges as the go-to solution. As you evaluate endpoint protection platforms, remember to look beyond numbers and delve into genuine capabilities. Ensure that the chosen solution amplifies, not hampers, your cybersecurity posture.

To see if FortiEDR is a right fit for your organization, schedule a demo or a proof of concept today.


Visit the MITRE Engenuity site for the full FortiEDR results and more information about the MITRE Evaluations.