Product Version: 5.8.4
Sensor Version: 220.127.116.11
CounterTack's Endpoint Protection Platform is an enhanced EDR solution; EPP utilizes both behavior-based detection capabilities along with real-time in memory scanning to detect both known and unknown threats within an organization's environment. CounterTack's EPP makes use of Digital DNA technology, along with machine learning to have unparalleled insight into the code a process has loaded into memory; not only does it allow EPP's sensor to make real-time convictions on malware, but it also enable's EPP to predict what the process is capable of and what it might do in the future. CounterTack's EPP also makes use of an extensive behavior-based detection library, well suited to detect the various tactics, techniques, and procedures commonly used by advanced persistent threats.
Sensor Profile: Profile-WINDOWS
Automated Response Policies: Enabled and set to alert only
Additional Notes from MITRE:
CounterTack reported to MITRE that they modified the configuration between scenario one and scenario two. Though configuration changes after the start of the evaluation were not allowed, MITRE assessed this was not made in bad faith but rather was the result of a misunderstanding. MITRE re-tested parts of scenario one and compared the results before and after the configuration change. MITRE assessed that the main difference as a result of the configuration change was in adding what the vendor called “conditions,” which are labels to the data that MITRE used to contribute to Enrichment categories. MITRE also observed that CounterTack added an alert to the capability during the configuration change. MITRE did not observe any differences in the data collected, but rather how it was labeled and alerted upon, so determined results were not significantly affected. MITRE determined the fairest course of action would be to footnote all scenario two detections with the change to make it transparent to users. MITRE also added a “Configuration Change” modifier category to any scenario one or scenario two detection made after the configuration change that MITRE could not assess was present prior to the change.
CounterTack reported to MITRE that the profile used in the evaluation is a customized version of the default profile they ship with the product for Windows (named Profile-WINDOWS). CounterTack modified the profile to remove conditions which provided more abstract detections that were not applicable to the evaluation. CounterTack encourages customers to create a profile based on what they deem as legitimate and anomalous behaviors. Profile-WINDOWS is an xml document that was previously sent to MITRE, and CounterTack customers can achieve the same detection capabilities as the ones used in the testing by using the default Windows profile. Regarding the configuration change discussed above, CounterTack noted that with the configuration changes involve removal of certain rules displaying more generic or general behavior (e.g. Powershell Invoked) to allow more specific rules to trigger (e.g. Powershell: Execution Policy ByPass command ran). CounterTack also reported that they removed behaviors that look for sc.exe and net.exe process creates, in order for behaviors that look for sc.exe process with command line argument of "query" and net.exe process with command line of "use" to trigger instead. CounterTack noted that the less specific behaviors might be valid in some environments (that don't use these processes for any legitimate purposes), but the more specific behaviors may be more useful based on the endpoint type (Workstation, Server, etc) and more likely to be used in a real organization's environment since the tools are typically used for legitimate reasons.