Press release

MITRE to Evaluate Cybersecurity Products Based on APT29/Cozy Bear/The Dukes Threat Group

Sponsored by Businesswire

MITRE’s ATT&CK™ Evaluations program will assess commercial cybersecurity
products based on techniques used by APT29/Cozy Bear/The Dukes.
Cybersecurity analysts believe the group operates on behalf of the
Russian government, and that it compromised the Democratic National
Committee starting in 2015.

Endpoint detection and response (EDR) vendors may apply for an
evaluation.
The selection of vendors for evaluation is subject to MITRE’s sole
discretion. The evaluations are paid for by vendors and are intended to
help vendors better understand their product’s capabilities. ATT&CK
evaluations do not constitute a score, rank, or endorsement. MITRE also
makes evaluation results available to the public, so other organizations
may benefit as well as provide their own analysis and interpretation.

The evaluations use the ATT&CK framework, a MITRE-developed knowledge
base of adversary tactics, techniques, and procedures that is based on
published threat reporting. The framework is freely
available, and is used by cyber defenders in areas including
finance, healthcare, energy, manufacturing, retail, and government, to
understand adversary behavior and tradecraft.

“Many security vendors have begun using ATT&CK to describe how their
product capabilities detect known adversary behaviors,” said Gary
Gagnon, MITRE vice president for cybersecurity strategy and chief
security officer. “Along with efforts like CVE™ and STIX™/TAXII™, it
represents MITRE’s continued commitment to help build communities that
change the way industry and government approach cybersecurity.”

“MITRE chose APT29 as the adversary to emulate for the second round
because it complements our APT3 emulations and offers a new perspective
on ATT&CK coverage,” said Frank Duff, MITRE’s lead engineer for the
evaluations program. “While APT3 has focused on noisier, process-level
techniques – relying on pre-installed system tools that hide malicious
activity within legitimate processes – APT29 offers the chance to
measure against an adversary that uses more sophisticated
implementations of techniques through custom malware and alternate
execution methods, such as PowerShell and WMI. Additionally, their
notoriety from recent breaches and their surgical approach to intrusions
provides a very compelling story and international relevance.”

“ATT&CK Evaluations can help users understand a cybersecurity product’s
true product capabilities and how to use them,” Duff said. “They’re also
driving vendors to improve the capabilities of those products.”

MITRE’s initial round of evaluations, which included products from
Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and
SentinelOne, was based on the threat posed by APT3/Gothic Panda, with
results announced in November. Results for Cybereason and FireEye have
subsequently been released, and Palo Alto was recently accepted for an
evaluation.

About ATT&CK

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary
tactics and techniques based on real-world observations. The ATT&CK
knowledge base is used as a foundation for the development of specific
threat models and methodologies in the private sector, in government,
and in the cybersecurity product and service community. ATT&CK™ was
created by MITRE’s independent
program from its own data and operations, and is entirely
based on published, open source threat information. Increasingly, ATT&CK
is driven by contributions from external sources. For more information
on the ATT&CK evaluation effort, or to apply to participate, contact MITRE.


MITRE’s mission-driven teams are dedicated to solving problems for a
safer world. Through public-private partnerships, as well as the
operation of federally funded R&D centers, we work across government to
tackle challenges to the safety, stability, and well-being of our nation.

© 2019 The MITRE Corporation. All rights reserved.