The Enterprise Advanced Security testing programme includes new attack groups.
Our Enterprise Advanced Security (EAS) tests can assess any security software, hardware appliance, cloud service or combination thereof. Always evolving, these tests have expanded to include new attacks.
(These tests were originally called the Breach Response test. We renamed them for a number of reasons.)
Hackers and way they hack
Research on real attacker behaviour is a fundamental element of our EAS testing. Our team looks at the real-world behaviour of advanced threat groups, known as Advanced Persistent Threats (APTs).
While useful, MITRE’s ATT&CK framework does not provide a full list of how the bad guys operate. The Tactics, Techniques and Procedures (TTPs) used by an APT vary widely and we go further than using solely those listed in the ATT&CK database.
To improve the accuracy and relevance of our tests, the team investigates other sources of research, as well as performing their own on malware samples and tools attributed to different APTs. Over time, often years, our knowledge of an APT can change as our research, and the research of others, progresses. The more eyes there are on a threat, the more information comes to light.
Enterprise Advanced Security Threat Series
During a test we choose a range of APTs and create attacks similar to those seen in the real world as used by those attackers. We organise these threats by creating a series, or menu, of different threat groups. We’ve previously written in detail about the first three Threat Series.
Since then we doubled the number of Threat Series to six. Here is a summary of all current Threat Series and the attack groups within each.
Threat Series groups
|Threat Series||APT Groups|
|1||APT29, APT3, OilRig, APT33|
|2||FIN4, FIN7 & Carbanak, FIN10, Silence|
|3||APT19, Deep Panda, Dragonfly & Dragonfly 2.0|
|4 (NEW)||APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, OilRig|
|5 (NEW)||APT29, OilRig, FIN7 & Carbanak, APT3|
|6 (NEW)||Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0|
For detailed information on Threat Series 1, 2 and 3 please refer to our previous article.
New Threat Series Details
Threat Series 4
Background: APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, Oilrig
These groups were combined to form a “Best of” compilation of the previous APTs used in our tests. It has the biggest diversity of TTPs tested at the time, with APT29 and ‘FIN7 & Carbanak’ being the two used in the most recent MITRE Engenuity evaluations.
We topped up the Threat Series with ‘Dragonfly & Dragonfly 2.0’ and OilRig to add a wider range of threats.
Threat Series 5
Background: APT29, FIN7 & Carbanak, Oilrig, APT3
This Threat Series was created for our new Network Detection and Response (NDR) test. These APTs allowed us to better showcase NDR capabilities. The most well-known report is the one we created for VMware. This report goes some way to highlighting the wide range of solutions compatible with our testing.
We are expecting more NDR reports focused on this series later this year.
Threat Series 6
Background: Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0
The newest addition to our Threat Series contains our take on Wizard Spider and Sandworm from the MITRE Engenuity Evaluation, coupled with the APTs we have in Dragonfly & Dragonfly 2.0. These provide the widest range of techniques of all the groups we include in the tests.
What’s next for the test?
Our first public comparative of endpoint detection and response (EDR) products will take place in Q2 of 2022, with publication expected in June. We will announce a new Threat Series and the exact dates later this month (February 2022). Throughout the year we expect to publish at least one comparative report, multiple NDR reports out and our first extended detection and response (XDR) reports.
Other projects are also in the pipeline and the best way to get advance notice of these is to subscribe to our free newsletter.
Why did we rename ‘Breach Response’ as ‘Enterprise Advanced Security’?
Some people assumed, for historical reasons, that the Breach Response test was suitable for endpoint solutions only. However, its scope was much wider because we test like real attackers, using the full attack chain. As such, we can test most security products in much the same way. To avoid confusion we adopted the simpler name of Enterprise Advanced Security at the end of 2021. We feel that Enterprise Advanced Security better encompasses the wide range of products we can test as well as being more appropriate for the readers of our reports. As a result of this change we have found increased participation from security vendors of different types, including EDR, NDR, XDR and network security appliances such as firewall.
Find out more
See all blog posts relating to test results.