MITRE to Evaluate Cybersecurity Products Based on APT29/Cozy Bear/The Dukes Threat Group

McLean, Va., and Bedford, Mass., May 1, 2019—MITRE’s ATT&CK™ Evaluations program will assess commercial cybersecurity products based on techniques used by APT29/Cozy Bear/The Dukes. Cybersecurity analysts believe the group operates on behalf of the Russian government, and that it compromised the Democratic National Committee starting in 2015.

Endpoint detection and response (EDR) vendors may apply for an evaluation via The selection of vendors for evaluation is subject to MITRE’s sole discretion. The evaluations are paid for by vendors and are intended to help vendors better understand their product’s capabilities. ATT&CK evaluations do not constitute a score, rank, or endorsement. MITRE also makes evaluation results available to the public, so other organizations may benefit as well as provide their own analysis and interpretation.

The evaluations use the ATT&CK framework, a MITRE-developed knowledge base of adversary tactics, techniques, and procedures that is based on published threat reporting. The framework is freely available, and is used by cyber defenders in areas including finance, healthcare, energy, manufacturing, retail, and government, to understand adversary behavior and tradecraft. 

“Many security vendors have begun using ATT&CK to describe how their product capabilities detect known adversary behaviors,” said Gary Gagnon, MITRE vice president for cybersecurity strategy and chief security officer. “Along with efforts like CVE™ and STIX™/TAXII™, it represents MITRE’s continued commitment to help build communities that change the way industry and government approach cybersecurity.”

“MITRE chose APT29 as the adversary to emulate for the second round because it complements our APT3 emulations and offers a new perspective on ATT&CK coverage,” said Frank Duff, MITRE’s lead engineer for the evaluations program. “While APT3 has focused on noisier, process-level techniques—relying on pre-installed system tools that hide malicious activity within legitimate processes—APT29 offers the chance to measure against an adversary that uses more sophisticated implementations of techniques through custom malware and alternate execution methods, such as PowerShell and WMI. Additionally, its notoriety from recent breaches and its surgical approach to intrusions provide a very compelling story and international relevance.”

“ATT&CK Evaluations can help users understand a cybersecurity product’s true product capabilities and how to use them,” Duff said. “They’re also driving vendors to improve the capabilities of those products.”

MITRE’s initial round of evaluations, which included products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and SentinelOne, was based on the threat posed by APT3/Gothic Panda, with results announced in November 2018. Results for Cybereason and FireEye have subsequently been released, and Palo Alto was recently accepted for an evaluation.

(Video) Katie Nickels, MITRE’s ATT&CK threat intelligence lead, talks about what makes MITRE ATT&CK Evaluations different from other cybersecurity scoring systems.

About ATT&CK

MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK™ was created by MITRE’s independent research program from its own data and operations, and is based entirely on published, open-source threat information. Increasingly, ATT&CK is driven by contributions from external sources. For more information on the ATT&CK evaluation effort or to apply to participate, visit or contact The selection of vendors for evaluation is subject to MITRE’s sole discretion.

MITRE's mission-driven teams are dedicated to solving problems for a safer world. Through public-private partnerships, as well as the operation of federally funded R&D centers, we work across government to tackle challenges to the safety, stability, and well-being of our nation.

Jeremy Singer,