Enterprise Evaluation 2020

结果

ATT&CK 技术范围导航器

层文件 JSON（ATT&CK Navigator 图层文件，layer 版本 2.2，domain 为 mitre-enterprise）。注意：该图层使用的是 ATT&CK 子技术重构之前的旧技术编号（如 T1088、T1116、T1043、T1175），其中不少编号在现行 ATT&CK 中已被弃用或并入子技术；在新版 Navigator 中加载前需先做编号迁移，否则这些技术可能无法正确显示。另外同一 techniqueID 在不同 tactic 下各出现一次（如 T1055、T1078、T1179），这是 Navigator 图层按"技术 × 战术"逐格着色的正常写法，并非重复项。

  1. {
  2. "name": "Carbanak+FIN7",
  3. "version": "2.2",
  4. "domain": "mitre-enterprise",
  5. "description": "",
  6. "filters": {
  7. "stages": [
  8. "act"
  9. ],
  10. "platforms": [
  11. "Windows",
  12. "Linux",
  13. "macOS"
  14. ]
  15. },
  16. "sorting": 0,
  17. "viewMode": 0,
  18. "hideDisabled": false,
  19. "techniques": [
  20. {
  21. "techniqueID": "T1138",
  22. "tactic": "persistence",
  23. "score": 2,
  24. "color": "",
  25. "comment": "",
  26. "enabled": true,
  27. "metadata": []
  28. },
  29. {
  30. "techniqueID": "T1110",
  31. "tactic": "credential-access",
  32. "score": 1,
  33. "color": "",
  34. "comment": "",
  35. "enabled": true,
  36. "metadata": []
  37. },
  38. {
  39. "techniqueID": "T1088",
  40. "tactic": "privilege-escalation",
  41. "score": 3,
  42. "color": "",
  43. "comment": "",
  44. "enabled": true,
  45. "metadata": []
  46. },
  47. {
  48. "techniqueID": "T1116",
  49. "tactic": "defense-evasion",
  50. "score": 3,
  51. "color": "",
  52. "comment": "",
  53. "enabled": true,
  54. "metadata": []
  55. },
  56. {
  57. "techniqueID": "T1043",
  58. "tactic": "command-and-control",
  59. "score": 3,
  60. "color": "",
  61. "comment": "",
  62. "enabled": true,
  63. "metadata": []
  64. },
  65. {
  66. "techniqueID": "T1175",
  67. "tactic": "execution",
  68. "score": 3,
  69. "color": "",
  70. "comment": "",
  71. "enabled": true,
  72. "metadata": []
  73. },
  74. {
  75. "techniqueID": "T1090",
  76. "tactic": "command-and-control",
  77. "score": 3,
  78. "color": "",
  79. "comment": "",
  80. "enabled": true,
  81. "metadata": []
  82. },
  83. {
  84. "techniqueID": "T1003",
  85. "tactic": "credential-access",
  86. "score": 3,
  87. "color": "",
  88. "comment": "",
  89. "enabled": true,
  90. "metadata": []
  91. },
  92. {
  93. "techniqueID": "T1002",
  94. "tactic": "exfiltration",
  95. "score": 2,
  96. "color": "",
  97. "comment": "",
  98. "enabled": true,
  99. "metadata": []
  100. },
  101. {
  102. "techniqueID": "T1022",
  103. "tactic": "exfiltration",
  104. "score": 2,
  105. "color": "",
  106. "comment": "",
  107. "enabled": true,
  108. "metadata": []
  109. },
  110. {
  111. "techniqueID": "T1074",
  112. "tactic": "collection",
  113. "score": 2,
  114. "color": "",
  115. "comment": "",
  116. "enabled": true,
  117. "metadata": []
  118. },
  119. {
  120. "techniqueID": "T1005",
  121. "tactic": "collection",
  122. "score": 3,
  123. "color": "",
  124. "comment": "",
  125. "enabled": true,
  126. "metadata": []
  127. },
  128. {
  129. "techniqueID": "T1140",
  130. "tactic": "defense-evasion",
  131. "score": 3,
  132. "color": "",
  133. "comment": "",
  134. "enabled": true,
  135. "metadata": []
  136. },
  137. {
  138. "techniqueID": "T1480",
  139. "tactic": "defense-evasion",
  140. "score": 2,
  141. "color": "",
  142. "comment": "",
  143. "enabled": true,
  144. "metadata": []
  145. },
  146. {
  147. "techniqueID": "T1106",
  148. "tactic": "execution",
  149. "score": 3,
  150. "color": "",
  151. "comment": "",
  152. "enabled": true,
  153. "metadata": []
  154. },
  155. {
  156. "techniqueID": "T1041",
  157. "tactic": "exfiltration",
  158. "score": 3,
  159. "color": "",
  160. "comment": "",
  161. "enabled": true,
  162. "metadata": []
  163. },
  164. {
  165. "techniqueID": "T1179",
  166. "tactic": "persistence",
  167. "score": 2,
  168. "color": "",
  169. "comment": "",
  170. "enabled": true,
  171. "metadata": []
  172. },
  173. {
  174. "techniqueID": "T1179",
  175. "tactic": "credential-access",
  176. "score": 2,
  177. "color": "",
  178. "comment": "",
  179. "enabled": true,
  180. "metadata": []
  181. },
  182. {
  183. "techniqueID": "T1056",
  184. "tactic": "collection",
  185. "score": 3,
  186. "color": "",
  187. "comment": "",
  188. "enabled": true,
  189. "metadata": []
  190. },
  191. {
  192. "techniqueID": "T1036",
  193. "tactic": "defense-evasion",
  194. "score": 3,
  195. "color": "",
  196. "comment": "",
  197. "enabled": true,
  198. "metadata": []
  199. },
  200. {
  201. "techniqueID": "T1170",
  202. "tactic": "execution",
  203. "score": 2,
  204. "color": "",
  205. "comment": "",
  206. "enabled": true,
  207. "metadata": []
  208. },
  209. {
  210. "techniqueID": "T1135",
  211. "tactic": "discovery",
  212. "score": 2,
  213. "color": "",
  214. "comment": "",
  215. "enabled": true,
  216. "metadata": []
  217. },
  218. {
  219. "techniqueID": "T1010",
  220. "tactic": "discovery",
  221. "score": 3,
  222. "color": "",
  223. "comment": "",
  224. "enabled": true,
  225. "metadata": []
  226. },
  227. {
  228. "techniqueID": "T1050",
  229. "tactic": "privilege-escalation",
  230. "score": 3,
  231. "color": "",
  232. "comment": "",
  233. "enabled": true,
  234. "metadata": []
  235. },
  236. {
  237. "techniqueID": "T1050",
  238. "tactic": "persistence",
  239. "score": 3,
  240. "color": "",
  241. "comment": "",
  242. "enabled": true,
  243. "metadata": []
  244. },
  245. {
  246. "techniqueID": "T1027",
  247. "tactic": "defense-evasion",
  248. "score": 3,
  249. "color": "",
  250. "comment": "",
  251. "enabled": true,
  252. "metadata": []
  253. },
  254. {
  255. "techniqueID": "T1086",
  256. "tactic": "execution",
  257. "score": 3,
  258. "color": "",
  259. "comment": "",
  260. "enabled": true,
  261. "metadata": []
  262. },
  263. {
  264. "techniqueID": "T1047",
  265. "tactic": "execution",
  266. "score": 3,
  267. "color": "",
  268. "comment": "",
  269. "enabled": true,
  270. "metadata": []
  271. },
  272. {
  273. "techniqueID": "T1057",
  274. "tactic": "discovery",
  275. "score": 3,
  276. "color": "",
  277. "comment": "",
  278. "enabled": true,
  279. "metadata": []
  280. },
  281. {
  282. "techniqueID": "T1093",
  283. "tactic": "defense-evasion",
  284. "score": 2,
  285. "color": "",
  286. "comment": "",
  287. "enabled": true,
  288. "metadata": []
  289. },
  290. {
  291. "techniqueID": "T1055",
  292. "tactic": "defense-evasion",
  293. "score": 3,
  294. "color": "",
  295. "comment": "",
  296. "enabled": true,
  297. "metadata": []
  298. },
  299. {
  300. "techniqueID": "T1055",
  301. "tactic": "privilege-escalation",
  302. "score": 2,
  303. "color": "",
  304. "comment": "",
  305. "enabled": true,
  306. "metadata": []
  307. },
  308. {
  309. "techniqueID": "T1038",
  310. "tactic": "privilege-escalation",
  311. "score": 2,
  312. "color": "",
  313. "comment": "",
  314. "enabled": true,
  315. "metadata": []
  316. },
  317. {
  318. "techniqueID": "T1060",
  319. "tactic": "persistence",
  320. "score": 3,
  321. "color": "",
  322. "comment": "",
  323. "enabled": true,
  324. "metadata": []
  325. },
  326. {
  327. "techniqueID": "T1076",
  328. "tactic": "lateral-movement",
  329. "score": 3,
  330. "color": "",
  331. "comment": "",
  332. "enabled": true,
  333. "metadata": []
  334. },
  335. {
  336. "techniqueID": "T1105",
  337. "tactic": "command-and-control",
  338. "score": 3,
  339. "color": "",
  340. "comment": "",
  341. "enabled": true,
  342. "metadata": []
  343. },
  344. {
  345. "techniqueID": "T1018",
  346. "tactic": "discovery",
  347. "score": 3,
  348. "color": "",
  349. "comment": "",
  350. "enabled": true,
  351. "metadata": []
  352. },
  353. {
  354. "techniqueID": "T1053",
  355. "tactic": "execution",
  356. "score": 2,
  357. "color": "",
  358. "comment": "",
  359. "enabled": true,
  360. "metadata": []
  361. },
  362. {
  363. "techniqueID": "T1113",
  364. "tactic": "collection",
  365. "score": 3,
  366. "color": "",
  367. "comment": "",
  368. "enabled": true,
  369. "metadata": []
  370. },
  371. {
  372. "techniqueID": "T1064",
  373. "tactic": "execution",
  374. "score": 3,
  375. "color": "",
  376. "comment": "",
  377. "enabled": true,
  378. "metadata": []
  379. },
  380. {
  381. "techniqueID": "T1035",
  382. "tactic": "execution",
  383. "score": 3,
  384. "color": "",
  385. "comment": "",
  386. "enabled": true,
  387. "metadata": []
  388. },
  389. {
  390. "techniqueID": "T1045",
  391. "tactic": "defense-evasion",
  392. "score": 3,
  393. "color": "",
  394. "comment": "",
  395. "enabled": true,
  396. "metadata": []
  397. },
  398. {
  399. "techniqueID": "T1193",
  400. "tactic": "initial-access",
  401. "score": 3,
  402. "color": "",
  403. "comment": "",
  404. "enabled": true,
  405. "metadata": []
  406. },
  407. {
  408. "techniqueID": "T1071",
  409. "tactic": "command-and-control",
  410. "score": 3,
  411. "color": "",
  412. "comment": "",
  413. "enabled": true,
  414. "metadata": []
  415. },
  416. {
  417. "techniqueID": "T1032",
  418. "tactic": "command-and-control",
  419. "score": 3,
  420. "color": "",
  421. "comment": "",
  422. "enabled": true,
  423. "metadata": []
  424. },
  425. {
  426. "techniqueID": "T1082",
  427. "tactic": "discovery",
  428. "score": 3,
  429. "color": "",
  430. "comment": "",
  431. "enabled": true,
  432. "metadata": []
  433. },
  434. {
  435. "techniqueID": "T1016",
  436. "tactic": "discovery",
  437. "score": 3,
  438. "color": "",
  439. "comment": "",
  440. "enabled": true,
  441. "metadata": []
  442. },
  443. {
  444. "techniqueID": "T1033",
  445. "tactic": "discovery",
  446. "score": 3,
  447. "color": "",
  448. "comment": "",
  449. "enabled": true,
  450. "metadata": []
  451. },
  452. {
  453. "techniqueID": "T1204",
  454. "tactic": "execution",
  455. "score": 3,
  456. "color": "",
  457. "comment": "",
  458. "enabled": true,
  459. "metadata": []
  460. },
  461. {
  462. "techniqueID": "T1078",
  463. "tactic": "privilege-escalation",
  464. "score": 3,
  465. "color": "",
  466. "comment": "",
  467. "enabled": true,
  468. "metadata": []
  469. },
  470. {
  471. "techniqueID": "T1497",
  472. "tactic": "defense-evasion",
  473. "score": 2,
  474. "color": "",
  475. "comment": "",
  476. "enabled": true,
  477. "metadata": []
  478. },
  479. {
  480. "techniqueID": "T1077",
  481. "tactic": "lateral-movement",
  482. "score": 3,
  483. "color": "",
  484. "comment": "",
  485. "enabled": true,
  486. "metadata": []
  487. },
  488. {
  489. "techniqueID": "T1087",
  490. "tactic": "discovery",
  491. "score": 1,
  492. "color": "",
  493. "comment": "",
  494. "enabled": true,
  495. "metadata": []
  496. },
  497. {
  498. "techniqueID": "T1059",
  499. "tactic": "execution",
  500. "score": 1,
  501. "color": "",
  502. "comment": "",
  503. "enabled": true,
  504. "metadata": []
  505. },
  506. {
  507. "techniqueID": "T1503",
  508. "tactic": "credential-access",
  509. "score": 1,
  510. "color": "",
  511. "comment": "",
  512. "enabled": true,
  513. "metadata": []
  514. },
  515. {
  516. "techniqueID": "T1089",
  517. "tactic": "defense-evasion",
  518. "score": 1,
  519. "color": "",
  520. "comment": "",
  521. "enabled": true,
  522. "metadata": []
  523. },
  524. {
  525. "techniqueID": "T1173",
  526. "tactic": "execution",
  527. "score": 1,
  528. "color": "",
  529. "comment": "",
  530. "enabled": true,
  531. "metadata": []
  532. },
  533. {
  534. "techniqueID": "T1107",
  535. "tactic": "defense-evasion",
  536. "score": 1,
  537. "color": "",
  538. "comment": "",
  539. "enabled": true,
  540. "metadata": []
  541. },
  542. {
  543. "techniqueID": "T1083",
  544. "tactic": "discovery",
  545. "score": 1,
  546. "color": "",
  547. "comment": "",
  548. "enabled": true,
  549. "metadata": []
  550. },
  551. {
  552. "techniqueID": "T1056",
  553. "tactic": "credential-access",
  554. "score": 3,
  555. "color": "",
  556. "comment": "",
  557. "enabled": true,
  558. "metadata": []
  559. },
  560. {
  561. "techniqueID": "T1112",
  562. "tactic": "defense-evasion",
  563. "score": 1,
  564. "color": "",
  565. "comment": "",
  566. "enabled": true,
  567. "metadata": []
  568. },
  569. {
  570. "techniqueID": "T1202",
  571. "tactic": "defense-evasion",
  572. "score": 2,
  573. "color": "",
  574. "comment": "",
  575. "enabled": true,
  576. "metadata": []
  577. },
  578. {
  579. "techniqueID": "T1075",
  580. "tactic": "lateral-movement",
  581. "score": 1,
  582. "color": "",
  583. "comment": "",
  584. "enabled": true,
  585. "metadata": []
  586. },
  587. {
  588. "techniqueID": "T1069",
  589. "tactic": "discovery",
  590. "score": 1,
  591. "color": "",
  592. "comment": "",
  593. "enabled": true,
  594. "metadata": []
  595. },
  596. {
  597. "techniqueID": "T1012",
  598. "tactic": "discovery",
  599. "score": 1,
  600. "color": "",
  601. "comment": "",
  602. "enabled": true,
  603. "metadata": []
  604. },
  605. {
  606. "techniqueID": "T1219",
  607. "tactic": "command-and-control",
  608. "score": 1,
  609. "color": "",
  610. "comment": "",
  611. "enabled": true,
  612. "metadata": []
  613. },
  614. {
  615. "techniqueID": "T1105",
  616. "tactic": "lateral-movement",
  617. "score": 3,
  618. "color": "",
  619. "comment": "",
  620. "enabled": true,
  621. "metadata": []
  622. },
  623. {
  624. "techniqueID": "T1021",
  625. "tactic": "lateral-movement",
  626. "score": 1,
  627. "color": "",
  628. "comment": "",
  629. "enabled": true,
  630. "metadata": []
  631. },
  632. {
  633. "techniqueID": "T1095",
  634. "tactic": "command-and-control",
  635. "score": 1,
  636. "color": "",
  637. "comment": "",
  638. "enabled": true,
  639. "metadata": []
  640. },
  641. {
  642. "techniqueID": "T1169",
  643. "tactic": "privilege-escalation",
  644. "score": 1,
  645. "color": "",
  646. "comment": "",
  647. "enabled": true,
  648. "metadata": []
  649. },
  650. {
  651. "techniqueID": "T1078",
  652. "tactic": "persistence",
  653. "score": 3,
  654. "color": "",
  655. "comment": "",
  656. "enabled": true,
  657. "metadata": []
  658. }
  659. ],
  660. "gradient": {
  661. "colors": [
  662. "#0033a0",
  663. "#da291c",
  664. "#ffe86c"
  665. ],
  666. "minValue": 1,
  667. "maxValue": 3
  668. },
  669. "legendItems": [
  670. {
  671. "label": "Carbanak",
  672. "color": "#0033a0"
  673. },
  674. {
  675. "label": "FIN7",
  676. "color": "#da291c"
  677. },
  678. {
  679. "label": "Carbanak+FIN7",
  680. "color": "#ffe86c"
  681. }
  682. ],
  683. "metadata": [],
  684. "showTacticRowBackground": false,
  685. "tacticRowBackground": "#dddddd",
  686. "selectTechniquesAcrossTactics": true
  687. }

中文解说:《威胁棱镜 - MITRE ATT&CK 第三轮评估结果发布》

MITRE 每年会选取不同的攻击组织进行对抗模拟,对参与的各个安全厂商进行评估。2021 年 4 月 20 日,MITRE 发布了最新一轮的 ATT&CK 安全解决方案评估结果。这是继 2018 年模拟 APT3、2019 年模拟 APT29 之后的第三轮评估,2020 年这一轮模拟的对象是 Carbanak/FIN7。
本轮评估有 29 个安全厂商参加,包括 Microsoft、Cisco 等大厂;CrowdStrike、Carbon Black 等终端安全强势厂商;Bitdefender、McAfee、Symantec 等传统安全厂商等,具体如下所示:
MITRE - Enterprise Evaluation 2020 - 图1
Carbanak/FIN7 从 2013 年开始活跃,于 2018 年被跨国联合行动沉重打击后仍在活动。数年间在全球三十多个国家/地区造成了超过 10 亿欧元的损失,累计窃取了超过 1500 万张信用卡信息。需要说明的是,Carbanak(G0008)与 FIN7(G0046)在 ATT&CK 中是两个独立跟踪的组织,因共用 Carbanak 后门等工具而常被并称;本轮评估也因此分为 Carbanak 和 FIN7 两个场景,图层中的图例即按此区分。
MITRE 模拟了 Carbanak/FIN7 的复杂攻击手法,评估不同安全解决方案的检测与分析能力。每个参与测评的厂商都单独提供结果,评估指标如下所示:

  • 检测数量:检测总数,包括原始遥测和分析检测。注意同一子步骤可以产生多条检测,该值会被重复计数放大,它反映的是"告警/数据有多少",并不是覆盖率指标
  • 分析覆盖:至少有一条分析检测(General/Tactic/Technique 级别,能提供额外上下文)的子步骤数量
  • 遥测覆盖:仅靠最少处理的原始数据(遥测)即可看到的子步骤数量
  • 可见数量:至少有一条分析检测或遥测的子步骤数量,即真正意义上的子步骤覆盖面;本轮共 174 个子步骤,可见数量的上限即为 174

将各个厂商的数据整理在一起,如下所示。需要说明的是,MITRE 本身不对厂商打分或排名,下面的汇总和排序均为本文作者自行整理;这些总数也没有体现配置变更(Configuration Change)、延迟检测(Delayed)等修饰符,且评估本身不测误报率和性能开销,选型时应回到各厂商的逐子步骤结果去看。

厂商 检测数量 分析覆盖 遥测覆盖 可见数量
AhnLab 123 37 80 90
Bitdefender 366 151 150 158
Check Point 330 157 161 162
Cisco 160 42 112 122
CrowdStrike 231 64 141 152
Cybereason 302 148 153 160
CyCraft 264 125 128 130
BlackBerry Cylance 253 99 134 141
Cynet 261 107 140 153
Elastic 214 63 138 140
ESET 271 93 143 147
Fidelis 282 119 147 147
FireEye 259 124 117 136
Fortinet 196 68 113 117
F-Secure 253 80 137 152
GoSecure 153 59 84 100
Malwarebytes 187 85 99 116
McAfee 274 93 148 151
Micro Focus 146 82 56 122
Microsoft 356 134 148 151
Open Text 238 67 122 125
Palo Alto Networks 335 149 154 169
ReaQta 220 101 119 135
SentinelOne 333 159 164 174
Sophos 157 39 114 118
Symantec 282 122 143 159
Trend Micro 338 139 162 167
Uptycs 204 62 124 127
VMware Carbon Black 278 90 152 154

值得注意的是,本轮包含 Linux 环境的子步骤,而 AhnLab、ESET、Fortinet、GoSecure、Malwarebytes、Open Text、Sophos 这几家厂商当时没有对应的 Linux Agent,这些子步骤对它们记为无法检测。因此直接比较上表中的总数对这些厂商并不公平,比较时应考虑其实际参评的子步骤数更少。
按检测数量进行排序,如下所示:MITRE - Enterprise Evaluation 2020 - 图2
按分析覆盖进行排序,如下所示:
MITRE - Enterprise Evaluation 2020 - 图3
按遥测覆盖进行排序,如下所示:
MITRE - Enterprise Evaluation 2020 - 图4
按可见数量进行排序,如下所示:
MITRE - Enterprise Evaluation 2020 - 图5
取各项的 TOP3 如下所示:
MITRE - Enterprise Evaluation 2020 - 图6
参与测评的 29 个安全厂商还是以美国的厂商为主,单是美国自己就占到了 18 家,在网络安全领域较为强势的英国和以色列紧随其后。而有些厂商缺席了本次评估测试,例如参与过此前评估的卡巴斯基未参与本次评估。
MITRE - Enterprise Evaluation 2020 - 图7
ATT&CK 的三轮评估分别以知名 APT 组织和金融犯罪团伙为对象进行对抗模拟,无论是专攻 EDR 领域的厂商还是号称能够进行高级威胁检测的厂商都可以参与评估;从参评名单看,各个细分领域都有厂商参加,希望将来能有更多的国内安全厂商参与评估。

附录一

两个场景下不同阶段的检测数量如下所示,想要看具体的数字可在附录二的每个厂商的具体页面中进行查看。
MITRE - Enterprise Evaluation 2020 - 图8
MITRE - Enterprise Evaluation 2020 - 图9
MITRE - Enterprise Evaluation 2020 - 图10
MITRE - Enterprise Evaluation 2020 - 图11
MITRE - Enterprise Evaluation 2020 - 图12
MITRE - Enterprise Evaluation 2020 - 图13
MITRE - Enterprise Evaluation 2020 - 图14
MITRE - Enterprise Evaluation 2020 - 图15

附录二

AhnLab
Bitdefender
Check Point
Cisco
CrowdStrike
Cybereason
CyCraft
BlackBerry Cylance
Cynet
Elastic
ESET
Fidelis
FireEye
Fortinet
F-Secure
GoSecure
Malwarebytes
McAfee
Micro Focus
Microsoft
Open Text
Palo Alto Networks
ReaQta
SentinelOne
Sophos
Symantec
Trend Micro
Uptycs
VMware Carbon Black