MITRE ATT&CK Round 3 Evaluation Results Released – Author: sanfenqiantu

Each year MITRE emulates a different attack group and evaluates the participating security vendors against it. On April 20, 2021, MITRE published the results of the latest round of ATT&CK security-solution evaluations. This is the third round, following the 2018 evaluation (detection of APT3) and the 2019 evaluation (detection of APT29); the target of the 2020 evaluation was detection of Carbanak/FIN7.

29 security vendors took part in this round, including large vendors such as Microsoft and Cisco; strong endpoint-security vendors such as CrowdStrike and Carbon Black; and traditional security vendors such as Bitdefender, McAfee and Symantec. The full list is as follows:

[Figure: list of the 29 participating vendors]

Carbanak/FIN7 has been active since 2013 and remained active even after a joint multinational operation dealt it a heavy blow in 2018. Over the years it has caused losses of more than 1 billion euros in more than thirty countries and regions and stolen the details of more than 15 million credit cards.

MITRE emulated Carbanak/FIN7's complex attack techniques to evaluate the detection and analysis capabilities of different security solutions. Results are reported separately for each participating vendor, using the following metrics:

Detection count: the total number of detections, including both raw telemetry and analytic detections

Analytic coverage: the number of sub-steps for which a detection with additional context was provided

Telemetry coverage: the number of sub-steps detected with minimal processing

Visibility (visible count): the number of sub-steps with either an analytic or a telemetry detection

The data for all vendors, collected in one table:

Vendor               Detections  Analytic  Telemetry  Visibility
AhnLab                      123        37         80          90
Bitdefender                 366       151        150         158
Check Point                 330       157        161         162
Cisco                       160        42        112         122
CrowdStrike                 231        64        141         152
Cybereason                  302       148        153         160
CyCraft                     264       125        128         130
BlackBerry Cylance          253        99        134         141
Cynet                       261       107        140         153
Elastic                     214        63        138         140
ESET                        271        93        143         147
Fidelis                     282       119        147         147
FireEye                     259       124        117         136
Fortinet                    196        68        113         117
F-Secure                    253        80        137         152
GoSecure                    153        59         84         100
Malwarebytes                187        85         99         116
McAfee                      274        93        148         151
Micro Focus                 146        82         56         122
Microsoft                   356       134        148         151
Open Text                   238        67        122         125
Palo Alto Networks          335       149        154         169
ReaQta                      220       101        119         135
SentinelOne                 333       159        164         174
Sophos                      157        39        114         118
Symantec                    282       122        143         159
Trend Micro                 338       139        162         167
Uptycs                      204        62        124         127
VMware Carbon Black         278        90        152         154

Note that some sub-steps in the Linux environment could not be detected by vendors that had no corresponding Linux agent: AhnLab, ESET, Fortinet, GoSecure, Malwarebytes, Open Text and Sophos.

Vendors ranked by detection count:

[Figure: vendors ranked by detection count]

Vendors ranked by analytic coverage:

[Figure: vendors ranked by analytic coverage]

Vendors ranked by telemetry coverage:

[Figure: vendors ranked by telemetry coverage]

Vendors ranked by visibility:

[Figure: vendors ranked by visibility]

The TOP3 for each metric:

[Figure: TOP3 vendors per metric]

The 29 participating vendors are predominantly American: the United States alone accounts for 18 of them, followed by the United Kingdom and Israel, both strong in the cybersecurity field. Some vendors were absent from this round; for example, Kaspersky, which took part in earlier evaluations, did not participate this time.

[Figure: participating vendors by country]

The three ATT&CK evaluation rounds have emulated well-known APT and cybercrime groups. Both vendors specialising in EDR and vendors that claim advanced threat detection can take part, and the participants indeed span different market segments. Hopefully more domestic (Chinese) security vendors will join future evaluations.
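As an added example (Python, not part of the original article), the script below embeds the results table above, recomputes the ranking by each metric and the TOP3 lists, and checks the figures against the metric definitions. The consistency rule it applies is this example's own inference from the definitions as stated on the page: visibility is the union of analytic and telemetry detections, so it can be neither below either coverage figure nor above their sum, and the detection count cannot be below visibility.

```python
# Added example, not part of the original article: recompute the rankings and
# the TOP3 lists from the table above and check the figures against the metric
# definitions. All numbers are transcribed from the page.
from typing import List, Tuple

# (vendor, detection count, analytic coverage, telemetry coverage, visibility)
RESULTS: List[Tuple[str, int, int, int, int]] = [
    ("AhnLab", 123, 37, 80, 90), ("Bitdefender", 366, 151, 150, 158),
    ("Check Point", 330, 157, 161, 162), ("Cisco", 160, 42, 112, 122),
    ("CrowdStrike", 231, 64, 141, 152), ("Cybereason", 302, 148, 153, 160),
    ("CyCraft", 264, 125, 128, 130), ("BlackBerry Cylance", 253, 99, 134, 141),
    ("Cynet", 261, 107, 140, 153), ("Elastic", 214, 63, 138, 140),
    ("ESET", 271, 93, 143, 147), ("Fidelis", 282, 119, 147, 147),
    ("FireEye", 259, 124, 117, 136), ("Fortinet", 196, 68, 113, 117),
    ("F-Secure", 253, 80, 137, 152), ("GoSecure", 153, 59, 84, 100),
    ("Malwarebytes", 187, 85, 99, 116), ("McAfee", 274, 93, 148, 151),
    ("Micro Focus", 146, 82, 56, 122), ("Microsoft", 356, 134, 148, 151),
    ("Open Text", 238, 67, 122, 125), ("Palo Alto Networks", 335, 149, 154, 169),
    ("ReaQta", 220, 101, 119, 135), ("SentinelOne", 333, 159, 164, 174),
    ("Sophos", 157, 39, 114, 118), ("Symantec", 282, 122, 143, 159),
    ("Trend Micro", 338, 139, 162, 167), ("Uptycs", 204, 62, 124, 127),
    ("VMware Carbon Black", 278, 90, 152, 154),
]
METRICS = ("detections", "analytic", "telemetry", "visibility")

def ranking(metric: str) -> List[Tuple[str, int]]:
    """Vendors ordered by one metric, highest first (ties keep table order)."""
    col = METRICS.index(metric) + 1
    return sorted(((r[0], r[col]) for r in RESULTS), key=lambda x: -x[1])

def top3(metric: str) -> List[str]:
    """Names of the three best vendors for the given metric."""
    return [name for name, _ in ranking(metric)[:3]]

def inconsistent_rows() -> List[str]:
    """Rows that contradict the metric definitions (assumed invariant, see
    lead-in). Visibility counts sub-steps with an analytic OR a telemetry
    detection, so it is at least max(analytic, telemetry) and at most their
    sum; the detection count tallies every detection, so it is at least the
    visibility. An empty list means the transcribed table is consistent."""
    return [name for name, det, ana, tel, vis in RESULTS
            if not (max(ana, tel) <= vis <= ana + tel and det >= vis)]

if __name__ == "__main__":
    for metric in METRICS:
        print(f"TOP3 by {metric}: {top3(metric)}")
    print("inconsistent rows:", inconsistent_rows() or "none")
```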

Appendix 1

Detection counts by stage for the two scenarios are shown below; the exact figures can be viewed on each vendor's results page listed in Appendix 2.

[Figures: detection counts by stage for the two scenarios]

Appendix 2

Vendor: evaluation results page

AhnLab: https://attackevals.mitre-engenuity.org/enterprise/participants/ahnlab/?adversary=carbanak_fin7
Bitdefender: https://attackevals.mitre-engenuity.org/enterprise/participants/bitdefender/?adversary=carbanak_fin7
Check Point: https://attackevals.mitre-engenuity.org/enterprise/participants/checkpoint/?adversary=carbanak_fin7
Cisco: https://attackevals.mitre-engenuity.org/enterprise/participants/cisco/?adversary=carbanak_fin7
CrowdStrike: https://attackevals.mitre-engenuity.org/enterprise/participants/crowdstrike/?adversary=carbanak_fin7
Cybereason: https://attackevals.mitre-engenuity.org/enterprise/participants/cybereason/?adversary=carbanak_fin7
CyCraft: https://attackevals.mitre-engenuity.org/enterprise/participants/cycraft/?adversary=carbanak_fin7
BlackBerry Cylance: https://attackevals.mitre-engenuity.org/enterprise/participants/cylance/?adversary=carbanak_fin7
Cynet: https://attackevals.mitre-engenuity.org/enterprise/participants/cynet/?adversary=carbanak_fin7
Elastic: https://attackevals.mitre-engenuity.org/enterprise/participants/elastic/?adversary=carbanak_fin7
ESET: https://attackevals.mitre-engenuity.org/enterprise/participants/eset/?adversary=carbanak_fin7
Fidelis: https://attackevals.mitre-engenuity.org/enterprise/participants/fidelis/?adversary=carbanak_fin7
FireEye: https://attackevals.mitre-engenuity.org/enterprise/participants/fireeye/?adversary=carbanak_fin7
Fortinet: https://attackevals.mitre-engenuity.org/enterprise/participants/fortinet/?adversary=carbanak_fin7
F-Secure: https://attackevals.mitre-engenuity.org/enterprise/participants/f-secure/?adversary=carbanak_fin7
GoSecure: https://attackevals.mitre-engenuity.org/enterprise/participants/gosecure/?adversary=carbanak_fin7
Malwarebytes: https://attackevals.mitre-engenuity.org/enterprise/participants/malwarebytes/?adversary=carbanak_fin7
McAfee: https://attackevals.mitre-engenuity.org/enterprise/participants/mcafee/?adversary=carbanak_fin7
Micro Focus: https://attackevals.mitre-engenuity.org/enterprise/participants/microfocus/?adversary=carbanak_fin7
Microsoft: https://attackevals.mitre-engenuity.org/enterprise/participants/microsoft/?adversary=carbanak_fin7
Open Text: https://attackevals.mitre-engenuity.org/enterprise/participants/opentext/?adversary=carbanak_fin7
Palo Alto Networks: https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks/?adversary=carbanak_fin7
ReaQta: https://attackevals.mitre-engenuity.org/enterprise/participants/reaqta/?adversary=carbanak_fin7
SentinelOne: https://attackevals.mitre-engenuity.org/enterprise/participants/sentinelone/?adversary=carbanak_fin7
Sophos: https://attackevals.mitre-engenuity.org/enterprise/participants/sophos/?adversary=carbanak_fin7
Symantec: https://attackevals.mitre-engenuity.org/enterprise/participants/symantec/?adversary=carbanak_fin7
Trend Micro: https://attackevals.mitre-engenuity.org/enterprise/participants/trendmicro/?adversary=carbanak_fin7
Uptycs: https://attackevals.mitre-engenuity.org/enterprise/participants/uptycs/?adversary=carbanak_fin7
VMware Carbon Black: https://attackevals.mitre-engenuity.org/enterprise/participants/vmware/?adversary=carbanak_fin7

Source: WeChat official account 威胁棱镜

Source: freebuf.com 2021-04-29 10:32:15 by: sanfenqiantu
