---
tags: Hauman工作筆記, MDR, 奧義
---

# MITRE Evaluation Comparison Notes

----------------------------------

## Vendor: CyCraft (奧義科技)

### Evaluated service strategy

#### Alerting Strategy

English original:

Events that are deemed to be related to a suspicious or malicious behavior are assigned appropriate severity values (1-10). These behaviors are also enriched with a short description, related events, and potential mapping(s) to related ATT&CK Tactics and Techniques. Tagged behaviors are aggregated into specific views as well as highlighted (with specific icons and colors) when included as part of other views of system events/data.

Chinese translation (rendered in English):

Security events that the system judges to be related to suspicious or malicious behavior are assigned an appropriate risk value (on a scale of 1-10). These attacker behaviors are also enriched with a short description, related events, and potential mappings to related ATT&CK tactics and techniques. Tagged attacker behaviors are aggregated into dedicated views and are specially marked (with specific icons and colors) whenever they appear as part of other views of system events/data.

#### Correlation Strategy

English original:

Campaign Graph and Behavior Graph views highlight potentially associated suspicious or malicious behaviors in an environment. Each detection includes one or more hosts and process tree views which capture correlation between system events and data, such as process lineage or interactions between processes and files or network connections. Campaign Sequence views are also available to provide a timeline of events across multiple hosts.

Chinese translation (rendered in English):

The Campaign Graph and Behavior Graph views highlight potentially related suspicious or malicious behaviors in the environment. Each detection includes one or more host and process tree views, which capture correlations between system events and data, such as process lineage or interactions between processes and files or network connections. Campaign Sequence views are also available to provide a timeline of events across multiple hosts.

### Test screenshots published by MITRE

----------------------------------

## Vendor: Trend Micro (趨勢科技)

### Evaluated service strategy

#### Alerting Strategy

English original:

The Observed ATT&CK Techniques view contains the majority of alerts. Alerts are generated from detection criteria based on system events that took place. They are assigned a risk level of info, low, medium, high along with a description. Each alert has a dropdown that contains the corresponding events that were triggered on. For network specific alerts, the Deep Discovery Inspector view displays granular network information.
Chinese translation (rendered in English):

The Observed ATT&CK Techniques view contains most of the alerts. Alerts are generated from detection criteria based on the system events that occurred. They are assigned a risk level of info, low, medium, or high, together with a description. Each alert has a dropdown containing the corresponding events that triggered it. For network-specific alerts, the Deep Discovery Inspector view shows granular network information.

#### Correlation Strategy

English original:

The Analysis Chain view captures correlation between system events such as process lineage, file activity, and network communication. Each process or file is a node where the inter-node relationships are the activity that took place. Nodes that met a medium level or greater of maliciousness are colored yellow. Alerts are correlated by host in the Incident Workbench view.

Chinese translation (rendered in English):

The Analysis Chain view captures correlations between system events such as process lineage, file activity, and network communication. Each process or file is a node, and the relationships between nodes are the activity that took place. Nodes that reached a medium or higher level of maliciousness are colored yellow. Alerts are correlated by host in the Incident Workbench view.

### Test screenshots published by MITRE

----------------------------------

## Vendor: Malwarebytes

### Evaluated service strategy

#### Alerting Strategy

English original:

Events that match analytic logic for malicious behaviors are alerted on, assigned a severity of low, medium, or high, and sent to a central queue. These alerted events are enriched with contextual information such as an alert name, short description of the behavior, alert logic, and potential mapping(s) to related ATT&CK Tactics and Techniques. Alerts are also assigned to responsible processes in the process tree view.

Chinese translation (rendered in English):

Security events that match the analytic logic for malicious behaviors are alerted on, assigned a severity of low, medium, or high, and sent to a central queue. These alert events are enriched with contextual information such as the alert name, a short description of the behavior, the alert logic, and potential mappings to related ATT&CK tactics and techniques. Alerts are also assigned to the corresponding processes in the process tree view for browsing.

#### Correlation Strategy

English original:

The process tree captures correlation between processes. Selecting a specific process within the tree will show specific information about the process such as file writes, network connections, and associated alerts. Additionally, an endpoint dashboard exists to correlate alerts by host.
Chinese translation (rendered in English):

The process tree captures the correlation between processes. Selecting a specific process in the tree shows specific information about that process, such as file writes, network connections, and associated alerts. In addition, an endpoint dashboard correlates alerts by host.

### Test screenshots published by MITRE

### Source link

https://attackevals.mitre-engenuity.org/enterprise/participants/malwarebytes/results?adversary=carbanak_fin7

----------------------------------

## Vendor: CrowdStrike

### Evaluated service strategy

#### Alerting Strategy

English original:

Indicators that are deemed to be related to a compromise are assigned appropriate severity values (Informational, Low, Medium, High, Critical). These compromise related indicators are also enriched with contextual information, such as a short description and potential mappings to related ATT&CK Tactics and Techniques, processes, users, hosts, or other assets involved in the alert. In addition, CrowdScore will detect attacks from observed behavior and Indicators of Attack across multiple processes and lateral movement to other devices to identify attacker behavior. These detections are given a contextual CrowdScore (out of 10) to indicate the severity based on the observed behaviors in the customer environment and globally. An overall CrowdScore (out of 100) is given to represent the current threat level across the entire enterprise.

Chinese translation (rendered in English):

Indicators deemed to be related to a compromise are assigned appropriate risk values (Informational, Low, Medium, High, Critical). These compromise-related indicators also carry contextual information, such as a short description and potential mappings to related ATT&CK tactics and techniques, processes, users, hosts, or other assets involved in the alert. In addition, CrowdScore detects attacks based on observed behavior and Indicators of Attack across multiple processes, as well as lateral movement to other devices, to identify attacker behavior. These detections are given a contextual CrowdScore (out of 10) to indicate severity based on the behaviors observed in the customer environment and globally. An overall CrowdScore (out of 100) represents the current threat level across the entire enterprise.

#### Correlation Strategy

English original:

The Incident Workbench presents CrowdScore detections and correlation between system events and data, such as process lineage or interactions between processes, files, and networks. Within the Incident Workbench you can see an overview of activity on hosts, and between hosts and pivot into investigation or response workflows. Investigation and activity views are also present, where process trees are generated that enable visualizations of process lineage, detections, and context for each of the processes within the tree.
Chinese translation (rendered in English):

The Incident Workbench provides CrowdScore detections and correlations between system events and data, such as process lineage or relationships between processes, files, and networks. In the Incident Workbench you can view an overview of activity on hosts and between hosts, and pivot into investigation or response workflows. Investigation and activity views are also provided, in which process trees are generated that visualize process lineage, detections, and context for each process in the tree.

### Test screenshots published by MITRE

### Source link

----------------------------------

## Other

### MITRE evaluation comparison tools

#### Tool for comparing attack-module steps between two vendors (link):

https://attackevals.mitre-engenuity.org/participant_comparison

Usage:

![](https://i.imgur.com/EcNdeW1.png)

#### Tool for comparing attack-module steps across several vendors (link):

https://attackevals.mitre-engenuity.org/technique_comparison?round=carbanak_fin7&step_tid=1.A.1_T1204&vendors=CyCraft,TrendMicro,CrowdStrike

Usage:

![](https://i.imgur.com/MjMAAUM.png)

------------------------------------

## Template

----------------------------------

## Vendor:

### Evaluated service strategy

#### Alerting Strategy

English original:

Chinese translation:

#### Correlation Strategy

English original:

Chinese translation:

### Test screenshots published by MITRE

### Source link

----------------------------------
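The Correlation Strategy sections of all four vendors describe the same two mechanisms: alerts are attached to the responsible process inside a lineage (process tree) view, and alerts are rolled up per host with a timeline across hosts. The Python below is an added example, not code from the page or from any vendor; it runs over constructed telemetry and assumes a simple mapping of the vendors' different severity scales (1-10 numbers, Info/Low/Medium/High/Critical labels) onto one 0-10 scale so that alerts can be compared.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the page or any vendor): a document
# opened from Explorer spawns a shell, which spawns rundll32. Two events carry
# an ATT&CK technique tag and a vendor-style severity; one host has no alerts.
EVENTS = [
    {"t": 1, "host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"t": 2, "host": "ws01", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"t": 3, "host": "ws01", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "technique": "T1059.001", "severity": "High"},
    {"t": 4, "host": "ws01", "pid": 400, "ppid": 300, "image": "rundll32.exe",
     "technique": "T1218.011", "severity": 7},
    {"t": 5, "host": "ws02", "pid": 500, "ppid": 1,   "image": "svchost.exe"},
]

# Assumed label-to-number mapping (an editorial choice, not any vendor's).
LABELS = {"informational": 1, "info": 1, "low": 3, "medium": 5, "high": 8, "critical": 10}

def normalize_severity(value):
    """Clamp numeric scores to 0-10; translate labels via LABELS."""
    if isinstance(value, (int, float)):
        return max(0, min(10, int(value)))
    return LABELS[str(value).lower()]

def build_process_tree(events):
    """Index events by (host, pid) so a parent is found by (host, ppid)."""
    return {(e["host"], e["pid"]): e for e in events}

def lineage(tree, host, pid):
    """Walk ppid links upward; return the chain root-first (process lineage view)."""
    chain = []
    while (host, pid) in tree:
        e = tree[(host, pid)]
        chain.append(e["image"])
        pid = e["ppid"]
    return list(reversed(chain))

def correlate_by_host(events):
    """Per-host roll-up: alert count, highest severity, time-ordered timeline
    where each entry carries the full lineage of the responsible process."""
    tree = build_process_tree(events)
    hosts = defaultdict(lambda: {"alerts": 0, "max_severity": 0, "timeline": []})
    for e in sorted(events, key=lambda ev: ev["t"]):
        if "technique" not in e:
            continue  # plain telemetry, not an alerted event
        sev = normalize_severity(e["severity"])
        h = hosts[e["host"]]
        h["alerts"] += 1
        h["max_severity"] = max(h["max_severity"], sev)
        chain = " > ".join(lineage(tree, e["host"], e["pid"]))
        h["timeline"].append((e["t"], e["technique"], sev, chain))
    return dict(hosts)
```

Hosts without alerted events never appear in the roll-up, which mirrors the vendors' host dashboards listing only hosts with detections.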