
Carbanak+FIN7 Evaluation: Protection Categories

Protection Categories

Protection categories are used to identify clearly whether a protection was encountered during the adversary emulation, and whether a user prompt was required to confirm the blocking activity. Categories are subject to change based on lessons learned from the evaluation.

Not Applicable

The vendor did not deploy protection capabilities on the system under test. The vendor must state before the evaluation which systems it did not deploy a sensor on, so that Not Applicable can be in scope for the relevant steps.

Examples
No sensor was deployed on the Linux systems within the environment to block red team activity.

The technique under test was not blocked, or the technique was unsuccessful but the capability provided the user no evidence that it had blocked the activity.

Examples
The technique under test was successful.

The technique under test was unsuccessful, but the capability displayed no evidence that the behavior was explicitly blocked by the tool.

The technique under test was blocked and the user was explicitly informed that the capability blocked the activity.

Examples
A detection was generated for “Potential Malicious Credential Dumping” specifying that the capability detected potential credential access activity and successfully blocked the behavior.

Protection Modifier Categories