Carbanak+FIN7 Evaluation: Protection Categories
Protection categories will be used to clearly identify whether or not a protection was encountered in the adversary emulation, and whether a user prompt was required to confirm the blocking activity. Categories are subject to change, based on lessons learned from the evaluation.
| Category | Description | Example |
|---|---|---|
| Not Applicable | Vendor did not deploy protection capabilities on the system under test. The vendor must state before the evaluation which systems they did not deploy a sensor on, so that Not Applicable can be in scope for the relevant steps. | No sensor was deployed on the Linux systems within the environment to block red team activity. |
| None | The technique under test was not blocked and/or the technique was unsuccessful, and no evidence was provided to the user that the capability blocked the activity. | The technique under test was successful. Or: the technique under test was unsuccessful, but no evidence was displayed within the capability showing that the behavior was explicitly blocked by the tool. |
| Blocked | The technique under test was blocked and the user was explicitly informed that the capability blocked the activity. | A detection was generated for “Potential Malicious Credential Dumping” specifying that the capability detected potential credential access activity and successfully blocked the behavior. |
Protection Modifier Categories
| Modifier | Description | Example |
|---|---|---|
| User Consent | The technique under test was blocked only after confirmation/consent was manually provided by the user. | A detection was generated for “Potential Malicious Credential Dumping” specifying that the capability detected potential credential access activity and successfully blocked the behavior only after the user accepted a prompt to confirm that the behavior should be blocked. This protection would receive a Modifier protection category of User Consent. |