Tallies from my own viewpoint
This time I present the tallies for the five viewpoints described in MITRE Evaluations: Turla (2023), my personal analysis (part 3).
The five categories are: user operations; the behaviour of the malware itself; behaviour such as command execution together with the traces it leaves in the OS; network behaviour; and verdicts on the files or data themselves.
My thinking is that the detection status in each category lets you judge where each solution is strong and where it is weak, so I am publishing the tallies.
Please note, as stated in the caveats of MITRE Evaluations: Turla (2023), my personal analysis (part 1), that these are only tallies: they say nothing about cost, false positives or over-detection, or day-to-day operation.
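As an added example that is not part of the original post, the following Python recomputes the per-category detection rates from one vendor block in the page's pipe-separated layout and flags the categories where a product is weak. The rate formula, 〇 divided by 〇 + △ + ×, is not stated in the post; it is inferred from the printed numbers (every printed rate in the tables below matches it), which means a △ counts against the rate exactly like a ×. Reading 〇/△/× as full, partial and no detection, and the 50 % "weak" threshold, are my assumptions; the sample block is the AhnLab rows copied from the page.

```python
"""Recompute the 〇/△/× detection rates used in the tallies and flag weak categories."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CategoryCount:
    full: int            # 〇: full detection (assumed meaning)
    partial: int         # △: partial detection (assumed meaning); counts against the rate
    none: int            # ×: no detection
    printed_rate: float  # rate as printed in the table, kept for cross-checking


def detection_rate(c: CategoryCount) -> float:
    """Percentage of steps with a 〇, i.e. 〇 / (〇 + △ + ×), rounded to two decimals.

    This is the formula inferred from the page's numbers: a △ is not credited.
    """
    total = c.full + c.partial + c.none
    return 0.0 if total == 0 else round(100.0 * c.full / total, 2)


def parse_vendor_table(text: str) -> Dict[str, CategoryCount]:
    """Parse one vendor block laid out as '<category> | 〇 | △ | × | <rate>% |'.

    The header row (first cell '〇') is skipped; the printed rate is stored,
    not trusted, so it can be compared with the recomputed value.
    """
    counts: Dict[str, CategoryCount] = {}
    for line in text.strip().splitlines():
        cells = [x.strip() for x in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] in ("", "〇"):
            continue
        counts[cells[0]] = CategoryCount(
            int(cells[1]), int(cells[2]), int(cells[3]), float(cells[4].rstrip("%"))
        )
    return counts


def check_printed_rates(counts: Dict[str, CategoryCount]) -> List[str]:
    """Return the categories whose printed rate disagrees with the recomputed one."""
    return [n for n, c in counts.items() if abs(detection_rate(c) - c.printed_rate) > 0.005]


def weak_categories(counts: Dict[str, CategoryCount], threshold: float = 50.0) -> List[str]:
    """Categories below the threshold, i.e. where the product misses more than it fully detects."""
    return [n for n, c in counts.items() if detection_rate(c) < threshold]


# Sample input: the AhnLab block copied from the page, in the page's own layout.
SAMPLE_AHNLAB = """
〇 | △ | × | 検知率 | |
User activity | 4 | 0 | 0 | 100.00% |
Malware Inside Behavior | 22 | 2 | 14 | 57.89% |
Command Level/Leaves traces to be detected in the OS Behavior | 56 | 0 | 0 | 100.00% |
Network | 12 | 0 | 2 | 85.71% |
File or data attribute | 2 | 0 | 3 | 40.00% |
"""

if __name__ == "__main__":
    table = parse_vendor_table(SAMPLE_AHNLAB)
    for name, c in table.items():
        print(f"{name}: {detection_rate(c):.2f}% (printed {c.printed_rate:.2f}%)")
    print("mismatches:", check_printed_rates(table))
    print("weak (<50%):", weak_categories(table))
```

Running it against any other vendor block on this page reproduces the printed rates, which is the quickest way to confirm that the tallies credit only full detections.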
AhnLab

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 22 | 2 | 14 | 57.89% |
| Command Level/Leaves traces to be detected in the OS Behavior | 56 | 0 | 0 | 100.00% |
| Network | 12 | 0 | 2 | 85.71% |
| File or data attribute | 2 | 0 | 3 | 40.00% |

Bitdefender

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 39 | 1 | 8 | 81.25% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 17 | 1 | 0 | 94.44% |
| File or data attribute | 5 | 2 | 3 | 50.00% |

BlackBerry

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 22 | 13 | 13 | 45.83% |
| Command Level/Leaves traces to be detected in the OS Behavior | 54 | 3 | 5 | 87.10% |
| Network | 7 | 7 | 4 | 38.89% |
| File or data attribute | 3 | 3 | 4 | 30.00% |

Broadcom Symantec

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 23 | 6 | 19 | 47.92% |
| Command Level/Leaves traces to be detected in the OS Behavior | 55 | 7 | 0 | 88.71% |
| Network | 9 | 1 | 8 | 50.00% |
| File or data attribute | 2 | 1 | 7 | 20.00% |

CrowdStrike

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 48 | 0 | 0 | 100.00% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

Cybereason

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 47 | 1 | 0 | 97.92% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

Cynet

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 48 | 0 | 0 | 100.00% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

Deep Instinct

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 35 | 0 | 10 | 77.78% |
| Command Level/Leaves traces to be detected in the OS Behavior | 58 | 0 | 1 | 98.31% |
| Network | 13 | 2 | 1 | 81.25% |
| File or data attribute | 5 | 0 | 3 | 62.50% |

Elastic

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 23 | 7 | 18 | 47.92% |
| Command Level/Leaves traces to be detected in the OS Behavior | 47 | 15 | 0 | 75.81% |
| Network | 5 | 11 | 2 | 27.78% |
| File or data attribute | 1 | 2 | 7 | 10.00% |

ESET

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 22 | 5 | 21 | 45.83% |
| Command Level/Leaves traces to be detected in the OS Behavior | 52 | 10 | 0 | 83.87% |
| Network | 6 | 8 | 4 | 33.33% |
| File or data attribute | 1 | 3 | 6 | 10.00% |

Fortinet

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 44 | 2 | 3 | 89.80% |
| Command Level/Leaves traces to be detected in the OS Behavior | 60 | 2 | 0 | 96.77% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

HarfangLab

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 27 | 11 | 11 | 55.10% |
| Command Level/Leaves traces to be detected in the OS Behavior | 59 | 1 | 2 | 95.16% |
| Network | 17 | 0 | 1 | 94.44% |
| File or data attribute | 6 | 0 | 4 | 60.00% |

IBM Security

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 21 | 3 | 25 | 42.86% |
| Command Level/Leaves traces to be detected in the OS Behavior | 54 | 7 | 1 | 87.10% |
| Network | 9 | 3 | 6 | 50.00% |
| File or data attribute | 2 | 0 | 8 | 20.00% |

Malwarebytes

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 33 | 3 | 13 | 67.35% |
| Command Level/Leaves traces to be detected in the OS Behavior | 55 | 5 | 2 | 88.71% |
| Network | 11 | 1 | 6 | 61.11% |
| File or data attribute | 5 | 1 | 4 | 50.00% |

Microsoft

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 47 | 2 | 0 | 95.92% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 17 | 1 | 0 | 94.44% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

Palo Alto Networks

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 49 | 0 | 0 | 100.00% |
| Command Level/Leaves traces to be detected in the OS Behavior | 62 | 0 | 0 | 100.00% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 10 | 0 | 0 | 100.00% |

Qualys

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 17 | 14 | 17 | 35.42% |
| Command Level/Leaves traces to be detected in the OS Behavior | 42 | 19 | 1 | 67.74% |
| Network | 10 | 1 | 5 | 62.50% |
| File or data attribute | 2 | 3 | 4 | 22.22% |

Rapid7

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 15 | 12 | 22 | 30.61% |
| Command Level/Leaves traces to be detected in the OS Behavior | 26 | 30 | 6 | 41.94% |
| Network | 2 | 9 | 7 | 11.11% |
| File or data attribute | 1 | 2 | 7 | 10.00% |

Secureworks

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 19 | 9 | 21 | 38.78% |
| Command Level/Leaves traces to be detected in the OS Behavior | 42 | 19 | 1 | 67.74% |
| Network | 6 | 8 | 4 | 33.33% |
| File or data attribute | 4 | 1 | 5 | 40.00% |

SentinelOne

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 36 | 3 | 3 | 85.71% |
| Command Level/Leaves traces to be detected in the OS Behavior | 60 | 0 | 0 | 100.00% |
| Network | 13 | 3 | 1 | 76.47% |
| File or data attribute | 7 | 0 | 1 | 87.50% |

Somma

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 5 | 12 | 32 | 10.20% |
| Command Level/Leaves traces to be detected in the OS Behavior | 33 | 15 | 14 | 53.23% |
| Network | 5 | 8 | 5 | 27.78% |
| File or data attribute | 2 | 0 | 8 | 20.00% |

Sophos

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 48 | 1 | 0 | 97.96% |
| Command Level/Leaves traces to be detected in the OS Behavior | 61 | 0 | 1 | 98.39% |
| Network | 18 | 0 | 0 | 100.00% |
| File or data attribute | 9 | 0 | 1 | 90.00% |

Tehtris

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 20 | 2 | 27 | 40.82% |
| Command Level/Leaves traces to be detected in the OS Behavior | 50 | 10 | 2 | 80.65% |
| Network | 1 | 8 | 9 | 5.56% |
| File or data attribute | 0 | 1 | 9 | 0.00% |

Trellix

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 30 | 5 | 14 | 61.22% |
| Command Level/Leaves traces to be detected in the OS Behavior | 58 | 2 | 2 | 93.55% |
| Network | 9 | 5 | 4 | 50.00% |
| File or data attribute | 4 | 0 | 6 | 40.00% |

Trend Micro

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 35 | 2 | 12 | 71.43% |
| Command Level/Leaves traces to be detected in the OS Behavior | 60 | 2 | 0 | 96.77% |
| Network | 14 | 2 | 2 | 77.78% |
| File or data attribute | 6 | 1 | 3 | 60.00% |

Uptycs

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 32 | 5 | 12 | 65.31% |
| Command Level/Leaves traces to be detected in the OS Behavior | 61 | 0 | 1 | 98.39% |
| Network | 17 | 1 | 0 | 94.44% |
| File or data attribute | 6 | 0 | 4 | 60.00% |

VMware Carbon Black

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 3 | 1 | 0 | 75.00% |
| Malware Inside Behavior | 19 | 7 | 23 | 38.78% |
| Command Level/Leaves traces to be detected in the OS Behavior | 50 | 8 | 4 | 80.65% |
| Network | 10 | 2 | 6 | 55.56% |
| File or data attribute | 2 | 1 | 7 | 20.00% |

WatchGuard

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 4 | 0 | 0 | 100.00% |
| Malware Inside Behavior | 21 | 6 | 18 | 46.67% |
| Command Level/Leaves traces to be detected in the OS Behavior | 54 | 4 | 1 | 91.53% |
| Network | 11 | 1 | 4 | 68.75% |
| File or data attribute | 2 | 1 | 5 | 25.00% |

WithSecure

| Category | 〇 | △ | × | Detection rate |
|---|---|---|---|---|
| User activity | 2 | 2 | 0 | 50.00% |
| Malware Inside Behavior | 16 | 3 | 30 | 32.65% |
| Command Level/Leaves traces to be detected in the OS Behavior | 48 | 12 | 2 | 77.42% |
| Network | 10 | 1 | 7 | 55.56% |
| File or data attribute | 1 | 1 | 8 | 10.00% |