MITRE Engenuity ATT&CK Competitive Talking Points

TALKING POINTS

The EDR Evaluation: Carbanak+FIN7

By The Competitive Team

©2021 Check Point Software Technologies Ltd. 1


Leading EDR Vendor!

MITRE ATT&CK – CARBANAK AND FIN7

What is it?

CARBANAK is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security.
MITRE – ANALYZING THE RESULTS

MITRE DETECTION CATEGORIES – per SUB-STEP

• None – did not pass the minimal requirement for visibility
• Telemetry – visibility to raw data, no context or mapping to the relevant TTP
• General – visibility to an alert referring to the event, with no context
• Tactic – visibility to an alert with high-level context only (tactic group)
• Technique – HIGHEST visibility – alert with specific context mapped to the relevant TTP

PUBLISHED METRICS

• Detection count – total # of detections of ANY type
• Analytic coverage – number of sub-steps with a detection ABOVE telemetry (General, Tactic, Technique)
• Telemetry coverage – number of sub-steps with telemetry
• Visibility – number of sub-steps with ANY type of detection (Telemetry, General, Tactic, Technique)
MITRE – ANALYZING THE RESULTS – PART 2

CARBANAK AND FIN7 STATS

• 20 steps
• 174 sub-steps
• 46 techniques

All vendors are analyzing the results in different ways:
• Per sub-step / step / technique
• Counting ANY visibility / telemetry / analytics / detection
• Removing protection-only / day 3 (config change modifier) / specific vendors
• Check Point's calculation uses the summaries MITRE presents as an aggregated result, which is the most straightforward approach (see next slide)

Meaning – many more metrics than the ones published by MITRE.


How Did We Calculate?

• DETECTION COUNT = each observable can generate several/many alerts, hence not unique
• ANALYTICS COVERAGE = what exactly happened, with breakdown info. Example: PowerShell does screen capture = technique
• TELEMETRY COVERAGE = alert that something happened. Example: PowerShell calls BitBlt
• VISIBILITY = average of analytics and telemetry coverage. Meaning even if only one of the two (analytics or telemetry) generated an alert, it counts in "Visibility"

• CONCLUSION: the unique measurement of the real ability is Analytics and Telemetry. We aggregated the result.
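The detection categories and the four published metrics listed on the previous slides, together with the "remove the day-3 config change modifier" filtering the deck mentions, can be worked through on a small data set. The following Python is an added example written for this page; it is not Check Point's or MITRE Engenuity's code, and it does not reproduce the aggregation behind Check Point's own ranking. It assumes that a sub-step can carry several detections (the slide's reason why the detection count is not unique), uses "Config Change" as a placeholder label for the day-3 modifier, and the sub-step results, technique ids and category assignments are constructed sample data for one hypothetical vendor.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Category(IntEnum):
    """Detection categories in increasing order of context, as listed on the slide."""
    NONE = 0        # did not meet the minimal visibility requirement
    TELEMETRY = 1   # raw data, no context
    GENERAL = 2     # alert with no context
    TACTIC = 3      # alert with tactic-level context only
    TECHNIQUE = 4   # alert with technique-level context (highest)


@dataclass(frozen=True)
class Detection:
    category: Category
    # Modifier labels attached by the evaluators. "Config Change" is a placeholder
    # name for the day-3 configuration-change modifier the slide refers to.
    modifiers: FrozenSet[str] = frozenset()


@dataclass
class SubStep:
    step: int
    technique: str                      # ATT&CK technique id exercised by this sub-step
    detections: List[Detection] = field(default_factory=list)

    def active(self, excluded: FrozenSet[str]) -> List[Detection]:
        """Detections left after dropping any that carry an excluded modifier."""
        return [d for d in self.detections if not (d.modifiers & excluded)]


NO_EXCLUSIONS: FrozenSet[str] = frozenset()


def detection_count(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> int:
    """Total detections of any type. One observable can raise several, so this is not unique."""
    return sum(len(s.active(excluded)) for s in substeps)


def telemetry_coverage(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> int:
    """Sub-steps with at least one Telemetry detection."""
    return sum(1 for s in substeps
               if any(d.category == Category.TELEMETRY for d in s.active(excluded)))


def analytic_coverage(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> int:
    """Sub-steps with at least one detection above Telemetry (General, Tactic or Technique)."""
    return sum(1 for s in substeps
               if any(d.category > Category.TELEMETRY for d in s.active(excluded)))


def visibility(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> int:
    """Sub-steps with any detection at all (Telemetry or above)."""
    return sum(1 for s in substeps
               if any(d.category > Category.NONE for d in s.active(excluded)))


def technique_coverage(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> int:
    """Unique techniques with at least one Technique-level detection (the per-technique view)."""
    covered = {s.technique for s in substeps
               if any(d.category == Category.TECHNIQUE for d in s.active(excluded))}
    return len(covered)


def summary(substeps: List[SubStep], excluded: FrozenSet[str] = NO_EXCLUSIONS) -> Dict[str, int]:
    """All published metrics for one vendor's results, optionally without some modifiers."""
    return {
        "sub_steps": len(substeps),
        "techniques": len({s.technique for s in substeps}),
        "detection_count": detection_count(substeps, excluded),
        "telemetry_coverage": telemetry_coverage(substeps, excluded),
        "analytic_coverage": analytic_coverage(substeps, excluded),
        "visibility": visibility(substeps, excluded),
        "technique_coverage": technique_coverage(substeps, excluded),
    }


# Constructed sample: six sub-steps over four techniques for one hypothetical vendor.
# Sub-step 4 is the slide's PowerShell example: telemetry plus a context-free alert.
CONSTRUCTED_RESULTS = [
    SubStep(1, "T1566.001", [Detection(Category.TELEMETRY), Detection(Category.TECHNIQUE)]),
    SubStep(1, "T1204.002", [Detection(Category.TELEMETRY)]),
    SubStep(2, "T1059.001", [Detection(Category.TECHNIQUE), Detection(Category.TECHNIQUE)]),
    SubStep(2, "T1059.001", [Detection(Category.GENERAL), Detection(Category.TELEMETRY)]),
    SubStep(3, "T1113", []),                                   # missed entirely: None
    SubStep(3, "T1113", [Detection(Category.TACTIC, frozenset({"Config Change"}))]),
]

if __name__ == "__main__":
    print("all detections:       ", summary(CONSTRUCTED_RESULTS))
    print("without config change:", summary(CONSTRUCTED_RESULTS, frozenset({"Config Change"})))
```

On the constructed data the detection count is 8 while only 5 sub-steps are visible, which is the slide's point that counts are not unique; visibility (5) is neither the average nor the sum of analytic (4) and telemetry (3) coverage, because a sub-step with both kinds of detection is counted once; and dropping the config-change detection moves the analytic figure from 4 to 3, which is the kind of difference the "day 3" filtering produces.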
MITRE ATT&CK DETECTION EVENTS

• No event data to show
• Raw event data with no context (Why was this event done?)
• Malicious/Suspicious event occurred but no context (What was accomplished by this event?)
• Best Detection Event
IMPORTANT POINTS YOU SHOULD GET FROM THIS TEST

1. Check Point is the #2 vendor in the overall aggregated results of all parts of the evaluation, compared to all vendors.
2. 29 vendors participated in this test and Check Point is leading the pack!
3. No other vendor achieved higher than Harmony Endpoint in Windows Analytic Coverage.
4. THE HIGHEST COVERAGE of technique-level detection for unique detections – #1 out of all vendors (we detected 44 out of 46 techniques at the technique level – not just "visibility", but with the proper context).

This evaluation focuses on the EDR (Endpoint Detection & Response) component and Check Point did much better than the perceived leaders in this industry. (Can anyone say CrowdStrike?)

We chose the top 15 vendors to be calculated in our rating:

• CrowdStrike came in 15th! And this is important as they are perceived as a leader in the EDR landscape (#1 EDR winner in the Forrester Wave)
• Carbon Black in the middle of the pack despite being considered an EDR stalwart
• Palo Alto Networks came in 3rd
• Trend Micro got respectable results
• Microsoft came in only 7th… despite their $10B security business
• Symantec and McAfee came in 8th and 13th respectively and continue to underperform in 3rd-party evaluations
• Fortinet with FortiEDR (enSilo acquisition) – missed almost 60% of the analytic coverage
• Sophos Intercept X is near the bottom of the pack!
• Cisco finishes last
• Finally – Check Point beat all of the top-rated vendors (CrowdStrike, Trend Micro, Microsoft) from the Forrester Wave EDR 2020!
• Remember that Check Point always does better on hands-on evaluations, where the product is actually tested, compared to market-analysis questionnaires and surveys (no offense)
COMPETITIVE TOOLS

MITRE ENGENUITY ATT&CK MAP

[Scatter chart: Analytics coverage (x-axis, 20%–100%) against Telemetry coverage (y-axis, 55%–100%) for SentinelOne, Trend Micro, Check Point, ESET, Palo Alto, Carbon Black, Cybereason, McAfee, Microsoft, BitDefender, Symantec, Crowdstrike, Cynet, Cylance, Sophos, Fortinet, FireEye and Cisco. Created by Check Point and based on the MITRE official evaluation summary.]
MITRE ENGENUITY ATT&CK – #1 WITH UNIQUE TECHNIQUE DETECTION – COVERAGE PER TECHNIQUE

[Bar chart: techniques detected at the technique level, out of 46, for Check Point, Trend Micro, Palo Alto, Cybereason, SentinelOne, FireEye, Microsoft, Symantec and Crowdstrike (y-axis 14–46; bar labels as extracted, in order: 44, 42, 41, 41, 39, 38, 37, 35, 15).]
https://mitre.checkpoint.com/

Few Examples of Useful Comparisons on the MITRE Page

https://attackevals.mitreengenuity.org/participant_comparison.html
Example

COMPLEX ANALYSIS DISPLAYED IN HTML SYNTAX, MAKING IT IMPOSSIBLE TO REACT INSTANTLY TO AN ON-GOING ATTACK

Example

CHECK POINT PROVIDES BOTH A GRAPHICAL AND A DETAILED VIEW. CLEAR AND EASY TO UNDERSTAND

Example

NONE

NONE

Technique totally missed by McAfee. Detected and described by Check Point.
THANK YOU
