Case Studies

EDR product’s effectiveness evaluation

Evaluating EDR Product against Threat Actors: Uncovering Limitations and Collaboration for Enhanced Detection of Multiple Killchains.

schedule a call

The challenge

During our comprehensive evaluation, we conducted realistic simulations of multiple internal adversary killchains, mimicking the tactics, techniques, and procedures (TTPs) commonly employed by threat actors. However, the EDR product underperformed, as it failed to effectively detect and block various stages of the killchains, including initial access attempts and lateral movement. This highlighted limitations in the product's detection capabilities, necessitating further improvements to enhance its efficacy in defending against internal adversaries.

The solution

The combined efforts of our team and the EDR vendor resulted in a more robust and effective detection capability, enabling our clients to better defend against adversary attacks and thwart common killchains. This also benefited the broader customer base of the EDR vendor, reinforcing our commitment to delivering effective cybersecurity solutions for our clients and their end-users.

As a trusted security consultant company, Tenendo’s recent engagement involved evaluating the effectiveness of an Endpoint Detection and Response (EDR) product against simulated internal adversary attacks. Our goal was to thoroughly assess the product’s capabilities in detecting and blocking common killchains used by different threat actors within the organization’s environment. However, our findings revealed limitations in the product’s detection capabilities, presenting us with a challenge that required collaborative efforts to overcome.

How we did it

Through collaborative efforts and the development of customized detection rules, our team successfully enhanced the EDR product’s capabilities in detecting adversary attacks and blocking common killchains, resulting in improved security postures for our clients.

The Attack Lifecycle

Collaborative Efforts

Instead of viewing this challenge as a setback, we leveraged our expertise and collaborated with the EDR product vendor. We worked closely with their development and threat-hunting teams, sharing our findings and insights. We provided specific recommendations for implementing additional detection rules and fine-tuning existing ones to enhance the product’s attack detection capabilities. Our collaboration was based on a mutual partnership, with a shared goal of improving the product’s detection capabilities for the benefit of our client.

Enhanced Detection

Through our collaborative efforts, the vendor significantly improved the EDR product. We provided custom detection rules that were tailored to the threat landscape and TTPs of adversaries. These additional rules and implementation recommendations enabled the product to effectively detect and block common killchains that were previously missed. The vendor also incorporated our recommendations into their regular product updates, ensuring that our client and their broader customer base could benefit from the enhanced detection capabilities.

Conclusion

Our case study demonstrates the importance of thorough evaluation and collaborative efforts in cybersecurity. While the initial evaluation revealed limitations in the EDR product’s detection capabilities, our partnership with the vendor resulted in significant improvements and enhanced detection against cyber adversary attacks. We remain committed to providing valuable insights and recommendations to strengthen our client’s security posture against evolving threats in the ever-changing cybersecurity landscape.

Your Cyber Resiliency is Our Passion

schedule a call

White paper: Red Teaming

This white paper outlines different stages of the attack lifecycle. It describes various adversary simulation activities that a Red Team may undertake, including attack surface mapping, phishing, evasion and mimicking known tools, tactics, and procedures, on-demand purple team exercises, and a Red Team project. The document also provides information about the methodology, testing process, results, and recommendations.

About security testing:

Azure Active Directory compromise

The Azure penetration test helped the client identify and remediate multiple issues and misconfigurations, harden their infrastructure and calculate potential risks.

Case Studies | Case studies. Red Teaming | Case studies. Security

Social engineering

During this social engineering engagement, it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and compromise the internal segmented infrastructure.

Case Studies | Case studies. Security | Case studies. VAPT

Internal Adversary Simulation Case

The adversary simulation activity helped the client identify and remediate multiple issues with the on-premise infrastructure and vulnerabilities, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.