Evaluating an EDR Product against Threat Actors: Uncovering Limitations and Collaboration for Enhanced Detection of Multiple Killchains.
During our comprehensive evaluation, we conducted realistic simulations of multiple internal adversary killchains, mimicking the tactics, techniques, and procedures (TTPs) commonly employed by threat actors. However, the EDR product underperformed, as it failed to effectively detect and block various stages of the killchains, including initial access attempts and lateral movement. This highlighted limitations in the product's detection capabilities, necessitating further improvements to enhance its efficacy in defending against internal adversaries.
The combined efforts of our team and the EDR vendor resulted in a more robust and effective detection capability, enabling our clients to better defend against adversary attacks and thwart common killchains. This also benefited the broader customer base of the EDR vendor, reinforcing our commitment to delivering effective cybersecurity solutions for our clients and their end-users.
As a trusted security consultant company, Tenendo’s recent engagement involved evaluating the effectiveness of an Endpoint Detection and Response (EDR) product against simulated internal adversary attacks. Our goal was to thoroughly assess the product’s capabilities in detecting and blocking common killchains used by different threat actors within the organization’s environment. However, our findings revealed limitations in the product’s detection capabilities, presenting us with a challenge that required collaborative efforts to overcome.
How we did it
Through collaborative efforts and the development of customized detection rules, our team successfully enhanced the EDR product’s capabilities in detecting adversary attacks and blocking common killchains, resulting in improved security postures for our clients.
The Attack Lifecycle
Instead of viewing this challenge as a setback, we leveraged our expertise and collaborated with the EDR product vendor. We worked closely with their development and threat-hunting teams, sharing our findings and insights. We provided specific recommendations for implementing additional detection rules and fine-tuning existing ones to enhance the product’s attack detection capabilities. Our collaboration was based on a mutual partnership, with a shared goal of improving the product’s detection capabilities for the benefit of our client.
Through our collaborative efforts, the vendor significantly improved the EDR product. We provided custom detection rules that were tailored to the threat landscape and TTPs of adversaries. These additional rules and implementation recommendations enabled the product to effectively detect and block common killchains that were previously missed. The vendor also incorporated our recommendations into their regular product updates, ensuring that our client and their broader customer base could benefit from the enhanced detection capabilities.
Our case study demonstrates the importance of thorough evaluation and collaborative efforts in cybersecurity. While the initial evaluation revealed limitations in the EDR product’s detection capabilities, our partnership with the vendor resulted in significant improvements and enhanced detection against cyber adversary attacks. We remain committed to providing valuable insights and recommendations to strengthen our client’s security posture against evolving threats in the ever-changing cybersecurity landscape.
This case is a very good example of why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, without using any known exploits or discovering injection, deserialization or other RCE flaws.