EDR product’s effectiveness evaluation
Evaluating EDR Product against Threat Actors: Uncovering Limitations and Collaboration for Enhanced Detection of Multiple Killchains.
The penetration testing team was hired to perform an internal adversary simulation assessment for an undisclosed financial institution. The end goal of the test was to obtain network access and valid application authentication credentials to the internal protected processing segment. It should be noted that generic quarterly infrastructure penetration tests were performed by a third-party team and the Client has mitigated vulnerabilities detailed in previous penetration test reports.
The simulation was staged onsite at the Client’s premises, which allowed for physical attacks to take place.
The penetration testing team obtained complete access to the Customer’s office domain, network access to processing segments, SSH credentials to critical servers, database passwords, and access to critical Web applications.
The scenario assumed the attacker has office employee-level access. However, it was still deemed necessary to outline initial attack vectors for an outside attacker.
Service misconfigurations were abused for LPE.
EDR bypass and network filtering bypass techniques were developed and used to establish Command and Control.
Kerberoasting and password spraying were used to elevate domain privileges.
Keystroke logging and credential dumping were used to obtain credentials for a segmented domain, where transfer processing servers reside.
With the credentials available, RDP with the previously established C2 and EDR evasion techniques were used to gain access to the segmented infrastructure.
Once the network access to the processing segment was obtained, the penetration testing team performed password-hunting and service enumeration activities on the terminal virtual hosts.
An open share was discovered, containing employee manuals for processing operators. These manuals contained in unencrypted, unprotected form text files left over by previous and current employees with their authentication credentials, which allowed the security team’s complete access to both testing and production environments and databases.
At this point, on an agreement with the Customer, the adversary simulation activity was considered complete not to accidentally disrupt the normal workflow of the infrastructure.
The adversary simulation activity allowed the security team to demonstrate a complete compromise path while not using any usual, “exploitable” vulnerabilities. Instead, the attackers relied on the human factor, weak password policies and password reuse, service and Active Directory misconfiguration, and weak segmentation measures to achieve the goal. Also, flaws in threat detection and response, endpoint protection, wireless protection, and security policies were discovered, something that is usually out-of-scope for an infrastructure penetration test.
Despite mitigating all vulnerabilities discovered by a third-party company, the Client remained vulnerable to attacks and methods which a penetration test does not cover. Adversary simulation, in this case, has offered a completely different viewpoint on the security infrastructure of the Client, which allowed for preventing a threat of a similar real-world attack in the future.
Evaluating EDR Product against Threat Actors: Uncovering Limitations and Collaboration for Enhanced Detection of Multiple Killchains.
The adversary simulation activity helped the client identify and remediate multiple issues with the on-premise infrastructure and vulnerabilities, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.
The team created several hardware connect-back appliances and used it in a PCI DSS segmentation testing.