Detecting a new attack toolset in an endpoint detection and response system

Perustieteiden korkeakoulu | Master's thesis
Date
2023-08-21
Major/Subject
SECCLO
Mcode
SCI3113
Degree programme
Master’s Programme in Security and Cloud Computing (SECCLO)
Language
en
Pages
6 + 82
Abstract
Endpoint detection and response (EDR) is commercial software that detects malicious activity. Organisations use it mainly as a second layer of protection behind antivirus software, which is intended to prevent malicious code from executing in the first place. If the execution of malware cannot be prevented, the job of the EDR solution is to detect the attack and report it to the system administrator, who can act on the information provided. The problem is that attack toolsets evolve constantly and keep finding ways to avoid detection, so it is hard for EDR vendors to keep up with them and detect attacks accurately. The objective of this thesis project is to enhance the detection capabilities of the EDR solution provided by WithSecure by improving its current detection rules or creating new ones. Because WithSecure aims to base its detection rules on real attacks rather than hypothetical scenarios, security researchers must justify each rule improvement with evidence of an undetected attack. This project launches attacks from a specific attack toolset to test the detection rules and makes a justified ruleset improvement for each detection gap those attacks reveal. The toolset chosen for testing the detection capabilities is CALDERA, which provides easy access to a wide range of attacks. In a nutshell, this project presents the results of iteratively running the attacks provided by CALDERA, improving the EDR system's detection rules to detect those attacks, and reporting the results. The project ran 129 attack steps from CALDERA, which led to the development of 32 detection rule improvements. Further detection improvements were made outside the CALDERA tests, bringing the total to 54 rule improvements.

Supervisor
Suoranta, Sanna
Thesis advisor
Ranta-aho, Perttu
Keywords
endpoint detection and response, edr, mdr, cybersecurity, malware analysis, caldera