Detecting a new attack toolset in an endpoint detection and response system

Thumbnail Image

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis

Authors

Date

2023-08-21

Department

Major/Subject

SECCLO

Mcode

SCI3113

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

6 + 82

Series

Abstract

Endpoint detection and response (EDR) is a software commercialised to detect malicious activities. It is used mainly at organisations as a second layer of protection after antivirus software, which is intended to prevent the execution of such code. If the execution of malware cannot be prevented, the job of the EDR solution is to detect the attack and report it to the system administrator, who can take actions based on the provided information. The problem is that attack toolsets are under constant evolution, finding ways to avoid being detected. Therefore, it is hard for EDR software providers to keep up with the attack toolsets and detect attacks accurately. The objective of this thesis project is to enhance the detection capabilities of the EDR solution provided by Withsecure. This enhancement is done by improving the current detection rules or creating new ones. As Withsecure attempts to keep its detection rules based on real attacks and not hypothetical scenarios, security researchers should justify the rule improvements by providing evidence of an undetected attack. This project launches attacks from a specific attack toolset to test the detection rules. Furthermore, this project makes an improvement in the ruleset justifiably for each detection flaw discovered by the attacks of the toolset. The chosen attack toolset to test the detection capabilities of is CALDERA which provides easy access to a wide range of attacks. In a nutshell, this project presents the results of iterating over testing the attacks provided by CALDERA, improving the detection rules of the EDR system to detect those attacks and reporting the results. This thesis project ran 129 attack steps from CALDERA which led to the development of 32 detection rule improvements. Further detection improvements were done besides the CALDERA tests. This led to a total of 54 rule improvements.

Endpoint detection and response (EDR) is a software commercialised to detect malicious activities. It is used mainly at organisations as a second layer of protection after antivirus software, which is intended to prevent the execution of such code. If the execution of malware cannot be prevented, the job of the EDR solution is to detect the attack and report it to the system administrator, who can take actions based on the provided information. The problem is that attack toolsets are under constant evolution, finding ways to avoid being detected. Therefore, it is hard for EDR software providers to keep up with the attack toolsets and detect attacks accurately. The objective of this thesis project is to enhance the detection capabilities of the EDR solution provided by Withsecure. This enhancement is done by improving the current detection rules or creating new ones. As Withsecure attempts to keep its detection rules based on real attacks and not hypothetical scenarios, security researchers should justify the rule improvements by providing evidence of an undetected attack. This project launches attacks from a specific attack toolset to test the detection rules. Furthermore, this project makes an improvement in the ruleset justifiably for each detection flaw discovered by the attacks of the toolset. The chosen attack toolset to test the detection capabilities of is CALDERA which provides easy access to a wide range of attacks. In a nutshell, this project presents the results of iterating over testing the attacks provided by CALDERA, improving the detection rules of the EDR system to detect those attacks and reporting the results. This thesis project ran 129 attack steps from CALDERA which led to the development of 32 detection rule improvements. Further detection improvements were done besides the CALDERA tests. This led to a total of 54 rule improvements.

Description

Supervisor

Suoranta, Sanna

Thesis advisor

Ranta-aho, Perttu

Keywords

endpoint detection and response, edr, mdr, cybersecurity, malware analysis, caldera

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202308275240

Collections

[dipl] Perustieteiden korkeakoulu / SCI