Detecting a new attack toolset in an endpoint detection and response system

dc.contributorAalto Universityfi
dc.contributorAalto Universityen
dc.contributor.advisorRanta-aho, Perttu
dc.contributor.authorRumi Chiapella, Stefano
dc.contributor.schoolSchool of Sciencefi
dc.contributor.supervisorSuoranta, Sanna
dc.date.accessioned2023-08-27T17:19:56Z
dc.date.available2023-08-27T17:19:56Z
dc.date.issued2023-08-21
dc.description.abstractEndpoint detection and response (EDR) is commercial software that detects malicious activity. Organisations use it mainly as a second layer of protection behind antivirus software, which is intended to prevent such code from executing in the first place. If the execution of malware cannot be prevented, the job of the EDR solution is to detect the attack and report it to the system administrator, who can act on the information provided. The problem is that attack toolsets evolve constantly and find ways to avoid detection, so it is hard for EDR vendors to keep up with them and detect attacks accurately. The objective of this thesis project is to enhance the detection capabilities of the EDR solution provided by WithSecure by improving existing detection rules or creating new ones. Because WithSecure keeps its detection rules based on real attacks rather than hypothetical scenarios, security researchers must justify each rule improvement with evidence of an undetected attack. This project launches attacks from a specific attack toolset to test the detection rules and makes a justified improvement to the ruleset for each detection flaw those attacks reveal. The toolset chosen for testing is CALDERA, which provides easy access to a wide range of attacks. In short, this project presents the results of iterating over the attacks provided by CALDERA, improving the EDR system's detection rules to detect them, and reporting the results. The project ran 129 attack steps from CALDERA, which led to 32 detection rule improvements. Further improvements were made outside the CALDERA tests, for a total of 54 rule improvements.en
dc.format.extent6 + 82
dc.identifier.urihttps://aaltodoc.aalto.fi/handle/123456789/122899
dc.identifier.urnURN:NBN:fi:aalto-202308275240
dc.language.isoenen
dc.programmeMaster’s Programme in Security and Cloud Computing (SECCLO)fi
dc.programme.majorSECCLOfi
dc.programme.mcodeSCI3113fi
dc.subject.keywordendpoint detection and responseen
dc.subject.keywordedren
dc.subject.keywordmdren
dc.subject.keywordcybersecurityen
dc.subject.keywordmalware analysisen
dc.subject.keywordcalderaen
dc.titleDetecting a new attack toolset in an endpoint detection and response systemen
dc.typeG2 Master's thesisfi
dc.type.ontasotMaster's thesisen
dc.type.ontasotMaster's thesisfi
local.aalto.electroniconlyyes
local.aalto.openaccessno
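The abstract describes the loop the thesis follows: run attack steps, record which detection rules fire on the telemetry each step produces, treat every step that no rule detected as the evidence for a rule change, and re-run after the ruleset is improved. The following harness is an added example of that loop and is not code from the thesis, from WithSecure or from CALDERA. The process-creation events, attack steps, rule format and rule names are all constructed for illustration; the technique ids are ATT&CK references for reporting only. It also checks the improved rules against constructed benign telemetry, since a rule added to close a gap must not fire on normal administration.

```python
"""Detection-coverage harness (added example, not WithSecure's or CALDERA's code).

All events, steps and rules below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR sensor might report it (constructed)."""
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class AttackStep:
    """One attack step and the telemetry observed when it ran (constructed)."""
    step_id: str
    technique: str   # ATT&CK technique id, used for reporting only
    events: tuple    # ProcessEvent instances


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule format: fires when both regexes match one event."""
    name: str
    image: str
    cmdline: str

    def fires_on(self, ev: ProcessEvent) -> bool:
        return (re.search(self.image, ev.image, re.I) is not None
                and re.search(self.cmdline, ev.cmdline, re.I) is not None)


def evaluate(steps, rules):
    """Map step_id -> sorted names of the rules that fired on any of its events."""
    report = {}
    for step in steps:
        fired = {r.name for r in rules for ev in step.events if r.fires_on(ev)}
        report[step.step_id] = sorted(fired)
    return report


def gaps(report):
    """Steps no rule detected: the evidence a rule change has to be justified by."""
    return sorted(step for step, fired in report.items() if not fired)


def false_positives(rules, benign_events):
    """Rules that fire on benign telemetry; a gap-closing rule must not add noise."""
    return sorted({r.name for r in rules for ev in benign_events if r.fires_on(ev)})


# Constructed encoded-command payload: "Get-Process" as UTF-16LE, base64-encoded.
ENC = base64.b64encode("Get-Process".encode("utf-16le")).decode()

STEPS = (
    AttackStep("disc-001", "T1033",
               (ProcessEvent("cmd.exe", "whoami.exe", "whoami /all"),)),
    AttackStep("exec-002", "T1059.001",
               (ProcessEvent("cmd.exe", "powershell.exe",
                             f"powershell.exe -nop -w hidden -enc {ENC}"),)),
    AttackStep("cred-003", "T1003.001",
               (ProcessEvent("cmd.exe", "rundll32.exe",
                             "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, "
                             "MiniDump 624 C:\\Users\\Public\\l.dmp full"),)),
    AttackStep("pers-004", "T1053.005",
               (ProcessEvent("cmd.exe", "schtasks.exe",
                             "schtasks /create /sc minute /mo 5 /tn Updater "
                             "/tr C:\\Users\\Public\\u.exe"),)),
)

# Constructed benign telemetry the improved rules must stay quiet on.
BENIGN = (
    ProcessEvent("explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
)

# Hypothetical baseline ruleset: two of the four steps are not covered.
BASELINE_RULES = (
    Rule("whoami-recon", r"whoami\.exe$", r"."),
    Rule("schtasks-create", r"schtasks\.exe$", r"/create"),
)

# Ruleset after one iteration: one new rule per gap the test run exposed.
IMPROVED_RULES = BASELINE_RULES + (
    Rule("ps-encoded-command", r"powershell\.exe$",
         r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    Rule("comsvcs-minidump", r"rundll32\.exe$", r"comsvcs\.dll.*minidump"),
)

if __name__ == "__main__":
    print("undetected before:", gaps(evaluate(STEPS, BASELINE_RULES)))
    print("undetected after:", gaps(evaluate(STEPS, IMPROVED_RULES)))
    print("false positives:", false_positives(IMPROVED_RULES, BENIGN))
```

Run stand-alone, the first line lists the two steps the baseline rules miss, the second is empty after the two added rules, and the third confirms neither new rule fires on the benign events. Replacing STEPS with telemetry captured while running real CALDERA abilities, and the Rule class with the EDR's own rule language, turns this into the same test-improve-retest cycle the thesis describes.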
