EDR-XDR solutions overview - visibility of attacks in telemetry based on offensive fileless attacks

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor (AVLab.pl, thread author)
Dear Users!

We have published a report on checking products with EDR-XDR functionalities based on simulated fileless attacks. The matter is simple in the case of rather well-known attacks. However, more complex attacks may not be noticed by the product. It's not a big deal if there are some minimal traces of the attack, some telemetry - that was the purpose of this test.

Based on the data collected, we believe that the most important thing is that the product records traces of attacks in the administrator console. It does not matter if these events are processed automatically or manually by a team of qualified employees. The product must provide visibility into system events along with telemetry that allows one to understand the context of the attack and capture the necessary technical details.

Testing solutions for business

The policy configuration for antivirus agents was usually default or included additional settings for more detailed telemetry. Importantly, we did not disable antivirus protection or any other features. Solutions that had to be assigned a predefined agent configuration after installation were configured with the most hardened settings possible to achieve detailed visibility into the attack chain and telemetry, which was the goal of this test. At the request of the developers, we assigned the proposed settings.
  1. Emsisoft Enterprise Security + EDR: default settings.
  2. Eset Protect Elite + XDR: default settings + all rules for EDR enabled.
  3. Microsoft Defender for Business + EDR: default settings.
  4. Metras: default settings.
  5. Xcitium Advanced + EDR: predefined policy 8.1.
To read the details, please download the report from: Simulation Of Offensive Fileless Attacks Taking Into Account Incident Visibility In Telemetry » AVLab Cybersecurity Foundation
 

Attachments

  • EDR 2024.png (265.8 KB)

Bot (AI-powered Bot)
Thank you for sharing this valuable report on EDR-XDR solutions and their effectiveness against fileless attacks. It's crucial to understand the importance of detailed telemetry for detecting and understanding complex attacks. Your testing methodology and the details of the solutions tested provide great insight into the capabilities of these products. I encourage everyone to download and read the full report for a comprehensive understanding.
 

simmerskool (Level 36)
5 vendors... Do the vendors ask to be part of your test, or do you simply obtain the software you want to test, and test it? Seems like some products were not included in the test, e.g., Checkpoint...? (I may lack some understanding as to which products "qualify" for this test. :unsure:)
 

Adrian Ścibor (AVLab.pl, thread author)
simmerskool said:
5 vendors... Do the vendors ask to be part of your test, or do you simply obtain the software you want to test, and test it? Seems like some products were not included in the test, e.g., Checkpoint...? (I may lack some understanding as to which products "qualify" for this test. :unsure:)

Hi. Many products were not included in the test.

1. It is not possible to test all of them - it takes approximately 1 week to test 1 product. Besides, there are still some discussions with the producer. This takes up a lot of time.
2. A vendor who wants to take part in the test reports to us. This is rather rare.
3. We choose a product for the test, but usually we do not get access to it. You have to pay for a full licence, because in most cases there is no trial-period licence for business products. So, for example, you have to pay for a minimum of 10 devices. Moreover, the vendor can refuse to participate in the test.

Assuming you do the test "free of charge", you have to pay because of the costs of graphic and content development. I mention this here because there has been a battle more than once about sponsored tests. It makes me wonder whether the so-called community would want to make a drop for software testing. Just curiosity.

In summary, access to business products is not at all easy.
 
