SlideShare a Scribd company logo

EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?

Michael Gough
Michael Gough

This document discusses the presenter's testing of various EDR and EPP solutions using three malware samples. Key findings include: 1) Many solutions failed to detect infections, even those detected by the presenter's IPS. Detection was weakest for "fileless" Kovter and morphing Dridex malware. 2) Solutions provided inadequate details to fully remediate infections. The presenter's own LOG-MD tool outperformed EDR solutions in revealing infection artifacts. 3) Based on the results, the presenter recommends that EDR tools integrate capabilities to remotely run third-party tools like LOG-MD for more thorough investigations. Simpler consoles are also needed to distribute workload across security

Technology
1 of 52
Download to read offline
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED? Michael Gough – Founder MalwareArchaeology.com IMFSecurity.com MalwareArchaeology.com Looks like Tod Beardsley (Fellow Austinite Rapid7)
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
Why are we here? • Anti-Virus is not cutting it • Actually AV provides me a lot • Alerts me to large campaigns, hours or days later, old stuff and infected USB drives MalwareArchaeology.com
Why are we here? • AV’s lack of being able to catch today’s threats • But also because logging was inadequate in Windows until 3 years ago (2014) when Process Command Line logging was added • This lack of good logging and details left an opportunity for vendors to create tools that captured Command Line (ETL) Logs and join them with other details, like Intel, and behavior • Many of the EDR tools use command line logging as a major component into what is going on with the endpoint MalwareArchaeology.com
Why are we here? • We evaluated a bunch of EDR solutions • We had some VERY surprising findings • Found and opened bugs with several vendors, yup we got by them – Are you shocked? • We only used 3 malware sample types – Only ONE vendor solution caught all 3 • We were surprised at what gave us the most artifact details, it wasn’t even close • Here is what we found and you should know MalwareArchaeology.com
Our Malware Samples • Kovter – Some call it “Fileless Malware” – Psst it’s not fileless – Stored components in the registry – Mshta used to launch javascript and calls PowerShell • Dridex – Uses valid MS signed binaries and side loads a bad Dll from a directory in user space – Morphs on each reboot, new binary and Dll hash • Gozi – Typical commodity malware – Run key, files on disk, locked the binary when infected MalwareArchaeology.com
Our Malware Samples • Kovter gave us registry artifacts to test detection, also PowerShell calling out to the Internet • Dridex gave us Dll side loading and morphing malware to show who was relying on hash lookups • Gozi was typical commodity, but locked binary that was a challenge to delete post infection MalwareArchaeology.com
Our Malware Samples • EDR Failed to detect or provide across the board – AutoRuns – Related Reg Keys – Files other than binary that was caught – Other related log data • Scheduled Task • Services – Terrible 3rd party integration (e.g. VirusTotal) • Basically all the details need to remediate MalwareArchaeology.com
Our Baseline • We have an IPS, it is surprisingly good • The IPS alerted us to the system being infected for all 3 samples • But an IPS alert gives you no details about the endpoint, so we have to investigate • So we knew EDR needed to at least alert us that something was up, hopefully with details • When on or off the corporate network MalwareArchaeology.com
Let’s talk boring terms real quick MalwareArchaeology.com
Boring stuff first - Terms Gartner and others defined these terms MalwareArchaeology.com ETDR – Endpoint Threat Detection & Response EDR – Endpoint Threat Detection & Response EPP – Endpoint Protection Platform The term used 2 years ago The term that will be used 2 years from now #OVERHEARD - “AV + Randomly related shit” The current term we will use
Boring stuff first - Terms Next-Gen AV • Might have evolved from vendors trying to get the PCI certification • It is a dead term, or so Gartner wants it to be – So we agree to kill it, because AV is AV MalwareArchaeology.com
Endpoint Protection Platform (EPP) Definition End Point Protection Platforms (EPP) are enterprise security platforms that protect PCs, mobile devices and server environments from malware, spyware, rootkits, trojans and worms. Platforms may include technologies such as: – signature based malware/spyware detection and removal – personal firewalls – host based intrusion prevention systems (HIPS) – application whitelisting – data protection (e.g. file encryption) – malicious website blocking – file reputation systems – security management and reporting • In short, EPP products typically employ a cocktail approach to protect devices and servers from malware. arch.simplicable.com MalwareArchaeology.com #OVERHEARD - “AV + Randomly related shit”
Endpoint Protection Platform (EPP) Definition • Gartner – An endpoint protection platform (EPP) is a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution… MalwareArchaeology.com #OVERHEARD - “AV + Randomly related shit”
The EPP Magic Quadrant MalwareArchaeology.com The typical AV Suites Errrr… Platforms The up and coming EDR solutions
How I felt after weeks of testing MalwareArchaeology.com EDR VENDORS HIT
There are lots of vendors MalwareArchaeology.com
But all EDR/EPP are NOT created equal • We need some sort of term(s) to separate out all these solutions because they vary in primary features • After a long discussion with my Gartner friend Dr. Anton Chuvakin, changing the terms is not a good idea • So we will just add to them to make it easier for everyone MalwareArchaeology.com
Improved Terms • Use these two as they are current and the future – EDR and EPP • We will add extensions so that we can break up the solutions into logical functions – EDR – Preventative – EDR – Detective and Information – EDR – IR or Incident Response – EPP – Has a Platform currently (Traditional AV) – EPP – Eco Systems – Mixes network with endpoint MalwareArchaeology.com
EDR - Preventative • Focuses on Prevention • Would be what we call Next Gen AV • May provide detective alerts • May provide some IR details • But really these are the “set and forget” easier to use solutions MalwareArchaeology.com
Examples of EDR - P • Primarily Prevention MalwareArchaeology.com
EDR - Detective • Focus is on detection • Little or no prevention (yet) • May provide some additional information • May provide some IR details – But not what we need, too much normal noise • These solutions are evolving into EDR – P • I honestly do not see a need or reason for these MalwareArchaeology.com
Examples of EDR - D • Primarily Detective and Information MalwareArchaeology.com
EDR - IR • Focus is on Response • Hunting capabilities • Detective capabilities • Little or no prevention • Provides a lot of details – Too many really, LOTS of normal noise, hard to find the bad – But not enough for remediation • These solutions are really for hunting for additional systems with artifacts you find with say, LOG-MD MalwareArchaeology.com
Examples of EDR - IR • Primarily IR Hunting MalwareArchaeology.com
EPP - Eco Systems • These are total solutions • Yes, Platforms • Endpoint • Web Gateway • Network • Email • Etc. MalwareArchaeology.com
Examples of EPP – Eco Systems • Covering the endpoint, network, web, email MalwareArchaeology.com
MalwareArchaeology.com
What did we expect? • Some decent results • We expected many or most of the solutions to catch what our IPS caught as that is what we would measure against, our baseline • If the IPS caught something and alerted us to “HEY! Look at that system!!!” • Then EDR should do the same • And give us all kinds of details… MalwareArchaeology.com
And what we were treated to after weeks of testing… MalwareArchaeology.com
What we tested • We did NOT test the following: – Eco Systems – we were not going to do a forklift upgrade and go all out on Cisco AMP, RSA ECAT, or Mandiant/FireEye – EPP – We did not test the typical AV with all the bells and whistles – Sandbox solutions – We know this would provide a lot of detail of what malware does on infection, but we have LOG-MD and with roughly 30% of malware that detects sandboxes, we opted not to go this route – Any Managed Service Providers MalwareArchaeology.com
What we tested • EDR – Preventative solutions (NG-AV) • EDR – Detective and Information solutions • EDR – Incident Response solutions • The typical up and coming EDR solutions that InfoSec would own and manage MalwareArchaeology.com
How we tested • First thing we did was analyze the infection using ;-) • So we knew all the details we wanted and needed to remediate a system and to compare against what EDR could provide us • We tested 3 conditions 1. User initiated – Pre-Infection 2. Already infected – Post Infection 3. Bad actor pushed and wait for reboot MalwareArchaeology.com
MalwareArchaeology.com
How did they do? • Most did OK with Pre-Infection conditions • Meaning when a user opened a Word Doc that called wscript and/or PowerShell, this condition was caught • What about systems that were already infected? – Many missed the infection • What about acting like a bad actor and dropping the payload and waiting for it to load – Many missed the infection MalwareArchaeology.com
How did they do? • Kovter was missed by several solutions – When caught it was mshta calling PowerShell • Dridex was missed by several solutions – Side loading by a signed MS binary is an issue – Morphing rendered hash lookups worthless • Gozi was missed by a couple solutions – This is typical commodity so VERY lame to miss • Really??? IPS did better than EDR??? MalwareArchaeology.com
How to evaluate EDR/EPP solutions MalwareArchaeology.com
MalwareArchaeology.com
Expectations • Check your expectations • Build a set of requirements • What do you REALLY need??? • Expect that you may not be satisfied MalwareArchaeology.com
Test your SH*T • I think their was shock, surprise and bewilderment that our testing found the amount of issues we did • Do people actually test EDR??? • You REALLY need to test this stuff and decide for yourself what works • Your requirements are NOT our requirements • Solutions will change and/or improve over time, or not MalwareArchaeology.com Or we HOPE…
Suggested evaluation • Determine what you REALLY need – EDR – P – EDR – D – EDR – IR – EPP – EPP - Eco System • Test only the solutions in the area you need – Compare Apples to Apples MalwareArchaeology.com Pick one, skip this one
How to evaluate solutions • Use malware you actually receive – Or ask us or people that can give you good samples • NEVER use samples from the vendor, they know their stuff can catch it • Use LOG-MD to evaluate your samples to discover the artifacts you will use to evaluate the solutions you select • Create a short list of things you need or want MalwareArchaeology.com
How to evaluate solutions • How easy to use is the console / GUI – Many are very difficult or complicated to use – Tier 1 probably cannot use them so impacts your staffing • Do you expect them to provide all the details you need to remediate? – They all sucked at this - seriously – You will know the system is infected and some details – But not everything you need to remediate – Which means you will need to investigate systems that trigger alerts to obtain all remediation details MalwareArchaeology.com
How to evaluate solutions • Test the damn stuff – You will be surprised • What impact to your resources will it have • Some are complete time sucks – Is this really what you need or want? • Shouldn’t this stuff save us time or at least automate some tasks and gain some efficiency? MalwareArchaeology.com
It’s all in the details MalwareArchaeology.com
What surprised us • My expectations were that I would get some details more than AV or IPS gave us – This file is bad and this IP is infected • I expected that we would get some details to help us know what infected the system and how… • I was soooo disappointed… MalwareArchaeology.com
What surprised us • Here is where I should bash the solutions at how bad they were • But I realized my expectations were based on how good logging CAN be and how we do it – The Windows Logging Cheat Sheet(s) • Several of the tools are just fancy Log Management type tools with details, Intel and noise added • And how good other tools we use that can push out tools we have and like MalwareArchaeology.com
What surprised us • provided us details none of the solutions could even come close to – And WAY faster • On a scale of 1-10 – EDR – IR • 2-5 – 10 !!! MalwareArchaeology.com
After Testing - My Top 10 Tools 1. Log Management 1. Of course with the “Windows Logging Cheat Sheet(s)” 2. Query the System 1. I LOVE BigFix, Tanium, Grrr, OSQuery, Investigator 3. 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a – Maybe one that implements the changes I am about to recommend MalwareArchaeology.com
Recommendations to the Industry • EDR – IR – Need a console that allows us to run say……… LOG-MD or other tool(s) of your choice – Not one by one, but automated on all the suspect systems we want to obtain more details • Simpler consoles to address Tier 1 staff – Can have drill down for more detail – But focus at Tier 1 so I can share some of the load – Help me distribute the load across the team MalwareArchaeology.com
Resources LOG-MD.COM • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet(s)” – MalwareArchaeology.com • This presentation and others on SlideShare – Search for MalwareArchaeology or LOG-MD
Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog)

Recommended

Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
Lionel Faleiro
 
Osint
OsintOsint
Osint
Kamal Rathaur
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Aparna Bhadran
 

Recommended

Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
Lionel Faleiro
 
Osint
OsintOsint
Osint
Kamal Rathaur
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Aparna Bhadran
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
Justin Henderson
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Career in Ethical Hacking
Career in Ethical Hacking Career in Ethical Hacking
Career in Ethical Hacking
neosphere
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
Evolve IP
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING Sweta Leena Panda
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
Md. Raquibul Hoque
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Mark Arena
 
Hash cat
Hash catHash cat
Hash cat
Sreekanth Narendran
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques أحلام انصارى
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
Sumedt Jitpukdebodin
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 

More Related Content

What's hot

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE - ATT&CKcon
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
Justin Henderson
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Career in Ethical Hacking
Career in Ethical Hacking Career in Ethical Hacking
Career in Ethical Hacking
neosphere
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
Evolve IP
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
Md. Raquibul Hoque
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Mark Arena
 
Hash cat
Hash catHash cat
Hash cat
Sreekanth Narendran
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
Sumedt Jitpukdebodin
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 

What's hot (20)

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Career in Ethical Hacking
Career in Ethical Hacking Career in Ethical Hacking
Career in Ethical Hacking
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...
 
Hash cat
Hash catHash cat
Hash cat
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 

Similar to EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?

Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
Michael Gough
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Falgun Rathod
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
Michael Gough
 

Similar to EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED? (20)

Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 

More from Michael Gough

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Michael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 

More from Michael Gough (12)

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 

Recently uploaded

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 

Recently uploaded (20)

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 

EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?

  • 1. EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED? Michael Gough – Founder MalwareArchaeology.com IMFSecurity.com MalwareArchaeology.com Looks like Tod Beardsley (Fellow Austinite Rapid7)
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3. Why are we here? • Anti-Virus is not cutting it • Actually AV provides me a lot • Alerts me to large campaigns, hours or days later, old stuff and infected USB drives MalwareArchaeology.com
  • 4. Why are we here? • AV’s lack of being able to catch today’s threats • But also because logging was inadequate in Windows until 3 years ago (2014) when Process Command Line logging was added • This lack of good logging and details left an opportunity for vendors to create tools that captured Command Line (ETL) Logs and join them with other details, like Intel, and behavior • Many of the EDR tools use command line logging as a major component into what is going on with the endpoint MalwareArchaeology.com
  • 5. Why are we here? • We evaluated a bunch of EDR solutions • We had some VERY surprising findings • Found and opened bugs with several vendors, yup we got by them – Are you shocked? • We only used 3 malware sample types – Only ONE vendor solution caught all 3 • We were surprised at what gave us the most artifact details, it wasn’t even close • Here is what we found and you should know MalwareArchaeology.com
  • 6. Our Malware Samples • Kovter – Some call it “Fileless Malware” – Psst it’s not fileless – Stored components in the registry – Mshta used to launch javascript and calls PowerShell • Dridex – Uses valid MS signed binaries and side loads a bad Dll from a directory in user space – Morphs on each reboot, new binary and Dll hash • Gozi – Typical commodity malware – Run key, files on disk, locked the binary when infected MalwareArchaeology.com
  • 7. Our Malware Samples • Kovter gave us registry artifacts to test detection, also PowerShell calling out to the Internet • Dridex gave us Dll side loading and morphing malware to show who was relying on hash lookups • Gozi was typical commodity, but locked binary that was a challenge to delete post infection MalwareArchaeology.com
  • 8. Our Malware Samples • EDR Failed to detect or provide across the board – AutoRuns – Related Reg Keys – Files other than binary that was caught – Other related log data • Scheduled Task • Services – Terrible 3rd party integration (e.g. VirusTotal) • Basically all the details need to remediate MalwareArchaeology.com
  • 9. Our Baseline • We have an IPS, it is surprisingly good • The IPS alerted us to the system being infected for all 3 samples • But an IPS alert gives you no details about the endpoint, so we have to investigate • So we knew EDR needed to at least alert us that something was up, hopefully with details • When on or off the corporate network MalwareArchaeology.com
  • 10. Let’s talk boring terms real quick MalwareArchaeology.com
  • 11. Boring stuff first - Terms Gartner and others defined these terms MalwareArchaeology.com ETDR – Endpoint Threat Detection & Response EDR – Endpoint Threat Detection & Response EPP – Endpoint Protection Platform The term used 2 years ago The term that will be used 2 years from now #OVERHEARD - “AV + Randomly related shit” The current term we will use
  • 12. Boring stuff first - Terms Next-Gen AV • Might have evolved from vendors trying to get the PCI certification • It is a dead term, or so Gartner wants it to be – So we agree to kill it, because AV is AV MalwareArchaeology.com
  • 13. Endpoint Protection Platform (EPP) Definition End Point Protection Platforms (EPP) are enterprise security platforms that protect PCs, mobile devices and server environments from malware, spyware, rootkits, trojans and worms. Platforms may include technologies such as: – signature based malware/spyware detection and removal – personal firewalls – host based intrusion prevention systems (HIPS) – application whitelisting – data protection (e.g. file encryption) – malicious website blocking – file reputation systems – security management and reporting • In short, EPP products typically employ a cocktail approach to protect devices and servers from malware. arch.simplicable.com MalwareArchaeology.com #OVERHEARD - “AV + Randomly related shit”
  • 14. Endpoint Protection Platform (EPP) Definition • Gartner – An endpoint protection platform (EPP) is a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution… MalwareArchaeology.com #OVERHEARD - “AV + Randomly related shit”
  • 15. The EPP Magic Quadrant MalwareArchaeology.com The typical AV Suites Errrr… Platforms The up and coming EDR solutions
  • 16. How I felt after weeks of testing MalwareArchaeology.com EDR VENDORS HIT
  • 17. There are lots of vendors MalwareArchaeology.com
  • 18. But all EDR/EPP are NOT created equal • We need some sort of term(s) to separate out all these solutions because they vary in primary features • After a long discussion with my Gartner friend Dr. Anton Chuvakin, changing the terms is not a good idea • So we will just add to them to make it easier for everyone MalwareArchaeology.com
  • 19. Improved Terms • Use these two as they are current and the future – EDR and EPP • We will add extensions so that we can break up the solutions into logical functions – EDR – Preventative – EDR – Detective and Information – EDR – IR or Incident Response – EPP – Has a Platform currently (Traditional AV) – EPP – Eco Systems – Mixes network with endpoint MalwareArchaeology.com
  • 20. EDR - Preventative • Focuses on Prevention • Would be what we call Next Gen AV • May provide detective alerts • May provide some IR details • But really these are the “set and forget” easier to use solutions MalwareArchaeology.com
  • 21. Examples of EDR - P • Primarily Prevention MalwareArchaeology.com
  • 22. EDR - Detective • Focus is on detection • Little or no prevention (yet) • May provide some additional information • May provide some IR details – But not what we need, too much normal noise • These solutions are evolving into EDR – P • I honestly do not see a need or reason for these MalwareArchaeology.com
  • 23. Examples of EDR - D • Primarily Detective and Information MalwareArchaeology.com
  • 24. EDR - IR • Focus is on Response • Hunting capabilities • Detective capabilities • Little or no prevention • Provides a lot of details – Too many really, LOTS of normal noise, hard to find the bad – But not enough for remediation • These solutions are really for hunting for additional systems with artifacts you find with say, LOG-MD MalwareArchaeology.com
  • 25. Examples of EDR - IR • Primarily IR Hunting MalwareArchaeology.com
  • 26. EPP - Eco Systems • These are total solutions • Yes, Platforms • Endpoint • Web Gateway • Network • Email • Etc. MalwareArchaeology.com
  • 27. Examples of EPP – Eco Systems • Covering the endpoint, network, web, email MalwareArchaeology.com
  • 29. What did we expect? • Some decent results • We expected many or most of the solutions to catch what our IPS caught as that is what we would measure against, our baseline • If the IPS caught something and alerted us to “HEY! Look at that system!!!” • Then EDR should do the same • And give us all kinds of details… MalwareArchaeology.com
  • 30. And what we were treated to after weeks of testing… MalwareArchaeology.com
  • 31. What we tested • We did NOT test the following: – Eco Systems – we were not going to do a forklift upgrade and go all out on Cisco AMP, RSA ECAT, or Mandiant/FireEye – EPP – We did not test the typical AV with all the bells and whistles – Sandbox solutions – We know this would provide a lot of detail of what malware does on infection, but we have LOG-MD and with roughly 30% of malware that detects sandboxes, we opted not to go this route – Any Managed Service Providers MalwareArchaeology.com
  • 32. What we tested • EDR – Preventative solutions (NG-AV) • EDR – Detective and Information solutions • EDR – Incident Response solutions • The typical up and coming EDR solutions that InfoSec would own and manage MalwareArchaeology.com
  • 33. How we tested • First thing we did was analyze the infection using ;-) • So we knew all the details we wanted and needed to remediate a system and to compare against what EDR could provide us • We tested 3 conditions 1. User initiated – Pre-Infection 2. Already infected – Post Infection 3. Bad actor pushed and wait for reboot MalwareArchaeology.com
  • 35. How did they do? • Most did OK with Pre-Infection conditions • Meaning when a user opened a Word Doc that called wscript and/or PowerShell, this condition was caught • What about systems that were already infected? – Many missed the infection • What about acting like a bad actor and dropping the payload and waiting for it to load – Many missed the infection MalwareArchaeology.com
  • 36. How did they do? • Kovter was missed by several solutions – When caught it was mshta calling PowerShell • Dridex was missed by several solutions – Side loading by a signed MS binary is an issue – Morphing rendered hash lookups worthless • Gozi was missed by a couple solutions – This is typical commodity so VERY lame to miss • Really??? IPS did better than EDR??? MalwareArchaeology.com
  • 37. How to evaluate EDR/EPP solutions MalwareArchaeology.com
  • 39. Expectations • Check your expectations • Build a set of requirements • What do you REALLY need??? • Expect that you may not be satisfied MalwareArchaeology.com
  • 40. Test your SH*T • I think their was shock, surprise and bewilderment that our testing found the amount of issues we did • Do people actually test EDR??? • You REALLY need to test this stuff and decide for yourself what works • Your requirements are NOT our requirements • Solutions will change and/or improve over time, or not MalwareArchaeology.com Or we HOPE…
  • 41. Suggested evaluation • Determine what you REALLY need – EDR – P – EDR – D – EDR – IR – EPP – EPP - Eco System • Test only the solutions in the area you need – Compare Apples to Apples MalwareArchaeology.com Pick one, skip this one
  • 42. How to evaluate solutions • Use malware you actually receive – Or ask us or people that can give you good samples • NEVER use samples from the vendor, they know their stuff can catch it • Use LOG-MD to evaluate your samples to discover the artifacts you will use to evaluate the solutions you select • Create a short list of things you need or want MalwareArchaeology.com
  • 43. How to evaluate solutions • How easy to use is the console / GUI – Many are very difficult or complicated to use – Tier 1 probably cannot use them so impacts your staffing • Do you expect them to provide all the details you need to remediate? – They all sucked at this - seriously – You will know the system is infected and some details – But not everything you need to remediate – Which means you will need to investigate systems that trigger alerts to obtain all remediation details MalwareArchaeology.com
  • 44. How to evaluate solutions • Test the damn stuff – You will be surprised • What impact to your resources will it have • Some are complete time sucks – Is this really what you need or want? • Shouldn’t this stuff save us time or at least automate some tasks and gain some efficiency? MalwareArchaeology.com
  • 45. It’s all in the details MalwareArchaeology.com
  • 46. What surprised us • My expectations were that I would get some details more than AV or IPS gave us – This file is bad and this IP is infected • I expected that we would get some details to help us know what infected the system and how… • I was soooo disappointed… MalwareArchaeology.com
  • 47. What surprised us • Here is where I should bash the solutions at how bad they were • But I realized my expectations were based on how good logging CAN be and how we do it – The Windows Logging Cheat Sheet(s) • Several of the tools are just fancy Log Management type tools with details, Intel and noise added • And how good other tools we use that can push out tools we have and like MalwareArchaeology.com
  • 48. What surprised us • provided us details none of the solutions could even come close to – And WAY faster • On a scale of 1-10 – EDR – IR • 2-5 – 10 !!! MalwareArchaeology.com
  • 49. After Testing - My Top 10 Tools 1. Log Management 1. Of course with the “Windows Logging Cheat Sheet(s)” 2. Query the System 1. I LOVE BigFix, Tanium, Grrr, OSQuery, Investigator 3. 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a – Maybe one that implements the changes I am about to recommend MalwareArchaeology.com
  • 50. Recommendations to the Industry • EDR – IR – Need a console that allows us to run say……… LOG-MD or other tool(s) of your choice – Not one by one, but automated on all the suspect systems we want to obtain more details • Simpler consoles to address Tier 1 staff – Can have drill down for more detail – But focus at Tier 1 so I can share some of the load – Help me distribute the load across the team MalwareArchaeology.com
  • 51. Resources LOG-MD.COM • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet(s)” – MalwareArchaeology.com • This presentation and others on SlideShare – Search for MalwareArchaeology or LOG-MD
  • 52. Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog)