TL;DR
This paper empirically evaluates how well endpoint security systems (EDRs and related products) detect and prevent the attack vectors used by advanced persistent threats, reveals significant gaps in both detection and logging, and discusses methods for tampering with EDR telemetry.
Contribution
It provides a comprehensive assessment of EDRs and other endpoint security solutions against APT-style attacks using a diverse set of attack scenarios, highlighting where detection, prevention and logging need improvement.
Findings
Many of the tested attacks are neither prevented nor logged by current endpoint security systems.
State-of-the-art solutions still leave significant detection and prevention gaps.
Tampering with the telemetry providers that EDRs rely on can make an attack stealthier.
Abstract
Advanced persistent threats pose a significant challenge for blue teams as they apply various attacks over prolonged periods, impeding event correlation and their detection. In this work, we leverage various diverse attack scenarios to assess the efficacy of EDRs and other endpoint security solutions at detecting and preventing APTs. Our results indicate that there is still a lot of room for improvement, as state-of-the-art endpoint security systems fail to prevent and log the bulk of the attacks that are reported in this work. Additionally, we discuss methods to tamper with the telemetry providers of EDRs, allowing an adversary to perform a stealthier attack.
