F-Secure EDR performance against APT attack vectors

mrF · 2021-07-23T14:13:54+00:00

There was an error rendering this rich post.

Hello,

I came accross this recent research paper about various EDR performance versus specific attack vectors: https://www.mdpi.com/2624-800X/1/3/21

I'd like to hear a comment from F-Secure folks about the tests realized there and the results obtained by F-Secure EDR. To be fair, other vendors didn't do great either but I am mainly interested in what F-Secure can learn from such research and if there are plans to improve.

Thanks1

Find more posts tagged with

Comments

mrF

Hello @gancal

Thank you for the updates about that particular paper. I am obviously happy to know that the abnormality of the initial results was root-caused and I am even happier seeing the effort you and your team made to follow-up with the researchers. This is undeniably excellent work from your part, please keep it up.

Thank you once more for your replies. I really appreciate it.

gancal

Hello @mrF ,

Good day to you!

We have now been notified that the revised version of the paper has now been released and can be accessed from the following links:

https://arxiv.org/abs/2108.10422

https://vx-underground.org/papers/VXUG/Mirrors/APT_assessment.pdf

Feel free to let us know if you have more questions :) Have a great day!

Regards,

Calvin Gan of Tactical Defense Unit

gancal

Hello @mrF ,

Thanks for reaching our to us and sorry it took a while to get back to you!

On 9 July George Karantzas (Information Management System Institute, Marousi, Greece) and Constantinos Patsakis (Department of Informatics at the University of Piraeus, Greece) published a paper titled “An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors” on https://www.mdpi.com/2624-800X/1/3/21 The test gained some popularity on Twitter and was also referenced in an SC Magazine article: https://www.scmagazine.com/featured/edr-alone-wont-protect-your-organization-from-advanced-hacking-groups/

After a brief review of the publication F-Secure discovered that the two researchers didn’t use F-Secure’s EDR, but included only F-Secure’s End Point Protection in their test which by design wouldn’t detect the attacks as they were performed without a malicious payload that performed system changes or malicious process execution. As the researchers aimed to test EDR products, their methodology was mostly simulating attack techniques without a malicious payload.

F-Secure reached out to the researchers on 12 July, informed about their mistake and collaborated in retesting with the correct product and configuration. F-Secure’s EDR was able to detect 3 out of the 4 performed attacks. Our Detection and Response Team is already analyzing the missed attack to improve F-Secure EDR further.

The researchers were quick to respond, helping to retest and will provide an updated paper for the Cornell University archive.

Feel free to let us know if you have more questions :) Have a great day!

Regards,

Calvin Gan of Tactical Defense Unit