Overview of protection of EDR-XDR solutions. Simulation of offensive security tests including the visibility of attacks in telemetry

13 March 2023

Introduction to the test

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are derived from multi-layered endpoint protection. Their role is to monitor the supported operating systems and applications in the cloud in real time. They take proactive searching for threats to the next level, including IoC (Indicator of Compromise) artifacts. This may mean that your company will receive more useful feedback from endpoints, which will help you better protect the entire network and employees against cyberattacks. Using EDR-XDR improves visibility of information flow from the entire infrastructure. An insight into Telemetry includes not only endpoints, but also Amazon Web Service, Microsoft Azure, mobile devices, IoT sensors, Web 2.0 applications, and even network edge devices.

EDR-XDR as an ally of Red-Blue Team

In order to compare EDR-XDR solutions, we temporarily step into the shoes of the Red Team, i.e. simulate actions of attackers who already have access to the IT infrastructure, and thus the opportunity to steal data from workstations, and ultimately as defenders of the Blue Team develop conclusions for a better understanding of how EDR-XDR solutions work. The purpose of this test is to justify the investment in a product for active and passive protection of systems by assessing its capabilities in confrontation with targeted APT (Advanced Persistent Threat) attacks.

Tools and protocols we used

We wanted to diversify the ways of bypassing security, so we tried to use several network protocols and different tools. For example, in one scenario we use the Telegram API (MTProto Mobile Protocol) to try to silently send selected files from a victim’s computer to another Telegram account which is controlled by an attacker. According to the MITRE Techniques & Tactics, in real attacks on enterprises hackers use system tools such as PowerShell, CMD, MSHTA, WMI, and others which should be covered by the software for monitoring data and information. Threats we use in the test were additionally subjected to the process of obfuscation of malware code. Moreover, we used the Caldera Framework formerly known from the online banking test to obtain basic information about the victim’s system. We also used the offensive Metasploit software to check the visibility of attacks in the admin console.

Telemetry and visibility of attacks in the admin console

This is the first edition of the EDR-XDR test, so our primary goal was to check the logging of attack traces in the admin console. Some of the attacks will be easy to detect, such as the payload generated in Metasploit software with a reverse TCP connection established immediately after a victim runs a malicious file.

Checking the effectiveness of protection was not even a secondary goal of the test, so we focused all our attention on observing the visibility of attacks along with telemetry (the so-called alert attack context). The lack of visibility or telemetry can mean for your company that the product did not work in a real-life situation or detected the threat too late.

This could lead to encrypting a part of the infrastructure before the security agent manages to stop the escalation of a cyberattack on the workstation. In addition, thanks to automation, EDR-XDR is an effective tool for large and small organizations with any level of technical skill.

Features of a good EDR-XDR

This class of solution must provide multi-layered protection – from supporting a variety of systems to network processes, services and protocols. At the same time, it should be easy to use. We made the following assumptions that guided us in the test:

  1. It is important to automatically detect threats as well as fixing issue with malicious software, including an agent and operating system misconfiguration, to quickly and easily support small and medium-sized organizations in the security process.
  2. Effective management and visibility of the entire attack chain is an important feature of the product that makes it easier to view events of preventive protection as well as adaptive detection of suspicious activity along with automatic response to incidents.
  3. Advanced search for telemetry artifacts must enable identification and remediation of potential issues with security of the organization before the attacker gets what he has planned. That is why EDR-XDR solution must provide detailed visibility of the attack, and quick and easy access to telemetry data in order to assist analysts in detecting threats.
  4. An important feature is to avoid “alert spam” by providing the necessary to detect artifacts during suspicious activity. This point can be met by automatically neutralizing cyberattacks without human intervention.
  5. EDR-XDR consists of the entire ecosystem of security modules cooperating with each other so in the test we avoid disabling some protection as the goal of EDR-XDR solutions is to detect and stop increasingly complex attacks.
  6. Regardless of the operating system, the solution should provide an immediate identification of events from all endpoints using a single dashboard. The so-called holistic view of infected IT resources allows to response quickly and neutralize any type of attack.

How did we choose the software for the test?

We have taken into account developers of those EDR-XDR solutions which we have easy access to due to previous cooperation in other tests. Generating test accounts and contacting a developer sometimes takes weeks, and because of the 30-day trial version of a product it would be impossible to complete the test. We do not exclude that in next editions we will take into account other solutions. Developers willing to cooperate are invited to contact us.

List of 6 solutions:

  1. Bitdefender GravityZone Business Security Enterprise with XDR
  2. Emsisoft Enterprise Security with EDR
  3. Microsoft Defender for Endpoint with EDR
  4. Trend Micro Apex One + Trend Micro Vision One with XDR
  5. Xcitium Advanced Endpoint Protection with EDR
  6. One more Vendor was tested as private mode.

Sophos and ESET refused to participate in the test.

Victim and agent system configuration

  • To simulate attacks we used a virtual machine with Linux Mint as a Command and Control server with the Caldera Framework (with predefined attack types), and a virtual machine with Kali Linux and Metasploit software.
  • Virtual machines with Windows 11 and Windows Server 2019 with agents of the tested solutions were connected to the same network and had full access to the Internet. We used a completely default configuration of Windows.
  • We gave up creating campaigns from scratch. The so-called payload was delivered by the described protocols without any social engineering because the type and purpose of the attack in the simulated scenario was known to testers.

Policy configuration for antivirus agents was the default or included additional settings for more detailed telemetry. We did not disable antivirus protection. In the case of solutions which had to have a predefined policy configuration assigned, e.g. Microsoft Defender for Endpoint, we wanted to assign the best possible protection to have detailed insight into the information on the attack chain and maximum telemetry which was the purpose of our test.

Overview of protection of EDR-XDR solutions

Simulation of offensive security tests including the visibility of attacks in telemetry

Graphical Summary