Author: Justus Hoffmann

Misc
by Gregor Debus

Assessing Endpoint Protection: Our Approach to EDR/XDR and Supplements Evaluation

There is a growing landscape of security products promising to protect an organization’s IT infrastructure from attacks. Solutions referred to as EDR, and sometimes also as XDR, are designed to protect endpoints from all malicious activity. The ever-increasing cases of breaches and the associated costs, especially in the realm of ransomware attacks, raise the question of whether there is more that can be done to add an additional layer to traditional endpoint protection concepts. That is why a customer of ours commissioned us to evaluate whether EDR supplementing solutions provide extended protection against ever-evolving threats, as well as to shine a light on the performance overheads those solutions might introduce.

This blog post describes the methodology we use to evaluate and compare different EDR solutions for our customers. Given the growing number of sophisticated attacks, it is important not only to look at detection rates in isolation but to assess how these solutions perform under realistic conditions.

Continue reading “Assessing Endpoint Protection: Our Approach to EDR/XDR and Supplements Evaluation”

Continue reading
Misc
by Justus Hoffmann

Jigsaw RDPuzzle: Piecing Attacker Actions Together

In a recent incident response project, we had the chance to virtually look over the attackers’ shoulder and observe their activities. The attackers used the Remote Desktop Protocol (RDP) for lateral movement within the compromized environment and beyond (MITRE techniques T1570, T1021). As a matter of fact, RDP creates cache files that contain tiles of the transferred screen recording data. While this fact is well-known and there are existing tools, we found it worth reporting because of two different aspects:

  • On the one hand, we want to raise awareness for this valuable piece of evidence, explain how it works, how tooling works and how it can be used. In this particular case, the analysis of those cache files yielded valuable insights into the attackers’ activity and allowed further measures.
  • On the other hand, we found it exciting to look over the attacker’s shoulder, see the desktop as they saw it, and the commands they typed. We want to share parts of those insights as far as we are able to show them publicly.

Continue reading “Jigsaw RDPuzzle: Piecing Attacker Actions Together”

Continue reading