Toot

Written by Gabriel N on 2024-10-03 at 19:34

The #mitre #engenuity attack evaluation project is super interesting and well done

I'm looking at Linux EDR solutions, and there seems to be very little info out there about how they perform. But this is a great source of info after you figure out how it works, and it really shows how the tools work.

For example, take a look here: a comparison of Fortinet, CrowdStrike and Palo Alto. To help you understand what you are looking at and keep the focus on Linux for now, start with unchecking all the steps before 9.7 (which will limit it to Linux).

Now in the summary, you will see a lot of purple. Purple means the EDR saw the activity.

This is somewhat interesting; most are quite good at finding things. But what I find to be really interesting is when you scroll down: you can see screenshots of the activity as it shows up in the EDR console. I find this the real value, as it gives a rare glimpse into how different solutions present the information, because I think this is a key part of how useful software is. An EDR will by definition collect much more info than it needs, and then the important part becomes presenting the information in a usable way that allows the end user (threat hunter) to quickly figure out if something is malicious or not.

Blocking or alerting on it is of course the other important thing, and that is not tested in this scenario (more on that in a moment). But I think the screenshots give an idea, for most of the products, of whether it would have been an alert.

For example, this one is interesting to look at:

(Linux) cron executes a reverse shell to 176.59.15.33:8081

For Fortinet, they are only showing the Threat Hunting view, so it's hard to tell if FortiEDR has generated an alert or not and at what severity.

#linux #edr #mitre #engenuity

Original URL
gemini://mastogem.picasoft.net/thread/113245164913616180