Tap, Tap, Is This Thing On? Testing EDR Capabilities

ShmooCon XIV - 2018

Presented by: Casey Smith (@infosecsmith2)
Date: Friday January 19, 2018
Time: 17:30 - 17:50
Location: Main Room
Track: One Track Mind

As organizations deploy EDR (Endpoint Detection & Response) solutions, it becomes imperative that these solutions are tested. The efficacy of these products depends on their correct configuration and deployment. In order to conduct these tests, we have developed a free Open Source framework called the Atomic Red Team. Designed to provide teams with small discrete tests. We want these test to be vendor agnostic, and representative of actual adversary behavior. When evaluating if these products are viable for your organization you need some standard tests to compare what provides you with the best coverage. This talk will explore our framework, discuss basic tests, chaining tests, and discuss how to contribute to the framework. Our aim is to put a testing framework in the hands of large and small security teams to confirm that they have the coverage needed to face modern adversaries. You need a plan to test on a regular basis that your systems are operational. We want to share our work, drawing from Software Engineering principles on testing, to help ensure your EDR tools are ready to face actual adversaries. Don’t wait for something horrible to happen to figure out that your solution isn’t working.

Casey Smith

Casey Smith (@subTee) is the Director of Applied Research at Red Canary. He has a passion for testing and understanding the limits of defensive systems.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats