Evan Perotti is a Lead Scientist at Security Risk Advisors. He focuses on research and development, primarily within the offensive security space. His specialties include AWS security, Windows endpoint security, and purple teaming.
Are your tools actually detecting on the right indicators? A common refrain in defense is that detections should address attacks at the behavior level and avoid relying on low-hanging indicators. Across the hundreds of purple team exercises we conduct each year, we've evaluated all manner of endpoint security controls. Invariably, they all suffer from diminished coverage once weaker indicators, like process command lines, are removed. It seems security vendors prefer taking the easy route. This talk will focus on separating attack behaviors from their specific implementations, evaluating detection robustness, and implementing atomic testing procedures to address these concepts. It will also cover open-source tooling we've released that is designed to help red teams put these concepts into practice for their organizations.
Location:
Live! Casino & Hotel Philadelphia
900 Packer Ave, Philadelphia, PA
Date:
Friday, December 5, 2025