Doctor of Philosophy (PhD)
The current industry standard to detect cyber threat activity on endpoints (workstations, servers, etc.) centers around the use of endpoint defense software. The software products marketed are Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), and eXtended Detection and Response (XDR) solutions. These solutions are typically deployed onto endpoints across enterprises and monitor various aspects of each operating system for malicious activity. Current generations of these three solutions have similar underlying software architectures, user workflows, and detection capabilities. These solutions also have a number of issues that inadvertently allow advanced cyber threat actors to succeed in their operations, such as lack of resilience to intentional evasions against critical software components, lack of resilience against user configuration errors, low detection rates of atomic techniques, low configurability for process-level behaviors, and semantically inappropriate alert messages. As proven in prior research and in research that the author is conducting concurrently alongside this research, these issues can be capitalized on by knowledgeable and observant attackers to enable their technique chains to succeed undetected. Through years of professional experience deploying, testing, and evaluating various commercial endpoint solutions in various system architectures (commercial enterprise systems, government systems, disconnected/air-gapped systems, etc.), the author has learned that many commercial endpoint defense technologies are designed to make decisions for the operators on what activity is benign and what activity is malicious, without giving operators the ability to change this decision making. Vendors of these solutions add to this by illustrating a measure of trust in the solution's efficacy by releasing their detection statistics of known Indicators of Compromise (IOCs).
These IOCs may or may not be used by attackers in the future as new attack techniques are developed. This creates a detection gap between known techniques that can be detected and actual techniques that are being executed. In addition to this, the author has observed in organizations across many industries a level of indiscriminate trust in commercial endpoint solutions. Many organizations fully trust endpoint solutions to be the sole defense mechanism on an endpoint without fully testing the solution for resiliency or detection gaps. All of these facts and circumstances create gaps, inconsistencies, and avenues for highly observant cyber attackers to maneuver in and out of systems undetected. This document illustrates all of the research that has been completed as part of this dissertation to solve the identified issues with current-generation endpoint defense solutions. The overarching approach to solving the identified problems was to use the Design Science Research (DSR) methodology to develop a software artifact that is sufficiently different from and more impactful than existing solutions, and to test the designed artifact against real-world attack technique stimulus to prove its validity and usefulness within real-world system architectures. The developed artifact gives operators the flexibility to define attack technique behaviors of interest through a custom-developed configuration syntax and utilizes Event Tracing for Windows (ETW) telemetry emanating from the Windows operating system in a unique way to detect the defined attack behaviors. Validation experiments on the developed artifact proved that the artifact, along with the user-defined configuration file, successfully detected 36/48 of the chosen atomic attack technique stimuli.
The results represent a significantly broad coverage of detection that current-generation endpoint solutions fail to accomplish, thereby illustrating the need to incorporate the developed artifact into real-world environments to combat cyber-attack activity.
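The abstract describes the core idea of the artifact: operators write process-behavior definitions in a configuration syntax, and the engine evaluates them contextually (parent/child relationships, not just single events) against ETW process telemetry. The following is an added illustration of that "endpoint defense as code" pattern, written for this page; it is not the dissertation's artifact, and its rule keys (`image`, `ancestor`, `commandline_regex`) are a hypothetical syntax, not the author's. The event records are constructed and only loosely modelled on the field names of the Microsoft-Windows-Kernel-Process ETW provider. The engine retains exited processes in its table so that a child spawned after its parent has terminated can still be tied to that parent, which is the contextual case single-event matching misses.

```python
"""Config-driven contextual detection of process behaviors over ETW-style events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterator

# Constructed sample telemetry in the shape of ProcessStart/ProcessStop events.
# Field names resemble the Microsoft-Windows-Kernel-Process provider; values are made up.
SAMPLE_EVENTS = [
    {"Event": "ProcessStart", "ProcessID": 400, "ParentProcessID": 1,
     "ImageName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Event": "ProcessStart", "ProcessID": 1200, "ParentProcessID": 400,
     "ImageName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"Event": "ProcessStart", "ProcessID": 1300, "ParentProcessID": 1200,
     "ImageName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc AAAA"},
    # The Office parent exits before its grandchild starts: context must be retained.
    {"Event": "ProcessStop", "ProcessID": 1200},
    {"Event": "ProcessStart", "ProcessID": 1310, "ParentProcessID": 1300,
     "ImageName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc AAAA"},
    # Benign: an interactive shell launched from the desktop, no Office ancestor.
    {"Event": "ProcessStart", "ProcessID": 1400, "ParentProcessID": 400,
     "ImageName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

# Hypothetical operator-authored rules (this syntax is an assumption of the example).
RULES = [
    {"name": "office-app-spawns-shell", "event": "ProcessStart",
     "image": ["*\\cmd.exe", "*\\powershell.exe"],
     "ancestor": {"image": ["*\\WINWORD.EXE", "*\\EXCEL.EXE"], "depth": 3}},
    {"name": "encoded-powershell-commandline", "event": "ProcessStart",
     "image": ["*\\powershell.exe"],
     "commandline_regex": r"(?i)\s-(enc|encodedcommand)\s"},
]


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str
    exited: bool = False


def _image_matches(image: str, patterns: list[str]) -> bool:
    # Case-insensitive glob match on the full image path.
    return any(fnmatchcase(image.lower(), p.lower()) for p in patterns)


class Detector:
    """Maintains a process table from start/stop events and evaluates rules in context."""

    def __init__(self, rules: list[dict]):
        self.rules = rules
        self.table: dict[int, Process] = {}

    def _ancestors(self, proc: Process, depth: int) -> Iterator[Process]:
        cur = proc
        for _ in range(depth):
            cur = self.table.get(cur.ppid)
            if cur is None:
                return
            yield cur

    def _matches(self, rule: dict, proc: Process) -> bool:
        if rule.get("event") != "ProcessStart":
            return False
        if not _image_matches(proc.image, rule.get("image", ["*"])):
            return False
        rx = rule.get("commandline_regex")
        if rx and not re.search(rx, proc.cmdline):
            return False
        anc = rule.get("ancestor")
        if anc and not any(_image_matches(a.image, anc["image"])
                           for a in self._ancestors(proc, anc.get("depth", 1))):
            return False
        return True

    def process(self, event: dict) -> list[str]:
        """Feed one event; returns the names of rules it triggered."""
        if event["Event"] == "ProcessStart":
            proc = Process(event["ProcessID"], event["ParentProcessID"],
                           event["ImageName"], event.get("CommandLine", ""))
            self.table[proc.pid] = proc
            return [r["name"] for r in self.rules if self._matches(r, proc)]
        if event["Event"] == "ProcessStop":
            # Mark rather than delete so later children keep their ancestry context.
            # A production engine would age entries out or handle PID reuse.
            proc = self.table.get(event["ProcessID"])
            if proc:
                proc.exited = True
        return []


def run(events: list[dict], rules: list[dict]) -> dict[int, list[str]]:
    """Evaluate a stream of events; map ProcessID -> triggered rule names."""
    det = Detector(rules)
    alerts: dict[int, list[str]] = {}
    for ev in events:
        hits = det.process(ev)
        if hits:
            alerts[ev["ProcessID"]] = hits
    return alerts


if __name__ == "__main__":
    for pid, names in run(SAMPLE_EVENTS, RULES).items():
        print(f"PID {pid}: {', '.join(names)}")
```

Running it on the constructed stream flags PID 1300 (cmd.exe under WINWORD.EXE) and PID 1310 (powershell.exe whose Office ancestor has already exited, plus the encoded command line), while the cmd.exe launched from explorer.exe produces nothing. Because the behaviors live in `RULES` rather than in the engine, an operator can tighten or widen what counts as suspicious without changing code, which is the configurability the abstract argues current EPP/EDR/XDR products lack.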
Lewis, Trevor M., "ENDPOINT DEFENSE AS CODE (EDAC): CONFIGURABLE CONTEXTUAL ANALYSIS OF PROCESS BEHAVIORS FROM KERNEL/USER EVENT TRACING" (2023). Masters Theses & Doctoral Dissertations. 427.