Many thanks to the great folks at AV-Comparatives, who have sponsored my writing for the past week.
Austrian anti-malware testing lab AV-Comparatives has published its new Advanced Threat Protection report (Enhanced Real-World Test) into endpoint protection products.
The test checks the ability of well-known security products from vendors such as Avast, Bitdefender, CrowdStrike, ESET, FireEye, Kaspersky and Sophos to protect against targeted attacks known as Advanced Persistent Threats (APTs)
APTs are a growing menace, and are engineered to avoid detection by standard malware protection mechanisms. The threat to businesses from such attacks should not be underestimated.
AV-Comparatives performed the test in response to the increasing number of APT attacks. Whilst they can be directed at consumers/individuals, APTs are most commonly directed at businesses. They allow hackers to establish remote control of infected computers, with which they can carry out a wide variety of criminal activities. Data can be stolen, deleted or substituted, and systems can be sabotaged.
Another important reason for AV-Comparatives’ Enhanced Real-World Test is that APTs use a number of techniques to evade detection by endpoint security programs.
To create the most realistic possible scenario, AV-Comparatives’ test uses the same real-world hacking and penetration techniques employed by hackers to access corporate internal computer networks. These include the use of system programs, along with popular scripting languages. The test involves both staged and non-staged malware samples, and deploys obfuscation and encryption techniques to try to hide malicious code.
Fileless malware is included, and different command and control (C2) channels and exploit frameworks are used, to imitate the range of threats found in the real world.
The Enhanced Real-World Test checks whether the malware can evade the respective security product and establish a C2 connection to the attacker’s server. The security products can use all of their protection mechanisms, and the attack can be blocked at any stage of the process before the C2 session is established.
AV-Comparatives’ Enhanced Real-World Test makes use of elements of the MITRE ATT&CK framework, although its aims – to evaluate protection provided by different endpoint security products – are very different. To ensure that tested products cannot score highly by blocking legitimate software or functionality, a false-positives test is included.
The report is free to download from AV-Comparatives’ website.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.