Texas Cyber Summit IV
Adversary Village

Matthew Eidelberg

Technical Manager, Optiv

Matthew Eidelberg is a Technical Manager in Optiv’s Threat Management Team (Attack and Penetration specialization). Matthew has over 8 years’ experience in both consulting and information security. Matthew’s primary role is focused on leading Threat Management’s Adversary Simulation Services which focus on physical, red/purple team, and other advanced assessments.

Matthew’s expertise also involves research development, focusing on developing new techniques and tooling for endpoint security bypass and evasion. Matthew’s experience working in enterprise networks has also given him a deep understanding of the business operations.

Talk: If EDR is the Answer, You Asked The Wrong Question

EDR products are becoming a necessary solution in the security stack. In this session you will learn the shortcomings of EDR, so you can make informed strategic decisions. Threat actors often operate with a black-box mentality, utilizing techniques and procedures that evade a wide spectrum of anti-malware controls, rather than avoiding detection by a specific set of controls, and do so with high success. This shift in thinking has yielded new, very sophisticated techniques to evade detection on disk and in memory. These techniques extend beyond the traditional initial compromise vectors and are often applied throughout post-exploitation to prevent any type of detection. With these advanced attacks, the landscape has had to shift from looking for signature- and heuristic-based threats to detecting behavioural ones.

With the implementation of these next-generation EDR products to detect all these types of bleeding-edge techniques, how are attackers still so successful? We’ll start by examining the issues that ALL EDRs face in their current deployment and how attackers can take advantage of them to completely bypass the product and blind it to their malicious activities. We will look from the perspective of EDRs as a whole; most of these flaws are present in all of them. Once we understand the systemic issues and how attackers can abuse them, we’ll focus on several techniques developed and deployed in the wild that are highly successful. We’ll conclude with some new techniques that will be introduced in ScareCrow 2.0, being released after the talk.

Recorded Live 📼