Zoltan Balazs, MRG Effitas, Budapest, Hungary
Sveta Miladinov, MRG Effitas, Budapest, Hungary
Chris Pickard, MRG Effitas, Budapest, Hungary
Traditional antivirus systems, firewalls, intrusion detection or prevention systems, and mail and web proxies have been bypassed by determined attackers for a long time. To counter these threats, vendors have started to develop a new class of products, called breach detection systems. Because the end goal of these systems is detection rather than prevention, they can be regarded as next-generation intrusion detection systems. To measure the effectiveness of breach detection systems, we propose a new type of test methodology. Our approach is based on the assumption that advanced attackers who can bypass the existing layers of security have the time, skill and resources to create unknown malware with advanced bypass capabilities. We evaluate a hybrid approach in which the IP address or domain of the attacker's C&C server is simulated in one case and real in another. Our approach uses only RAT (Remote Admin Tool / Remote Access Trojan) functionality, using both in-the-wild and custom-developed RATs.