Endpoint Detection and Response (EDR) solutions are often described as a ‘silver bullet’ and have become a cornerstone defensive tool for organisations attempting to protect their devices. In this article, Ineta Simkunaite and Waithera Junghae dispute this characterisation of EDR, arguing that is it how you use this technology that determines if the deployment is a success or a misfire.
This article is the fourth in a special series on cyber incident response which will culminate in the S-RM IR Bulletin in late January 2024. Missed last week's instalment? Read From red to blue: how pentesters enhance incident response now.
In the last 12 months, S-RM has responded to dozens of ransomware cases in which the organisation had an EDR tool in place, but despite deploying this advanced technology, the cybercriminals have managed to achieve their objectives. Which leaves the victim with the question, why did the EDR tool not prevent the attack?
We explored common threads throughout these cases and concluded that even when deploying advanced technology, the details matter.
Left to its own devices
The first key lesson is that the technology cannot be left to its own devices. In several of our most high-impact cases of 2023, we found alerts in their defensive tools which would have indicated an attack was underway, if there had been adequate and regular monitoring of these tools. The technology itself had worked as expected: it had identified malicious behaviour and had implemented a preset schema of response actions to delete the malware, quarantine the device and set off an array of colourful alarms and alerts. However, it had not stopped the attacks: instead it had forced the ransomware actors to be smarter, to evade, bypass and disable these tools but ultimately carrying on to achieve their initial objectives.
The tools lacked the human factor which turns them from intelligent sentries, to a key part of an effective detection, eradication and response strategy. EDR must be augmented by highly skilled and well-trained analysts who can identify and respond to the alerts. While the technology can produce an alert and try its best to remediate it, you need security teams to contextualise this alert. Security teams typically hold a deep understanding of the environment, allowing them to distinguish between false and true positives and take appropriate actions when threats are identified.
EDR must be augmented by highly skilled and well-trained analysts who can identify and respond to the alerts."
This ‘collaboration’ between technology and security teams should be formalised as much as possible by developing, documenting, and implementing detailed monitoring strategies tailored to suit their unique infrastructure and needs. This should enable teams to prioritise alerts based on both their severity and the likelihood they constitute a genuine threat. Additionally, they need to be constantly updated to deal with the ever-evolving threat landscape. Such plans help guard against 'alert fatigue' – when security teams get overwhelmed with large volumes of notifications – and ensure vital warnings signs are not missed.
Once the monitoring strategy is in place it’s important to create well-defined alert response plans. Organisations should have containment, eradication and response procedures to make sure potential threats are mitigated with minimal impact on the business operations.
Ultimately, the message is one of collaboration: neither security teams nor security technology are good enough to match the current threat in isolation. Careful collaboration between human and artificial intelligence is key.
99% is not good enough
The second most common pitfall is incomplete technology rollouts leaving gaps in visibility. These unguarded areas, or 'blind spots', are a goldmine for cybercriminals. They can serve as access points to maintain a foothold within the network, staging hosts from which they run their malware and scripts, and ideal devices to harvest data from to steal from the network. Without EDR in the way, it is trivial to remove built-in defensive tools like Windows Defender to continue the attack.
In October 2023, we responded to a case where a threat actor attempted to encrypt an organisation for a second time, despite having a highly capable EDR tool in place. The company had successfully rolled out the tool to 99% of the environment. The threat actor exploited the 1% that remained to re-enter the environment without detection. The threat actor then used the unmonitored device as a launchpad, deploying malicious tools and mapping the attack path to enable rapid movement across the broader network. In this case, S-RM halted the attack after observing a suspicious account accessing devices where EDR was installed; however, the case is not uncommon, with threat actor’s constantly leveraging incomplete technology rollouts to maintain a foothold.
Incomplete technology rollouts leaving gaps in visibility...and can serve as access points to maintain a foothold within the network"
That said, completing a technology rollout can often be complex. For most major EDR tools, there may not be an available software package for old legacy systems, many of which cannot be replaced to due to business needs. Or, the business uses an appliance with a proprietary operating system, like a VMware ESXI host, which most EDR tools cannot be installed upon, again limiting coverage.
Nonetheless security needs need to be aware of their coverage limitations, and where visibility cannot be improved, appropriate mitigations put in place. Unmonitored systems aren't merely isolated threats: they form a chain of vulnerabilities threatening the organisation's overall security. An endpoint protection strategy must encompass every device if it is to function effectively.
It’s not always malware
The third common pitfall is the assumption that an attack starts and ends with malware. EDR tools are extremely effective at identifying and terminating malware, yet many attacks do not use malware at all, or at least avoid doing so until it is too late for security teams to stop it.
For example, in 2023 we have observed the increased use of 'Living off the Land' (‘LOLbin’) tactics, where threat actors exploit legitimate tools within systems, which can fly under the radar of passive monitoring. If a threat actor manages to compromise a legitimate user’s VPN credentials, logs into the network and begins using tools like Remote Desktop Protocol (‘RDP’) to move around, and a legitimate software deployment tool like PDQ Deploy to execute their malware, it’s unlikely any EDR tool will flag this until it is too late and the malware or ransomware has already been executed. This is particularly problematic if the threat actor already has access to a highly privileged account used for IT systems administration, as it is unlikely they will be flagged for use of legitimate system administration tools even if done so in a strange context.
Defending against such covert techniques using EDR technology is challenging. Organisations need to move beyond the conventional approach of viewing malicious activity as synonymous with malware, and start to actively incorporate threat hunting into their detection and response strategy. To do this effectively, security teams need to carefully establish a baseline of normal activity, and then hunt for activity which deviates from this baseline.
So what?
Ultimately, your EDR technology is still an absolutely vital component in any organisation’s defence strategy. Yet, it is important to bear in mind they are not standalone solutions. EDR should be monitored by people who provide context and insight; the tool should be deployed as widely as possible; and the monitoring team should frequently hunt for irregular activity that might not trigger traditional detection engines. This ensures people, technology, and processes are aligned to amplify the effectiveness of this technology.
