EDRs are Cybersecurity Stars, But You Still Need Offense and Defense

There is an ongoing cybersecurity battle to keep pace with the persistent evolution of more sophisticated malware and relentless malicious actors. As quickly as preventive measures are deployed, cybercriminals find new vulnerabilities and stealthy workarounds. The need for more comprehensive protections has spawned a modern approach to cyberdefense in the form of endpoint detection and response (EDR).

EDR is a Key Post-Execution Security Player

Organizations are turning to EDR solutions for much-needed visibility into malicious activity on endpoint devices, regardless of location. They are also essential for incident response. When an event is detected, EDRs can hasten the process of identifying the attack scope and remediating it.

EDRs discover and expose endpoint threats and collect the data needed for investigation and response. They differ from traditional signature-based antivirus by monitoring the behavior of code as it runs on the endpoint (process creation, memory allocation, API usage, network connections) rather than only matching files against known-bad signatures.

EDRs Must Adapt and Become More Preemptive

EDRs have proven to be a significant next-level security layer, with the benefits of greater endpoint visibility, real-time response and proactive protection. However, despite continued advancements, attackers keep producing malicious activity that EDRs do not yet recognize.

Nearly every Windows application reaches the operating system through DLLs, ultimately through the Nt*/Zw* stubs exported by ntdll.dll. EDRs insert themselves into this flow by overwriting the first instructions of selected exported functions with a jump, known as a "hook," into the EDR's own DLL. Each hooked call is forwarded to the EDR first, which records the caller, the arguments and the state of the process before passing the call on to the original code. These hooks operate in user mode, inside the monitored process, which is the least privileged mode the CPU offers: they are visible to, and can be overwritten by, any code running in that process. That is exactly why the evasions below work, and why vendors back user-mode hooks with kernel-mode callbacks and telemetry that code in the process cannot tamper with.

Most EDR detections are reactive: they block malicious activity only after the code has started to execute. Below are two fairly simple evasion techniques that have been effective against EDRs in attacks on endpoint devices.

User mode direct syscalls – This approach targets the EDR's hooks at the user level. User mode is attractive to attackers because it requires no elevated privileges: the hook lives inside the attacker's own process. It is often combined with masquerading, manipulating process and file attributes so the malicious process looks like a legitimate Windows process. Instead of calling the hooked Windows API or ntdll export, the malicious code recovers the system service number (SSN) of the function it wants, from an unhooked copy of ntdll on disk or from the unmodified bytes of neighbouring stubs, and executes the `syscall` instruction itself. The hook never sees the call, so the EDR's user-mode telemetry never records it.
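The following is an added example, not code from the article or from any EDR vendor. It models the x64 ntdll stub that an EDR hooks and shows the two things both sides of this technique care about: how a hook is recognised from the first bytes of a stub, and how a direct-syscall loader recovers the SSN from an unhooked stub. All byte sequences are constructed for the example, and the SSN value 0x18 is illustrative; real SSNs change between Windows builds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article. A clean Nt* stub on 64-bit
 * Windows begins
 *     4C 8B D1          mov r10, rcx
 *     B8 xx xx xx xx    mov eax, <SSN>
 * and reaches the kernel through "0F 05" (syscall). An inline hook
 * overwrites the prologue with a jump (E9 rel32) into the EDR's DLL. */

#define STUB_LEN 24

/* Constructed: shape of an unhooked NtAllocateVirtualMemory stub (SSN 0x18
 * is illustrative only). */
static const uint8_t clean_stub[STUB_LEN] = {
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx           */
    0xB8, 0x18, 0x00, 0x00, 0x00,                   /* mov eax, 0x18 (SSN)    */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test SharedUserData bit */
    0x75, 0x03,                                     /* jne  +3                */
    0x0F, 0x05,                                     /* syscall                */
    0xC3,                                           /* ret                    */
    0xCD, 0x2E,                                     /* int  2Eh (legacy path) */
    0xC3                                            /* ret                    */
};

/* Constructed: the same stub after an EDR wrote an inline hook over it. */
static const uint8_t hooked_stub[STUB_LEN] = {
    0xE9, 0x10, 0x32, 0x54, 0x76,                   /* jmp rel32 -> EDR DLL   */
    0x00, 0x00, 0x00,                               /* leftover bytes         */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03,
    0x0F, 0x05,
    0xC3,
    0xCD, 0x2E,
    0xC3
};

/* 1 if the expected prologue has been overwritten, 0 if the stub is clean. */
int stub_is_hooked(const uint8_t *stub, size_t len)
{
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    if (len < sizeof prologue)
        return 1;
    return memcmp(stub, prologue, sizeof prologue) != 0;
}

/* Offset of the "syscall" instruction inside the stub, or -1 if absent. A
 * hook usually leaves it intact, which is what indirect syscalls jump to. */
int find_syscall_gadget(const uint8_t *stub, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (stub[i] == 0x0F && stub[i + 1] == 0x05)
            return (int)i;
    return -1;
}

/* SSN encoded in "mov eax, imm32", or -1 when the stub is hooked and the
 * immediate can no longer be trusted (a loader would then read a fresh copy
 * of ntdll from disk, or the neighbouring unhooked stubs, instead). */
int64_t extract_ssn(const uint8_t *stub, size_t len)
{
    if (len < 8 || stub_is_hooked(stub, len))
        return -1;
    return (int64_t)((uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
                     ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24));
}

int main(void)
{
    const uint8_t *stubs[2] = { clean_stub, hooked_stub };
    const char *names[2] = { "clean", "hooked" };
    for (int i = 0; i < 2; i++)
        printf("%-6s stub: hooked=%d ssn=%lld syscall@%d\n", names[i],
               stub_is_hooked(stubs[i], STUB_LEN),
               (long long)extract_ssn(stubs[i], STUB_LEN),
               find_syscall_gadget(stubs[i], STUB_LEN));
    return 0;
}
```

The same prologue check is what a red-team tool runs against every Nt* export to map which functions the EDR cares about, and what an EDR's own integrity check runs to notice that its hooks have been removed. Note that a hook does not remove the `syscall` instruction further down the stub, which is why the "indirect" variant simply jumps to that offset inside ntdll.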

Reflective DLL loading – The attacker maps a DLL into the current process directly from a memory buffer instead of loading it from disk, doing the loader's work (section mapping, relocations, import resolution) in their own code rather than through LoadLibrary. Because no file is opened and the operating system's loader is never invoked, the EDR's file scanner and image-load notifications see nothing, and the payload's code lives in memory that is not backed by any file. Only the small loader touches the operating system, so few hooks are triggered. The loaded payload then issues its system calls, often indirectly, by jumping to the `syscall` instruction inside ntdll so that the call appears to originate from the legitimate stub.

To counter direct and indirect syscalls, EDRs cannot rely on hooks alone; they have to watch the execution flow itself. Kernel callbacks and ETW threat-intelligence events report sensitive operations regardless of how they were invoked, and the call stack at the moment of the call shows whether it originated from ntdll, from the program's own image, or from memory not backed by any file. With that, EDRs gather the data needed to isolate, analyze and respond. If the EDR finds potentially malicious code, it can automatically isolate the device from the network, alert the security team, and even shut the device down.
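As an added example (not code from the article or from any vendor's product), here is the call-stack check described above, reduced to its core and run over constructed data. It covers both evasions: a direct syscall shows up as a `syscall` instruction executed outside ntdll, and a reflectively loaded payload shows up as a caller frame in memory that no file-backed image covers. The module map, the three captured stacks and every address are constructed for the example; frame 0 is the user-mode return address at the time the syscall executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article. Models the call-stack check an
 * EDR can apply when a sensitive system call is observed from the kernel
 * side (callback or ETW event) rather than from a user-mode hook. */

typedef struct {
    const char *name;
    uintptr_t   base;
    uintptr_t   end;    /* exclusive */
} module_t;

/* Constructed: file-backed images mapped in the monitored process. */
static const module_t modules[] = {
    { "ntdll.dll",      0x7FFA10000000ULL, 0x7FFA101F0000ULL },
    { "kernelbase.dll", 0x7FFA0E000000ULL, 0x7FFA0E2D0000ULL },
    { "app.exe",        0x7FF600000000ULL, 0x7FF600040000ULL },
};

enum verdict {
    SYSCALL_BENIGN = 0,          /* entered via ntdll, all callers file-backed */
    SYSCALL_DIRECT = 1,          /* syscall instruction executed outside ntdll */
    SYSCALL_UNBACKED_CALLER = 2  /* via ntdll, but a caller sits in private    */
                                 /* memory: reflective DLL or indirect syscall */
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Name of the image containing addr, or NULL for memory not backed by a file. */
const char *module_for(uintptr_t addr)
{
    for (size_t i = 0; i < COUNT(modules); i++)
        if (addr >= modules[i].base && addr < modules[i].end)
            return modules[i].name;
    return NULL;
}

/* Walk the captured frames, innermost first, and classify the call. */
enum verdict classify_syscall(const uintptr_t *frames, size_t n)
{
    const char *origin = n ? module_for(frames[0]) : NULL;
    if (origin == NULL || strcmp(origin, "ntdll.dll") != 0)
        return SYSCALL_DIRECT;
    for (size_t i = 1; i < n; i++)
        if (module_for(frames[i]) == NULL)
            return SYSCALL_UNBACKED_CALLER;
    return SYSCALL_BENIGN;
}

/* Constructed: a normal VirtualAlloc from the application. */
static const uintptr_t stack_benign[] = {
    0x7FFA1009D2E4ULL,  /* ntdll!NtAllocateVirtualMemory + offset */
    0x7FFA0E01C5B0ULL,  /* kernelbase!VirtualAlloc                */
    0x7FF600001234ULL,  /* app.exe                                */
};

/* Constructed: the application carries its own syscall stub (direct syscall). */
static const uintptr_t stack_direct[] = {
    0x7FF600002000ULL,  /* syscall instruction inside app.exe     */
    0x7FF600001234ULL,  /* app.exe                                */
};

/* Constructed: a reflectively loaded payload calling through the API. */
static const uintptr_t stack_reflective[] = {
    0x7FFA1009D2E4ULL,  /* ntdll                                  */
    0x7FFA0E01C5B0ULL,  /* kernelbase                             */
    0x01E8F0002000ULL,  /* private RWX region, no backing file    */
};

int main(void)
{
    static const char *label[] = { "benign", "DIRECT SYSCALL", "UNBACKED CALLER" };
    printf("app VirtualAlloc : %s\n", label[classify_syscall(stack_benign, COUNT(stack_benign))]);
    printf("direct syscall   : %s\n", label[classify_syscall(stack_direct, COUNT(stack_direct))]);
    printf("reflective DLL   : %s\n", label[classify_syscall(stack_reflective, COUNT(stack_reflective))]);
    return 0;
}
```

Two caveats a practitioner would attach to this rule. JIT-compiled code (.NET, JavaScript engines) legitimately runs from unbacked memory, so a production version scopes the check to sensitive calls and known-clean process types rather than firing on every frame. And attackers who know the check exists forge return addresses (call-stack spoofing), so the verdict is one signal to correlate with others, not a conviction on its own.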

Third-Party Testing Highlights EDR Bypass Vulnerabilities

Recently, Security Research Labs detailed three obfuscation methods hackers are using against EDR solutions from Microsoft, Symantec and Sentinel One. Researcher Karsten Nohl noted, “Endpoint detection response makers should focus on detecting malicious behavior more generically rather than triggering only on specific behavior of the most popular hacking tools, such as Cobalt Strike. This overfocus on specific behavior makes EDR evasion too easy for hackers using more bespoke tooling.”

Another recent research report, from the University of Piraeus in Greece, was published on arXiv, the preprint server operated by Cornell University. Entitled "An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors", the testing included EDRs from leading vendors, including Bitdefender, Carbon Black, Check Point, Cisco, Comodo, CrowdStrike, Elastic, ESET, F-Secure, Fortinet, Kaspersky, McAfee, Microsoft, Panda Security, Sentinel One, Sophos, Symantec and Trend Micro. The results showed that nearly all of them failed to prevent, and in many cases even to log, the attacks.

Threat Protection Needs a Preventive Offense and Defense Response

With the startling scope and escalation of malware attacks, organizations need to prevent, not just react. The key to the growing bypass problem for EDRs is to scan DLLs accurately, with machine learning, for hidden malware before they are allowed to load. When attackers try to install shell extensions as a way to load malicious DLLs unnoticed, EDRs can defend themselves by requiring administrators to approve every shell extension before it is permitted to run. More broadly, every new executable should be either allowlisted or sandboxed for analysis before it runs on a device, so that its code can be traced and the identity of each caller established. The aim is that every system call can be attributed to original OS code or to an approved program, leaving malicious code little room to slip past the EDR's hooks undetected.


Mucteba Celik

Mucteba is RevBits' Chief Technology Officer. With over fifteen years of experience in cybersecurity and development, he designed, architected and led the development efforts of RevBits products, which utilize five of his patents. Mucteba is a hands-on and highly experienced cybersecurity leader with numerous advanced certificates, including GXPN, GREM, GCFA, OSCP, OSCE, etc. For many years Mucteba analyzed malware, cyber-attacks, state sponsored attackers and cyber-criminal behavior, and in parallel he analyzed cybersecurity products, and their vulnerabilities and shortcomings. Overseeing more than sixty developers at RevBits, he has created a suite of innovative and effective security products that make cyberspace safer for enterprises.
