By Kyle Hubbard, Software Engineer
EDRs have become an indispensable part of endpoint security. By combining “behavioral” detections to pair alongside more traditional hash-based or indicator-of-compromise (IOC) detections, endpoint detection, and response (EDR) platforms have proven more effective than their predecessors, the antivirus program.
It no longer matters if a known malicious binary was slightly modified to make its hash unique. Behavioral detections mean that defenders can focus on analyzing malicious techniques and patterns while avoiding the pitfall of “enumerating known badness.” If a brand-new program with a unique hash is trying to perform credential dumping and lateral movement, then you’ve got a pretty good idea that it’s up to no good. Focusing on the behaviors of a process, or aggregate behaviors of a particular user, also helps identify malicious usage of typically benign programs that are included with operating systems (so-called “living off the land” and “LOLbins”).
Where EDR stops short
That said, EDRs aren’t a panacea and they have their own issues. There’s a whack-a-mole cycle where defenders are constantly trying to keep up with the latest techniques, and not just from malicious actors. The topic of “EDR bypasses” is its own cottage blog industry, with new techniques discovered regularly. And it’s not always clear how real these bypasses are – what were the EDR detection settings, how was the user accessing the system, and what pre-conditions had to be in place for the bypass? Keeping up with detections research and sorting out what’s novel and what isn’t so novel after all can soak up valuable defender time and resources.
EDRs require a lot of defender time to triage false positives, and it’s not always easy. EDRs naturally want to default towards preventing as much malicious activity as they possibly can. But when you aren’t 100% certain something is malicious, it becomes a risk to take action on that process or file. Now instead of protecting the user, you’re disrupting their work or, even worse, possibly causing data loss. So instead, many detections are configured as “alerts”, or information-only telemetry events that need to be sorted through manually by analysts. It takes time to find the right balance for a given network between too many false positives versus too little telemetry that lets bad behavior go undetected. And it’s not something that can be done once and forgotten, but instead an ongoing effort.
Additionally, EDRs, by nature, have a point-in-time dependency. If a malicious actor gains access to a host and begins their operation, the EDR had to have been installed ahead of time, along with the latest detection coverage, to have any hope of detecting or preventing access. EDRs justifiably try to prevent as much malicious activity as they can, but preventing only works if you’re there in time. Undetected malicious binaries will sometimes be deleted after an actor achieved their goals, or remain inert and persist until the next time they’re needed. In these cases, it doesn’t matter if EDRs are later updated with relevant detections because the actor has already moved on, and the defender would never know.
But what if you automatically collected all unique and relevant files and programs from your environment and had detections run and re-run over these files whenever new content was available? Then, new detections are relevant for older files because you can run the latest detections on every file continually, and you’ll know that a file first seen 6 months ago, which was initially unknown, now contains known bad IOCs. You could also run machine learning and variant analysis on all files to find new malicious files that were unknown to any detections.
Filling in the gaps
Stairwell has been calling this approach Continuous Intelligence, Detection, and Response (CIDR). CIDR provides the ability to repeatedly run intelligence and detections over the entire file corpus of your environment. Supply-chain attacks are becoming more common as a way to abuse trusted software to gain initial access to networks. Attackers have demonstrated patience in their operations by leaving malware inert on systems until they’re ready to be activated. The malware that infected SolarWinds was configured to wait two weeks before beginning activity. With CIDR, you collect everything, and you don’t have to trust programs or vendors. The DLL from SolarWinds would have been collected, and as soon as detections were available for it, you would know every host that had been compromised.
|EDR + CIDR = Better Together|
EDR is a must-have tool for any organization, but it can’t stop everything. It can only defend against what it knows about. So, what do you do about the unknown – the newly released malware variants, the supply chain vulnerabilities that haven’t yet hit the news, and the other threats lurking around the corner?
Supply chain isn’t the only way that trust is being abused by attackers. Increasingly, they’re finding and exploiting vulnerable drivers to be able to run payloads from kernel mode. Some malware install these types of drivers themselves, a technique known as bring-your-own-vulnerable-driver. Access to kernel mode can make detecting malicious activity much more difficult and, in some cases, this can allow actors to disable EDRs entirely. By collecting all files with a CIDR solution, you would know every single host that had been infected with a vulnerable driver, even if the driver wasn’t known to be vulnerable at the time it was deployed.
Vulnerable drivers have become such a problem that Microsoft introduced a block list that can be consumed by early-lauch antimalware drivers to block known vulnerable or malicious drivers – except that Microsoft themselves didn’t update the list on Windows hosts for years. To protect a large and powerful attack surface like kernel mode, defense in depth is required, and a CIDR solution can instantly tell you each host that a vulnerable driver was deployed and loaded on your network.
In the next year, we’ll likely continue to see more EDR bypasses. It’ll increasingly be more important to implement layers of defense to know when your network has been targeted with malicious activity. CIDR solutions aren’t a replacement for your EDR – they are complements that help reduce your dependence on the detections-bypass-coverage cycle while giving your organization a more holistic view of its entire environment and everything inside.
Kyle has been building security software products for over 10 years. He loves that there's always something new to learn in the industry. When he's not chasing his daughter around, he enjoys playing ultimate frisbee and cross-country skiing.