Traditionally, anti-virus software relies on signature-based detection. A signature is a unique set of data, or a file, that is matched against a binary or a process so that it can be identified. An example of a signature file is the anti-malware test file known as EICAR, which was originally conceived by Paul Ducklin in cooperation with CARO. However, signature-based anti-virus software has increasingly been replaced with endpoint detection and response (EDR) software. EDR software has become increasingly popular within corporate organizations and the remote workforce. As more people work from home, endpoints require software solutions that protect both the enterprise and the remote employees.
Components of an EDR
EDR software is designed to go beyond static signature-based detection and reactive measures such as quarantining malicious files. Instead, it provides continuous telemetry gathering that reports to a centralized dashboard, giving security teams more visibility into the activity on every enrolled endpoint. Incidents triggered on these endpoints can also be triaged quickly. What we find with a traditional AV approach is that even though alerts are raised in the console, these alerts are rarely collected or monitored, which often allows minor infections to escalate into full-blown breaches. Lastly, EDR gives security teams the ability to conduct threat hunting, which provides insight into potential signs of early infection or an existing infection. This is why, for every organization that wants to take security seriously, it is important to invest in an EDR product and either have a security team with the capacity to conduct threat hunting or outsource it to a third-party penetration testing company.
Uncovering the Marketing Behind Endpoint Protection
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework is a detailed cross-referenced repository of information about known APT groups and their operational tactics. This is often the framework that has been used to evaluate how well an EDR product does.
However, a quick Google search of “MITRE EDR Evaluation Results” turns up, for virtually every single EDR vendor, a bar graph linking to a blog post that presents their product as the “leader” or as having the most detection coverage, based on some arbitrary metric derived from the MITRE ATT&CK framework. If everyone claims that their product is superior, it becomes very hard for IT and security teams to find reliable information on any given product.
Therefore, it is important to do some preliminary tests before deciding to sign off on any given product. There is also a common trend among vendors to label their products as “EDR” when in fact the product does little more than detection based on static signatures or heuristics.
What EDR is Not
When an analyst or an IT professional tries to learn the differences between a traditional anti-virus and an EDR, many blog posts label anti-virus as “legacy” or “obsolete” and describe EDR products as software that provides “total security.” EDRs do not provide “total security.” Unfortunately, this mentality has permeated IT across several industries, and many security teams rely completely on EDR software to protect them against all threats.
When a red team or an adversary simulation is conducted against these same teams, EDR vendors often get pushback on why their product could not detect a given attack. If your security program depends solely on an EDR and not on the talented individuals on your security team, your organization may not prevail against more sophisticated actors.
Bottom line: training and education for your security or IT team are more beneficial for overall enterprise security. When your IT team understands the difference between EDR and traditional anti-virus they can interpret the difference, bypass all the marketing jargon and make a more informed decision on how to procure an EDR product.
Things to Watch out For
Lastly, at Packetlabs, we want to share some things that your organization can do during the procurement or EDR trial process:
Generate known and signatured shellcode with known C2 frameworks
Download malicious executable via the browser through HTTP and HTTPS
Detonate or execute the malicious payload
Use well-known lateral movement techniques such as PSExec and RDP
Conduct host and network discovery using built-in Windows net commands or using PowerShell
Conduct credential dumping techniques such as using Task Manager alongside Mimikatz (on a separate host)
Score each of the above actions as one of the following:
Blocked and generated risk-associated alerts
Blocked, but no generated alerts
Allowed, but generated risk-associated alerts
Allowed, and no generated alerts
This list of activities is by no means an exhaustive list that we use for our own testing. However, it is a good starting point for IT teams or security teams to understand their organization’s investment into a security product.
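As an added example that is not part of this post, the following Python script scores each trial action against the four outcomes above by correlating a tester-kept action timeline with an EDR alert export; the timeline, the pipe-delimited export format, the five-minute correlation window and the severity threshold for "risk-associated" are all constructed assumptions rather than any vendor's real format.

```python
from datetime import datetime, timedelta
# Constructed tester timeline (not real data): what was done, on which host,
# when, and whether the tester saw the EDR block the action.
ACTIONS = [
    {"id": "A1", "host": "WS01", "time": "2024-05-01T10:00:00",
     "action": "download payload via HTTPS", "blocked": True},
    {"id": "A2", "host": "WS01", "time": "2024-05-01T10:05:00",
     "action": "execute payload", "blocked": True},
    {"id": "A3", "host": "WS01", "time": "2024-05-01T10:20:00",
     "action": "host discovery with net commands", "blocked": False},
    {"id": "A4", "host": "WS02", "time": "2024-05-01T10:30:00",
     "action": "lateral movement over RDP", "blocked": False},
]

# Constructed alert export in an assumed format: timestamp|host|severity|text
ALERT_EXPORT = """\
2024-05-01T10:00:12|WS01|high|Malicious file download blocked
2024-05-01T10:21:40|WS01|medium|Suspicious reconnaissance command line
2024-05-01T10:31:05|WS02|informational|Scheduled scan completed
"""

WINDOW = timedelta(minutes=5)                     # assumed correlation window
RISK_SEVERITIES = {"medium", "high", "critical"}  # "informational" is ignored

def parse_alerts(text):
    """Parse the export into dicts; timestamps become datetime objects."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, severity, desc = line.split("|", 3)
        alerts.append({"time": datetime.fromisoformat(ts), "host": host,
                       "severity": severity.lower(), "desc": desc})
    return alerts

def risk_alert_fired(action, alerts):
    """True if a risk-associated alert on the same host lands in the window."""
    start = datetime.fromisoformat(action["time"])
    return any(a["host"] == action["host"] and a["severity"] in RISK_SEVERITIES
               and start <= a["time"] <= start + WINDOW for a in alerts)

def classify(blocked, alerted):
    """Map (blocked, alerted) onto the four checklist outcomes."""
    return {(True, True): "Blocked, alert generated",
            (True, False): "Blocked, no alert",
            (False, True): "Allowed, alert generated",
            (False, False): "Allowed, no alert"}[(blocked, alerted)]

def score(actions, alerts):
    # Returns {action id: outcome} for the whole trial run.
    return {a["id"]: classify(a["blocked"], risk_alert_fired(a, alerts))
            for a in actions}
```

Every action that lands in the "Allowed, no alert" bucket is a gap the EDR will not cover for you and belongs on the list of things to build compensating defences against.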
If and when your organization has an endpoint detection and response product, your team needs to know the product’s limitations. There are many things that EDR software is not able to see or prevent, so it is necessary to build defences against its gaps. Speak to us to learn how penetration testing and endpoint testing can improve your overall security posture.