All Webinars
Understanding Modern EDR Tools: How They Work, How They Provide Value, and How to Bypass Them
Overview
Endpoint detection and response (EDR) tools are quickly becoming the standard protection against today’s adversaries. Yet, much like the solutions before them – legacy antivirus – attackers are already researching, publishing, and deploying novel techniques to understand and evade modern EDR products.
To stay one step ahead of the stealthiest cyber adversaries, red teams and penetration testers must study and simulate real defensive evasion techniques to identify weaknesses in their organization’s defense in depth, and security leaders must gain a better understanding of the EDR technologies they invest in.
During this webinar led by NetSPI VP of Research Nick Landers, viewers will:
- Explore the role that modern EDRs play and tips for evaluating vendors
- Review the latest defensive evasion techniques sophisticated adversaries deploy to bypass EDR tools
- Discover helpful resources for staying up to date with modern research and techniques
- Learn how to effectively implement the defensive evasion techniques within your own red team operations
Key highlights:
- 04:22 – The transition from Antivirus to EDR and other solutions
- 23:57 – Technical overview and evasion strategies
- 48:28 – Hopeful solutions
- 56:43 – Final thoughts: where does this leave us?
The transition from classic antivirus to EDR and other solutions
For about 30 years, it’s been widely known that antivirus software isn’t perfect and presents tricky challenges. The table below outlines antivirus strategies and associated evasions.
| Antivirus Strategies | Antivirus Evasions | |
| Checksums | Compare the SHA/MD5 hash to verify system integrity, match a known malicious sample, or mark an affected software version. | Make small binary changes to manipulate hashes. Re-use system binaries for functionality. Side-load modules for persistence. |
| Signatures | Compare byte level contents of file data, file system structures, MBR, etc. to match known malicious patterns. | Chunk samples and identify affected portions in sequence. Obfuscate/pack executable code. Scan signature files for matches. |
| Sandboxing | Detonate payloads in controlled environments to track heuristic behaviors and flag known patterns. | Detect sandbox environments before execution. Deliver stages from servers with intelligence. Force user interaction. |
| Data mining | Use a known data set of malicious and benign samples to train generic algorithms and/or build signatures. | Monitor popular data sources (VirusTotal), Perform in-memory manipulation/execution to evade statically-sourced detections. |
| Real time | Monitor open file handles, system events, application installs, etc., to identify dangerous behavior. | Avoid using disk components where possible. Prefer OS internals for persistence as opposed to full software packages. |
Despite common evasion techniques, antivirus has made some progress, such as:
- Traditional antivirus
- The need for signatures/rules never goes away
- Years of public research offered a convenience set of “problems” to fix
- Many well-known antivirus vendors now sell EDR as an additional product
The technical case for EDR products
When it comes to the technical case, at a high level, it’s important to think about how EDR solutions differ from antivirus and what EDR products have to do. There are three main components that they have to design, all of which have nuances and caveats, as well as flaws that an attacker can try to abuse or disrupt.
The three main components include:
- Data generation
- Process creation
- Network traffic
- File write/read events
- Sandboxing
- Library load events
- Kernel callbacks
- Data collection
- Event forwarding
- Agent stability
- Data integrity
- Network uptime
- Privilege separation
- Performance impact
- Data response
- Dashboards
- Risk scoring
- Processing delay
- Baselining
- Remote isolation
- Network scaling
General EDR evasion strategies
It’s important to have a holistic view of common EDR evasion strategies — and four common strategies often come to mind.
Typical evasion strategies include:
- Use obscurity to avoid known/common event patterns
- Just like defense, obscurity alone is a weak strategy
- Challenge assumptions about OS internals and subsystems
- The advantage always lies in understanding the battlefield
- Disable event sources to break data collection
- ETW, AMSI, user mode hooks, etc.
- Avoid transitions to reduce detection surface, as you are most vulnerable in transition
Hopeful solutions
When discussing possible solutions, machine learning (ML) and artificial intelligence (AI) need to be part of the conversation. The two terms are often used interchangeably and AI is more commonly used than ML, but this topic in particular focuses more on machine learning.
Machine learning captures the attention of investors and common terms or statements associated with the concept include, “analyzes millions of data points and adapts,” “high degree of confidence,” and “next generation.” However, in addition to being a trend or marketing buzzword, it’s important to understand what machine learning really is.
Overview of machine learning:
- Set of techniques that aim to model a problem mathematical
- Essentially a combination of statistics, math, and computers
- Predictions without explicit programming
- Impressive results for the right problems
- Growing utility for every field
- Computing power is more available
- Data aggregation is common in systems
Data presents several challenges or issues related to creating stronger defenses against threats.
Issues associated with data include:
- Better defenses demand we have more data
- More data to identify edge cases
- More data to reduce false positives
- More data to contextualize complex attacks
- New telemetry doesn’t replace existing data
- File hashes and content still need to be reviewed
- Network traffic still needs to be analyzed
- Spam and phishing emails still need to be identified
- Data in some places is approaching zettabytes in scale
- Given the points above, machine learning is almost the only solution; it can’t be done any other way
Machine learning is often seen as the next solution to solve attacks. While it is a buzzword that gets thrown around in marketing materials to sell products, in security, machine learning is primarily used for classification. Methods are also tried and true, as opposed to advanced methods, and include decision trees and gradient boosting.
Here’s an example of a machine learning strategy for EDR:
- Collect a data set for analysis
- Example: EMBER/SOREL dataset for PE files
- One file type from one platform doesn’t represent “malware”
- Select feature set for learning
- Consider the context of that data (packed PE vs loaded code)
- Exports/Entropy/Runtime API calls/String/Raw data
- Make the model actionable
- Does data in the real world match the features in the model?
- Can you test against models fast enough in real time?
- Domain knowledge is required (know any data science/malware authors?)
While machine learning has many benefits, it isn’t without risks.
Machine learning risks include, but aren’t limited to:
- Data privacy is a real concern for training data
- Anonymization techniques can’t be perfect
- Extracting information from models
- Models, once trained, are difficult to adjust manually
- Once understood, offensive attacks are trivial
- “It’s not even a question, there are no defenses, there are no detections, there’s barely any lagging.” – @moo_hax
- Model stealing requires very limited information (just a score)
- Machine learning systems engineers aren’t thinking about security yet
- Bypassing an algorithm will always be easier than a human
Where does this leave us?
Here are some final considerations to keep in mind about EDR tools:
- Almost everything “new” is just a fresh decal on existing engines made by the same people at the same companies
- Products continue to demand more data, charging customers for the privilege to share, and rolling that data into future products
- Machine learning/AI is mainly a new buzzword like app whitelisting, command line logging, zero trust, etc.
- Alert fatigue and poor scoring is a huge issue, even more than lack of telemetry
- Attackers are achieving a very deep understanding of OS internals and the same should be asked of EDR vendors both in communications and implementations
- Nothing will ever be a silver bullet, effective security will always be about defense in depth
- Consider the multitude of free solutions available and opportunities to layer projects and mitigations
With these considerations in mind, here a few questions to ask vendors when evaluating EDR tools:
- What data would you collect from our network and how would the data be used?
- Does your product make use of the kernel driver component?
- Are you a member of the Microsoft Virus Initiative? (MVI)
- What do you use to measure solution effectiveness?
- What metrics do you use for testing changes in QA?
- Do you perform any public third party testing to verify the integrity of your solutions? Can we see any report?
Improve your security controls with NetSPI
While EDR tools offer businesses some security benefits, these tools also have flaws and threat actors have identified several evasion strategies. As a result, only 20 percent of common attack behaviors are caught by EDR, SIEM, and MSSP out-of-the-box solutions.
While 100 percent detection doesn’t exist, EDR tools alone are not enough. NetSPI’s Breach and Attack Simulation (BAS) can improve your security controls by delivering a centralized detective control platform that enables you to create and execute customized procedures utilizing purpose-built technology.
Professional human pentesters simulate real-world attacker behaviors, not just indicators of compromise (IOCs), putting your detective controls to the test in a way no other BAS solution can. Learn more about NetSPI’s BAS offerings or connect with an expert team member by scheduling a demo today.
Presenter:
