The EDR software, more than just a buffed-up Anti-Virus
In the field of host protection, Anti-Virus systems have held the market for a long time. The great majority of those products base their detection on a list of signatures. Given a new malware sample, the vendors attempt to extract reliable Indicators of Compromise (IoC): for instance, the hash of the binaries, static strings, or even chunks of machine code contained in them. Once they have updated their knowledge base with this fresh information, they distribute it to the agents, which then perform their scans against it.
While this method proved to be of some value in the past, today's malware is packed into individual samples, so every sample generates a unique signature.
Moreover, malware is often polymorphic, slightly modifying itself at each installation, thus defeating those slowly updated lists of signatures. Despite complementing their engines with heuristic detection, static analysis of files, and sometimes a bit of dynamic analysis (executing files in a sandboxed environment) or memory analysis, Anti-Virus detection capabilities remain mostly limited to static indicators.
More about EDR software
EDR software goes beyond this and mainly operates through behavioral analysis at a large scale. This includes deep monitoring of network connections, memory activity, and process interactions. EDR agents are hooked deeper and differently into the operating system, and can observe more control points. Some might argue that this gives the OS vendor a significant advantage in building an efficient EDR software. This being beside the topic of this newsletter, we won't discuss it any further.
Therefore, instead of attempting to raise an alert solely based on static IoCs, EDRs focus on TTPs (Tactics, Techniques and Procedures). For example, an agent can let an unknown process execute on a given host until its behavior deviates significantly from a safe baseline.
However, let's be perfectly clear on this subject: EDRs are not (yet) Artificial Intelligence. They merely extend their detection capabilities to known behavioral patterns. By implementing TTP detection and recording a baseline of the host activity (usual processes, connections …), an EDR engine can correlate sensor events and raise an alert upon deviations. Statistics, not AI.
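As an added illustration of the "statistics, not AI" point (this is not code from the newsletter or from any EDR product), the Python sketch below records a per-host baseline of usual processes and destinations, scores each sensor event against it, and raises an alert only when several deviating events from the same process lineage fall within a short window. The host name, process names, addresses and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed baseline for host WS01: processes and outbound destinations seen during a learning period.
BASELINE = {"WS01": {"processes": {"explorer.exe", "outlook.exe", "chrome.exe"},
                     "destinations": {"10.0.0.5:443", "10.0.0.9:25"}}}

# Constructed sensor events as (timestamp, host, sensor, details).
EVENTS = [
    ("2020-01-01T09:00:01", "WS01", "process", {"pid": 410, "ppid": 120, "name": "winword.exe"}),
    ("2020-01-01T09:00:05", "WS01", "process", {"pid": 522, "ppid": 410, "name": "powershell.exe"}),
    ("2020-01-01T09:00:07", "WS01", "network", {"pid": 522, "dest": "203.0.113.7:443"}),
    ("2020-01-01T09:10:00", "WS01", "process", {"pid": 600, "ppid": 120, "name": "chrome.exe"}),
    ("2020-01-01T09:10:02", "WS01", "network", {"pid": 600, "dest": "10.0.0.5:443"}),
]

def deviations(events, baseline):
    """Return (event, reasons) for every event that deviates from its host's baseline."""
    out = []
    for ev in events:
        _, host, sensor, d = ev
        b = baseline.get(host, {"processes": set(), "destinations": set()})
        reasons = []
        if sensor == "process" and d["name"] not in b["processes"]:
            reasons.append("process not in baseline: " + d["name"])
        if sensor == "network" and d["dest"] not in b["destinations"]:
            reasons.append("destination not in baseline: " + d["dest"])
        if reasons:
            out.append((ev, reasons))
    return out

def correlate(events, baseline, window=timedelta(seconds=30)):
    """Alert only when a deviating network event is preceded, within `window`, by a deviating
    process event in the same lineage (pid -> ppid chain). One deviation alone is noise."""
    devs = deviations(events, baseline)
    parent_of = {d["pid"]: d["ppid"] for _, _, s, d in events if s == "process"}
    alerts = []
    for ev, _ in devs:
        if ev[2] != "network":
            continue
        t_end = datetime.fromisoformat(ev[0])
        lineage, pid = set(), ev[3]["pid"]
        while pid in parent_of:          # walk up the process tree
            lineage.add(pid)
            pid = parent_of[pid]
        related = [(e, r) for e, r in devs if e[3]["pid"] in lineage
                   and timedelta(0) <= t_end - datetime.fromisoformat(e[0]) <= window]
        if len(related) >= 2:            # the network event itself plus a process deviation
            alerts.append({"host": ev[1], "at": ev[0], "events": related})
    return alerts
```

The alert carries the list of contributing events, which is exactly what an analyst reviews in the console to decide whether it is justified; the baselined chrome.exe connection raises nothing.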
Analysis and Incident Response
EDR software comes with its own control center: a centralized interface to manage onboarded hosts. This interface also serves to perform further correlation and analysis. Indeed, as explained above, an alert is the result of multiple events from sensors. The interface allows the analysts to review the associated events to decide whether the alert is justified or not. The analysts get details about the connections involved in the alert, as well as memory and process artefacts. Some EDRs can even provide additional information, such as the patterns recognized in the MITRE ATT&CK framework or the kill chain stage detected, which can be of great help for triage.
From the incident handler's point of view, some EDR software provides interesting capabilities: isolating a host from the rest of the network, capturing specific artefacts remotely (full or partial memory segments, disk dumps, registry keys), or hunting for an IoC across the network. Some products push the limits further by offering remote access to the endpoint with either a limited or a fully interactive command line. In a way, such capabilities give the blue team the same tools that a Remote Access Trojan (RAT) gives the attackers. And that can make all the difference in an ongoing incident to identify and stop a threat.
EDR software: a few limitations
As with any emerging product, EDRs are not perfect and suffer from their own drawbacks. The first one is closely linked to their detection capabilities. Deployed as yet another black box, they often continuously send events or data to the cloud for further analysis "to improve their engine", including data such as binaries and documents. This raises the question of the trust you place in your vendor and of the legal considerations that go with such data sharing.
Moreover, being event-driven systems, EDRs can also make the life of your analysts harder. The number of events per second can be very high and include artefacts unrelated to the alerts raised. In such cases, the analysts might have a hard time doing a proper triage. If you already have a centralized alerting console like a SIEM, you might be able to forward EDR alerts to it.
Nevertheless, your analysts will not have all the clues in their hands to handle it. Being the result of multiple events, an alert does not embed any granularity by itself: your analysts will have to connect to the EDR console to figure out what happened. Another console, and with a steep learning curve. Lastly, most EDR interfaces do not support assignment, nor escalation of an analysis to a higher level, which reflects the novelty and lack of maturity of those products.
On the technical side, the correlation is still mostly host-centric. If an attacker gains a foothold on machine A, then moves laterally to B and attacks C from there, no EDR software will draw the consolidated timeline for you. You will have to understand and build the puzzle by yourself. Among the most important features lacking for incident handlers: some EDRs can take memory or disk snapshots, but without offering a way to download the result from the interface, they save the snapshots on the disk of the (compromised) endpoint, where they might be corrupted before the incident handlers can get to them.
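Building that puzzle yourself, as an added example (not code from the newsletter or from any EDR vendor): given per-host event exports, the Python below starts from the first compromised host, follows each outbound connection to the host that recorded the matching inbound flow shortly afterwards, and merges the events of every host reached into one consolidated timeline. Host names, IPs, ports, alert texts and timestamps are constructed sample data, and the matching rule (same peer, same port, within a few seconds) is an assumption you would tune to your own exports.

```python
from datetime import datetime

# Constructed per-host EDR exports. Each host's console only knows its own events;
# hosts are addressed by IP on the network. Host D is a decoy never reached from A.
IP_OF = {"A": "10.0.0.1", "B": "10.0.0.2", "C": "10.0.0.3", "D": "10.0.0.4"}
HOST_EVENTS = {
    "A": [("2020-01-01T10:00:00", "alert", "unknown process started from a user profile"),
          ("2020-01-01T10:05:00", "net_out", {"dest": "10.0.0.2", "port": 445})],
    "B": [("2020-01-01T10:05:01", "net_in", {"src": "10.0.0.1", "port": 445}),
          ("2020-01-01T10:06:00", "alert", "new service binary written by remote session"),
          ("2020-01-01T10:20:00", "net_out", {"dest": "10.0.0.3", "port": 3389})],
    "C": [("2020-01-01T10:20:02", "net_in", {"src": "10.0.0.2", "port": 3389}),
          ("2020-01-01T10:25:00", "alert", "suspicious memory read of a system process")],
    "D": [("2020-01-01T10:07:00", "net_in", {"src": "10.0.0.1", "port": 443})],
}

def has_matching_inbound(events, src_ip, port, ts, max_skew):
    """True if `events` holds an inbound flow from src_ip on `port` within max_skew seconds after ts."""
    t0 = datetime.fromisoformat(ts)
    return any(kind == "net_in" and d["src"] == src_ip and d["port"] == port
               and 0 <= (datetime.fromisoformat(ets) - t0).total_seconds() <= max_skew
               for ets, kind, d in events)

def stitch_timeline(host_events, ip_of, start_host, max_skew=5):
    """From the first compromised host, follow each outbound connection to the host that
    recorded the matching inbound one, and merge every visited host's events into a single
    chronological timeline tagged with the host name."""
    host_of_ip = {ip: h for h, ip in ip_of.items()}
    visited, queue, timeline = set(), [start_host], []
    while queue:
        host = queue.pop(0)
        if host in visited:
            continue
        visited.add(host)
        for ts, kind, data in host_events.get(host, []):
            timeline.append((ts, host, kind, data))
            if kind == "net_out":
                target = host_of_ip.get(data["dest"])
                if target and has_matching_inbound(host_events.get(target, []),
                                                   ip_of[host], data["port"], ts, max_skew):
                    queue.append(target)
    return sorted(timeline, key=lambda e: e[0])  # ISO-8601 timestamps sort chronologically
```

Host D's inbound flow is not followed because no visited host reported the matching outbound connection, which keeps unrelated noise out of the timeline.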
Time to go for an EDR software
Because malware evolves and gets more and more sophisticated, signature-based detection is no longer enough. EDR software, by relying on a more sophisticated approach, offers the ability to identify suspicious behaviors and raise alerts with more accuracy, giving your response team a detailed timeline of the events.
However, EDRs are still an emerging market, and if some of them might be mature enough to prove valuable tools for incident handlers, others might lack the necessary features to detect anomalies and provide adequate incident response in case of emergency.
Lastly, don't let vendors fool you by claiming that an EDR software will stop 0-day attacks. It can stop a new strain of malware, i.e. an unknown signature but with identifiable noise, while a 0-day vulnerability means unseen vectors of exploitation and hence unknown noise. Once again, no magic box can totally protect you. You must apply the defense in depth methodology, keep a constant vigilance, and stay aware of the new TTPs used by the attackers.