Let's get a blue team perspective on EDR software

Excellium services newsletter : Let’s get a Blue Team perspective on EDR software

The latest trends in the threat defense model suggest that deploying an Endpoint Detection and Response (EDR) software might improve the security posture of your infrastructure, especially in large environments.
This short introduction intends to give some clues from a defensive point of view on their real benefits: the differences with your legacy anti-virus, their additional capabilities, but also their limitations.

Excellium services newsletter : Let’s get a Blue Team perspective on EDR software

The EDR software, more than just buffed up Anti-Virus

In the field of host protection, Anti-Virus systems hold the market since a long time. A great majority of those products based their detection on a list of signatures. Given a new malware, the vendors attempt to extract reliable Indicators of Compromise (IoC). For instance, they can be the hash of the binaries, static strings or even chunk of machine code contained in them. Once they have updated the knowledge base with fresh information, they distribute it amongst the agents. The agents will then perform their scans against it.

While this method proved to be of some value in the past, today’s malwares are packed into individual samples. Therefore, this generates unique signatures.

Moreover, they are often polymorphic, slightly modifying themselves at each installation, thus defeating those slow updating lists of signatures. Despite completing their engine with heuristic detection, static analysis of files, and sometimes performing a bit of dynamic analysis (executing files in a sandboxed environment) or memory analysis, Anti-Virus detection capabilities remain mostly limited to static indicators.

More about EDR software

EDR softwares go beyond this and mainly operate through behavioral analysis at a large scale. This includes deep monitoring of network connections, memory activity, or processes interactions. They are hooked deeper and differently into the operating system, and can observe more control points. Some might argue that it probably gives a significant advantage for OS owner to build an efficient EDR software. This being besides the topic of this newsletter, we won’t discuss it any further.

Therefore, instead of attempting to raise an alert solely based on static IoCs, EDRs focus on TTPs (Tactics, Techniques and Procedures). For example, an agent can let an unknown process execute on a given host until it deviates significantly from a safe baseline.

However, let’s be perfectly clear on this subject, EDR are not (yet) Artificial Intelligence. They merely extend their detection capabilities on known behaviors patterns. By implementing TTPs’ detection and recording a baseline of the host activity (usual processes, connections …), an EDR engine can correlate sensors and raise an alert upon deviations. Statistics, not AI.

Analysis and Incident Response

EDR softwares come with their own control center: a centralized interface to manage onboarded hosts. However, they also to perform further correlation and analysis. Indeed, as explained above, an alert is the result of multiple events from sensors. The interface allows the analysts to review associated events to decide whether the alert is justified or not. The analysts will get details about connections involved in the alert, as well as memory and processes artefacts. Some EDRs can even provide additional information. It can be the patterns recognized in the Mitre Attack framework or the kill chain stage detected, which can be of great help for triage.

From the incident handler point of view, some EDR softwares provide interesting capabilities. Indeed, they isolate a host from the rest of the network, capture specific artefacts remotely (full or partial memory segments, disk dump, registry keys), hunt for an IoC across the network. Some products push the limits offering a remote access on the endpoint with either a limited or a full interactive command line. In a way, such capabilities give the blue team the same tools than a Remote Access Trojan (RAT) does for the attackers. And that can make all the difference in an ongoing incident to identify and stop a threat.

EDR softwares: few limitations

As any emerging product, EDRs are not perfect and suffer from their own drawbacks. The first one is closely linked to their detection capabilities. Deployed as yet another black box, they often send continuously events or data to the cloud for further analysis “to improve their engine”. Data such as binaries, documents. Which asks the questions off the trust you give to your vendor and the legal considerations that go with such data sharing.

Moreover, being event driven systems, EDRs can also make the life of your analysts harder. Actually, the number of events per seconds might be very high and include artefacts unrelated with the alerts raised. In such cases, the analysts might have a hard time doing a proper triage. In addition, if you already have a centralized alerting console like a SIEM, you might be able to forward EDR alerts to it.

Nevertheless, your analysts will not have all the clues in their hands to handle it. In fact, being the result of multiple events, an alert does not embed any granularity by itself. Your analysts will have to connect to the EDR console to figure out what happened. Another console, and with a steep learning curve. Lastly, most of EDR interfaces do not support assignment, nor analysis escalation to a higher level. This results in denoting the novelty and lack of maturity of those products.

Technical side

On the technical side, the correlation is still mostly host centric. Indeed, if an attacker gained foothold on the machine A, then moves laterally to B and attacks C from it. No EDR software will draw the consolidated timeline for you. You will have to understand and build the puzzle by yourself. Among the most important features lacking for incident handlers, some EDRs can take memory or disk snapshots… Although, without offering a way to download the result from the interface, they save the snapshots on the disk of the (compromised) endpoint. This might be corrupted before the incident handlers can get to it.

Time to go for an EDR software

Because malwares evolve and get more and more sophisticated, a signature-based detection is not any longer enough. An EDR software, by relying on a more sophisticated approach, offers the ability to identify suspicious behaviors and raise alerts with more accuracy giving your response team a detailed timeline of the events.

However, EDR are only an emerging market, and if some of them might be mature enough to prove valuable tools for incident handlers, others might lack the necessary features to detect anomalies and provide adequate incident response in case of emergency.

Lastly, don’t let vendors fool you by claiming that an EDR software will stop 0-day attacks. It can stop a new trend of malware, an unknown signature but with identifiable noise, while a 0-day vulnerability means unseen vectors of exploitation and hence, unknown noise. Once again, no magic box can totally protect you. You must apply the defense in depth methodology, keep a constant vigilance, and stay aware of the new TTPs used by the attackers.

Cookie	Duration	Description
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

About us

Career Opportunities

Get in Touch

About us

Career Opportunities

Get in Touch

Excellium services newsletter : Let’s get a Blue Team perspective on EDR software

Excellium services newsletter : Let’s get a Blue Team perspective on EDR software

Let's deliver the right solution for your business