reader comments
24 with 24 posters participating
Last year, organizations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they’re commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured “sandbox” to analyze what it does to confirm it’s safe before allowing it to have full system access.
EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyze the structure or execution of the code ahead of time, EDRs monitor the code’s behavior as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.
Streamlining EDR evasion
Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn’t all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organizational network. That’s because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.
The second technique, when implemented in a dynamic link library file, also worked against all three EDRs. It involves using only fragments of the hooked functions to keep from triggering the hooks. To do this, the malware makes indirect system calls. (A third technique involving unhooking functions worked against one EDR but was too suspicious to fool the other two test subjects.)
In a lab, the researchers packed two commonly used pieces of malware—one called Cobalt Strike and the other Silver—inside both an .exe and .dll file using each bypass technique. One of the EDRS—the researchers aren’t identifying which one—failed to detect any of the samples. The other two EDRs failed to detect samples that came from the .dll file when they used either technique. For good measure, the researchers also tested a common antivirus solution.
The researchers estimated that the typical baseline time required for the malware compromise of a major corporate or organizational network is about eight weeks by a team of four experts. While EDR evasion is believed to slow the process, the revelation that two relatively simple techniques can reliably bypass this protection means that the malware developers may not require much additional work as some might believe.
“Overall, EDRs are adding about 12 percent or one week of hacking effort when compromising a large corporation—judged from the typical execution time of a red team exercise,” Nohl wrote.
The researchers presented their findings last week at the Hack in the Box security conference in Singapore. Nohl said EDR makers should focus on detecting malicious behavior more generically rather than triggering only on specific behavior of the most popular hacking tools, such as Cobalt Strike. This overfocus on specific behavior makes EDR evasion “too easy for hackers using more bespoke tooling,” Nohl wrote.
“Complementary to better EDRs on endpoints, we still see potential in dynamic analysis within sandboxes,” he added. “These can run in the cloud or attached to email gateways or web proxies and filter out malware before it even reaches the endpoint.”