Nearly every end-user device, and indeed the majority of servers and other computing platforms, have some form of malware defense installed. Such tools serve as the last line of defense against attacks that have managed to land on a desktop, server, or other device. The art and science of malware detection and response has evolved rapidly over even the last five to 10 years. Modern Endpoint Detection and Response (EDR) platforms can identify and block malicious actions as a binary is executing by evaluating the actions and executions that the binary is performing. While EDR tools provide powerful defensive operations and should be seen as a vital part of overall cybersecurity resilience, they are not infallible.
This is the first blog in a two-part series that highlights EDR and how attackers seek to bypass these controls and evade detection. This first blog examines common methods used by cybersecurity tools to defend devices and organizations. Part 2 will examine methods used by threat actors to attempt to overcome those defenses.
Different Options for Endpoint Defense
Before we can delve into how a threat actor could overcome an EDR platform, it is necessary to define what the term means in the modern digital world. With so many vendors offering different solutions to bolster endpoint defense, detailing what is meant by “EDR” can clarify how these tools are visualized by threat actors in their pursuit of a goal.
Anti-Virus Solutions (Static Detection): The term “anti-virus” is generally defined as signature and heuristic scanning of files – either on demand, on a schedule, or both. These tools examine files written to disk for telltale signs that they are likely or definitely malicious in nature, and do so before the file itself is opened or executed. Signature scanning looks at the result of mathematical operations to produce a hash – or signature – for the file. This hashing will always produce the same output, given the same input; and so the hash can be compared to millions of known malicious file hashes for confirmation. Heuristic scanning (which is often used along-side signature scanning) does perform hashing and hash comparison, but not merely on the file as a whole. Blocks of code within the file are also hashed to determine if the file is likely to be malware due to similarity of its code with code from known malware.
Behavioral Detection (Dynamic Detection): Modern anti-malware solutions allow a file to be opened and/or executed, while carefully monitoring every action that file takes to determine if it is attempting to perform actions which can be classified as malicious. This can be done within a “sandbox” – a restricted environment where even if the file is malicious it would have significant difficulty in impacting the device itself – or within the running Operating System itself. EDR solutions typically fall into this category, monitoring each process to determine the likelihood that it is malicious in nature, and shutting down those processes it determines to be a threat.
Combination Platforms: Many platforms available for organizational use will utilize both forms of defensive operations in order to reduce the overhead and system use while providing the highest possible detection rate. Static analysis is performed on files written to disk, but if those files are opened and/or executed; then dynamic analysis is immediately brought to bear. This reduces the CPU and RAM use of the anti-malware tool for files which are downloaded but not immediately opened. The tool can quarantine or destroy any file that appears to be malware before it is even run, but this dynamic analysis comes with a cost of higher resource use whenever a file is opened.
eXtended Detection and Response (XDR): Solutions that look beyond the individual end-user device often classify themselves as XDR. These tools use static and dynamic detection methodologies on each device, but also share real-time information about other detections on other devices throughout the network. By centralizing information and viewing the organization as a whole, XDR platforms provide static and dynamic scanning while also recognizing additional signs that threat activity. Depending on the vendor and scope of the XDR, this can include network activity, Internet activity, SaaS platform activity, and a host of other metrics and operational data. While more complex to implement, tune, and manage over time, the additional data points that XDR can analyze can be of great assistance to a cybersecurity resilience program.
All three common methods for endpoint defense – static analysis (anti-virus scanning), dynamic analysis (behavioral detection), and XDR methodologies provide layers of protection against malware that has made it onto a user or server device. While static analysis alone has been shown to be less effective than alternatives, it is not fully obsolete. Combinations of static and dynamic analysis continue to be the best choice for the majority of organizations looking to keep their endpoints safe.
Read more about an EDR evasion technique discovered by Cymulate researchers.