Let's face it... Our worst fears came true in the last few weeks of 2021. A global critical vulnerability was published that impacted almost every organisation, and will continue to have impacts for years to come. It was great to see the security community pull together and share information and knowledge, that would have otherwise been used for commercial benefit. Every single defender across the world was working hard to protect their organisations from impending doom.
What log4j (it still brings a shudder) has taught us, is that we really do need a Defence in Depth approach. A lot of organisations have started to understand Endpoint Detection and Response (EDR) tools and their place in a good cyber defence. However, there is still confusion around EDR and how this fits. So, we thought we would uncover what is EDR exactly, and run through what they do and why you should consider adding them to your organisation’s security toolbelt - if you haven’t already.
What is an EDR?
Let’s break down the name and go through each part:
Endpoint – you deploy the EDR agent onto endpoints (servers and user workstations) within your environment, these agents will collect telemetry about what is happening on the computer and send this data to your own private tenancy in the cloud, these tenancies are generally hosted by the EDR vendor.
Detection – EDR tools will have both traditional signature-based detections (known malicious files will be prevented from running) as well as behavioural detection capabilities (identifying suspicious or abnormal behaviour) and will fire alerts when it sees these.
Response – This is where an EDR tool really shines – they have the capability for responders to remotely connect to a host to perform triage, collect logs and gather forensic evidence. If it is identified that something malicious is running on an endpoint, it can be isolated from the rest of the network to sever a Threat Actor’s access, whilst still allowing responders to issue commands and continue their work.
What kind of data do EDRs collect?
The type of data being collected can differ depending on the EDR vendor, but this is a sample of some of the common pieces of telemetry they will record from a host:
This may be a small subset of the data that is collected by an EDR tool, but it is critical information required to understand what has happened during a security incident and will speed up the time to investigate what happened, how it happened, what the impact is and what needs to be done to remediate. Installation of an EDR tool into a client environment will be one of the first things that an incident response team will do when responding.
Will an EDR break my applications?
An important thing to do when rolling an EDR out into an environment is to plan. If you install the agent onto all your endpoints and turn the detection and prevention capabilities up to the maximum level it might indeed cause some issues within your existing stack. EDR tools will generally allow you to manage their configurations via policies. These can be heavily customised to suit complex environments where certain applications have to be up and running all the time.
When you are installing an EDR tool, the best practice is to install it into detection or monitor only mode and run it side by side your existing AV software. This will keep an eye on what is happening in your environment and alert to malicious behaviour, but it won’t do anything to prevent it. You can use this time to identify what legitimate processes and behaviours are being flagged as malicious and make adjustments to your policies or allow listing them.
After a suitable period of time, you can then remove your existing AV solution and put the EDR tool into prevention mode as well, to block any malicious behaviour.
Is an EDR tool a silver bullet?
An EDR tool is simply one part of a defense in depth security model but it is an extremely powerful one. Having an EDR tool doesn’t guarantee that you won’t be breached. For example, if you only rolled it out onto certain endpoints and servers in your environment, but not on a few Internet facing servers, these can still be exploited by a Threat Actor, who can then move into other parts of your network using Living of the Land Binaries (LOLbins) to evade detection.
Similarly, if you have successfully installed an EDR tool onto your entire fleet, but have placed exclusions onto certain paths, malicious software can still be executed from these folders. This was seen in the Kaseya supply chain hacks earlier this year. Sophos have a great article that covers how Kaseya required certain folders to be excluded from AV and EDR tools, which was abused by Threat Actors to deploy ransomware.
Anything else they can do?
Several EDR tools have capability to set policies around USB access controls on endpoints. This could be fine tuned to specify read only, block USB devices completely or only allow trusted USB devices to be connected. An EDR is not a full-blown Data Loss and Prevention (DLP) tool, but USB access controls are a great way to prevent malware from being introduced to a network from USB devices.
The telemetry that is being captured for each individual endpoint is being stored within the EDR cloud tenancy, this provides a lot of data for Threat Hunting. As alluded to earlier, Threat Actors will often using LOLbins and built in operating system software to complete their objectives. A Threat Hunter will be able to review all this activity and look for unusual usage which could indicate malicious behaviour.
Whilst EDR tools are generally defined as a security tool, they can also be utilised for normal IT operations. If a support team is trying to find out what is happening right before an application is crashing, they will be able to query this data from the EDR tool. Similarly, if they were looking for all occurrences of a particular program being run in an environment, they can see this information in the EDR console.
Does an EDR replace my other toolsets?
To an extent, yes. It can. An EDR can replace your antivirus software as many EDR solutions have this functionality built in. However, an EDR should not replace your SIEM or other log monitoring solutions. This is an enhancement to provide greater visibility and telemetry.
What EDR should I be considering?
There are many EDR solutions on the market. We recommend running a comparison on the leading solutions to check which one meets your requirements. Remember, it is not always about price. But, you do get what you pay for. We recommend chatting to a Red Teamer about the EDR platforms they come up against and have been defeated by. Always ask which ones they love seeing, as this might guide you and which ones to avoid.
Doesn't my antivirus do this already?
Unfortunately, no. Standard AV is pattern based. Whereas EDR is all about processes and visibility. As mentioned above, EDR can replace your AV. You should consider an EDR solution when renewing your AV. Many of the leading vendors will provide knockout pricing based on your current AV spend.
Who do I talk to for more information?
As always, the Triskele Labs team are here to chat. We see a lot of EDR solutions and support many. Reach out to any of the team to chat either technical, or commercial.