So, About That Expensive Endpoint Detection and Response Software You Invested In …
Sounds Great On Paper …
Once again the spectre of doom hovers over the computing world. There was an idea, which sounded wonderful, to implement a new type of security software, referred to as Endpoint Detection and Response by the sales drones, which doesn’t passively scan your machine but instead detects suspicious behaviour in real time. Traditional antivirus software examines files and tries to determine whether they contain a signature matching known malware in its databases.
EDR monitors the behaviour of software as it runs inside a machine or network, in an attempt to strangle an infection as it tries to spread by recognizing odd behaviour. If an Excel macro runs on a machine and then finishes, this makes sense; that same macro immediately trying to access everything that the machine it ran on can connect to would trigger an alert and possibly a lockdown. This sounds good, and indeed it has become a billion dollar industry, but the effectiveness of EDR software is apparently nowhere near what you might assume.
Karsten Nohl, the chief scientist at Berlin-based SRLabs, and his team have some news. They tested Endpoint Detection and Response software from Symantec, SentinelOne, and Microsoft, and found that all three were bypassed by one or both of two fairly simple evasion techniques. The first was to avoid the EDR’s hooks by making direct kernel system calls, which is not terribly hard to program. If you guessed the second was to leverage DLLs, give yourself a pat on the back. Using a DLL to make indirect system calls is expected behaviour and tends to avoid EDR completely, and it is not a previously unheard of method of infection either.
This doesn’t mean EDR software is useless, merely that it is another layer in the onion we like to refer to as security.
EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyze the structure or execution of the code ahead of time, EDRs monitor the code's behavior as it runs inside a machine or network.