On the trail towards EDR
In our last blog post "Silent hacker attacks and the need for detection mechanisms" we talked about covert cyber attacks and the need for detection tools. Now we would like to present a typical Endpoint Detection and Response (EDR) solution with its building blocks.
Here is a summary of what an EDR platform does:
- Visibility of all actions on the endpoints: Detects security events, not just intruding malware
- Detection of and response to cyber threats and attacks
- Behavioural analysis
- An advantage over simple anti-malware solutions, which only help against explicit, known malware at the time of intrusion, but not, for example, against file-less malware.
The features of an Endpoint Detection & Response (EDR) solution
1. Monitor the activity of the endpoint in real-time
Analyses indicate that a Living-off-the-Land (LotL) attack, a "file-less" attack, remains undetected for up to 200 days on average. Endpoint Detection & Response solutions enable the "silent" observation of an intruder without intervention.
Recognition, collection and cross-correlation of data
An EDR solution offers the possibility to recognise and correlate data company-wide. It collects information during an attack:
- running processes,
- files that are being accessed,
- programs that have been started,
- devices that are connected,
- the type of access that occurs on the endpoint via the network,
- logon attempts that have been made,
- deviations from the endpoint baseline in which the default security settings were defined, such as unauthorised software being installed.
2. Support for forensic analysis and threat detection
The EDR solution provides security managers, security teams, and forensic investigators with the information they need to perform their analysis of abnormal or deviant behaviour on the endpoint.
When it comes to cyber security, a security team should always be able to report the status and progress of its investigations. The prerequisite for this is an understanding of typical attack vectors and attack procedures.
Attack techniques and vectors - What attacks are there?
Let's take the MITRE ATT&CK™ database as an example: it provides in-depth information on attack tactics and techniques and is based on real-world observations. MITRE ATT&CK™ is free of charge.
Incident tracking: Threat Hunting
The number of incidents detected during threat hunting should not be the only indicator of success. What if you don't find anything suspicious and something is still there?
It is therefore important to check whether the correct data has been collected, whether automation has been improved, and how much the team knows about its own environment when searching for specific adversary techniques. This only works with a focus on the right data, and this is where the EDR solution comes in.
3. Identification of attacks through behavioural or heuristic analysis
A behavioural or heuristic analysis can identify new techniques and malware without relying on known signatures. By signatures, we mean, among other things, the established practice of software manufacturers to sign their programs.
Antivirus programs (AV) work on the basis of known signatures and can therefore only report or prevent what they already know. Signature definitions for malicious software are, however, often not up to date, or are missing altogether because of the sheer number of variants that occur.
An AV solution can recognise a malware signature, which is a continuous sequence of bytes contained in malware. But zero-day attacks, for example, manipulate the signature and are often not recognised by AV solutions.
Ransomware is malicious software that is brought in through users, often via an infected e-mail attachment. AV does not always protect against ransomware, as the signature of the malware is sometimes new or not recognisable.
Unlike ransomware, a file-less malware attack misuses existing Windows tools rather than installing malicious software on the victim's computer. There is therefore no file signature that the AV can pick up.
4. Resolving and eliminating problems
EDR solutions enable more effective cleanup and remediation after an attack. With DriveLock, the counter-measures or responses are configured in a policy. Responses are executed automatically when an alert occurs, or centrally by an administrator.
Possible response options for alerts include:
- Quarantine computers or isolate them from the network, kill processes, adjust security settings
- Execution of arbitrary scripts and batch files (e.g. a PowerShell script)
- Changing group membership to control policies
- Evaluation of user behaviour (user score)
- Determination of unsafe computers (Computer Score)
- Launch a security awareness campaign
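As an added illustration of sections 3 and 4 (example code written for this page, not DriveLock's own), the following Python contrasts a byte-signature check with behavioural rules run over constructed process telemetry, and maps the resulting alerts to policy responses. The rule names, the sample events, the "signature" bytes and the policy mapping are all made up for the example.

```python
from dataclasses import dataclass
# Constructed stand-ins: a byte sequence an AV would hold as a signature, and the
# bytes of a legitimate system tool that contains no such sequence.
KNOWN_SIGNATURES = {b"EVIL_MARKER_42"}
LEGIT_TOOL_BYTES = b"MZ\x90\x00 ... legitimate powershell.exe image ..."

@dataclass
class ProcessEvent:
    """One process-creation record as an EDR agent would collect it."""
    parent: str
    image: str
    cmdline: str

def signature_scan(file_bytes: bytes) -> bool:
    """Classic AV check: is a known byte sequence contained in the file?"""
    return any(sig in file_bytes for sig in KNOWN_SIGNATURES)

def office_spawns_shell(ev: ProcessEvent) -> bool:
    """An Office document starting a scripting host is a typical LotL indicator."""
    return (ev.parent.lower() in {"winword.exe", "excel.exe"}
            and ev.image.lower() in {"powershell.exe", "cmd.exe", "wscript.exe"})

def encoded_powershell(ev: ProcessEvent) -> bool:
    """An encoded command line hides from the analyst what is being run."""
    return ev.image.lower() == "powershell.exe" and "-encodedcommand" in ev.cmdline.lower()

RULES = [("office_spawns_shell", office_spawns_shell),
         ("encoded_powershell", encoded_powershell)]

def behavioural_scan(events):
    """Return (rule_name, image) for every event that matches a behavioural rule."""
    return [(name, ev.image) for ev in events for name, rule in RULES if rule(ev)]

# Response policy as in section 4: alert name -> automatic response (constructed).
POLICY = {"office_spawns_shell": "kill_process", "encoded_powershell": "isolate_host"}

def respond(alerts):
    """Map each alert to the response the policy prescribes (default: notify)."""
    return [(name, POLICY.get(name, "notify_admin")) for name, _ in alerts]

# Constructed telemetry: one benign event, one file-less attack via a built-in tool.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe report.txt"),
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -EncodedCommand ZXhhbXBsZQ=="),
]

if __name__ == "__main__":
    print("signature hit:", signature_scan(LEGIT_TOOL_BYTES))  # False: the tool is legitimate
    print("responses:", respond(behavioural_scan(SAMPLE_EVENTS)))
```

The signature check never fires on the legitimate tool binary, while the behavioural rules flag the same activity from the process chain and command line alone, which is the gap the text describes.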
If you would like to test our EDR solution live, you have the opportunity to do so free of charge for 30 days.
Would you like more information about EDR? Watch the recording of our EDR webinar. There, our product managers and pre-sales colleagues explain how EDR works using our solution.