In our last blog post "Silent hacker attacks and the need for detection mechanisms" we talked about covert cyber attacks and the need for detection tools. Now we would like to present a typical Endpoint detection and response solution with its building blocks.
EDR, known as Endpoint Detection and Response, is a type of endpoint security solution that goes beyond detection-based, reactive defence. It also monitors end-user devices to detected and respond to cyber threads.
The term itself was created by Anton Chuvakin at Gartner and was defined as ‘’solution that records and stores endpoint-system-level behaviours, uses various data analytics techniques to detect suspicious system behaviour, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems.”
Why is EDR Security important?
Endpoint security has always been crucial element of IT Security but nowadays it became even more important, especially after an increased number of organizations’ employees are working remotely. Theirs devices must be protected from potential threads coming from cyber criminals but also from lack of regular security patching.
Moreover, EDR security solution will help you and your business in collecting and monitoring data, and it will give your IT Security team possibilities to show most vulnerable in the network, faster investigations of threads, and automatic remediation.
4 Benefits of an EDR platform
Here is a summary of what an EDR platform does:
Visibility of all actions on the endpoints: Detects security events, not just intruding malware
Detection of and response to cyber threats and attacks
Behavioural analysis
An advantage over simple anti-malware solutions, which only help against explicit, known malware at the time of intrusion, but not, for example, against file-less malware.
The features of an Endpoint Detection & Response (EDR) solution
1. Monitor the activity of the endpoint in real-time
There are analyses that an attack via a Living-of-the-Land attack (LotL) - "file-less attacks" - remain undetected for up to 200 days on average. Endpoint Detection & Response solutions enable the "silent" observation of an intruder without intervention.
Recognition, collection and cross-correlation of data
An EDR solution offers the possibility to recognise and correlate data company-wide. It collects information during an attack:
ongoing processes,
files that are being accessed,
started programs,
devices that are connected,
the type of access that occurs on the endpoint via the network, logon attempts made,
changes from the endpoint baseline where default security settings were set, such as installed unauthorised software
2. Support for forensic analysis and threat detection
The EDR solution provides security managers, security teams, and forensic investigators with the information they need to perform their analysis of abnormal or deviant behaviour on the endpoint. When it comes to cyber security, a security team should always be able to report the status and progress of its investigations. The prerequisite for this is an understanding of typical attack vectors and attack procedures.
Attack techniques and vectors - What attacks are there? Let's take the MITRE ATT&CK™ database as an example: This database provides in-depth information on attack tactics and techniques and is based on real observations. MITRE ATT&CK™ is free of charge.
Incident tracking: Thread Hunting
The number of incidents detected during threat hunting should not be the only indicator of success. What if you don't find anything suspicious and something is still there? It is therefore important to check whether the correct data has been collected, whether automation has been improved, and how much the team knows about its own environment when searching for specific enemy techniques. This only works with a focus on the right data - and this is where the EDR solution comes in.
3. Identification of attacks through behavioural or heuristic analysis
A behavioural or heuristic analysis can identify new techniques and malware without relying on known signatures. By signatures, we mean, among other things, the established practice of software manufacturers to sign their programs.
Antivirus programs (AV) work on the basis of known signatures and can therefore only report or prevent what they know. Descriptions for malicious software are often not up to date, however, or are missing anyway due to the number of variants that occur.
An AV solution can recognise a malware signature, which is a continuous sequence of bytes contained in malware. But zero-day attacks, for example, manipulate the signature and are often not recognised by AV solutions.
Ransomware attacks are software that is infiltrated by users, often via an infected email attachment. AV does not always protect against ransomware, as the signature of the malware is sometimes new or not recognisable.
Unlike a ransomware threat, a file-free malware attack is an attack on existing Windows tools, not on malicious software installed on the victim's computer. Therefore there is no signature that the AV can pick up.
4. Solving and elimination of problems
EDR solutions enable more effective cleanup and remediation after an attack. The counter-reactions or responses are configured (with DriveLock) in a policy. Responses are executed automatically when an alert occurs or centrally by an administrator.
Possible response options for alerts include
Quarantine computers or isolate them from the network, kill processes, adjust security settings
Execution of any scripts and batch files (e.g. Powershell script)
Changing group membership to control policies
Evaluation of user behaviour (user score)
Determination of unsafe computers (Computer Score)
DriveLock
