EDR solutions found unable to detect common attack techniques used by threat groups: vendor detection list

A team of Greek researchers has tested endpoint detection and response (EDR) software from 18 cybersecurity vendors and found that many EDRs fail to detect some of the most common attack techniques used by advanced threat groups, such as state-sponsored espionage groups and ransomware groups.

George Karantzas and Constantinos Patsakis, researchers at the University of Piraeus in Athens, Greece, stated:

“There is still room for improvement, as state-of-the-art EDRs are unable to prevent or record the majority of the attacks reported here.”

Typical attack scenario

This research is detailed in the paper “An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors” published last year.

EDR software is an evolution of traditional anti-virus programs. It still uses both static and dynamic analysis to detect malware, but it also monitors, collects and aggregates telemetry from endpoints in order to detect malicious behavior that relies on stealthier techniques, such as abusing legitimate applications to launch an attack.

EDR is currently considered the pinnacle of endpoint security software, combining everything from static file signature rules to advanced machine-learning modules.

But it’s not perfect.

In their study, Karantzas and Patsakis investigated how today’s leading EDRs perform against a set of simple attacks that mimic the typical APT kill chain.

For the study, the researchers used an expired but previously established (aged) domain and protected it with a Let’s Encrypt TLS certificate. On it they hosted the following four malicious files, of types commonly used in real attacks:

  • Windows Control Panel shortcut file (.cpl)
  • Genuine Microsoft Teams installer that loads a malicious DLL placed alongside it (DLL side-loading)
  • Unsigned portable executable (EXE)
  • HTML Application (HTA) file

When executed, each of these four files abuses legitimate Windows functionality to load and run the backdoor Cobalt Strike Beacon.

The idea behind this attack chain is that these four files and the Beacon backdoor are typical payloads delivered to victims in a spear-phishing email, and that an EDR deployed inside a corporate network is expected to detect them, block them, or at least alert the security team.
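To make the four vectors concrete from the defender’s side, here is an added example (not code from the paper, from the researchers, or from any EDR vendor) of minimal behavioral checks run over a handful of constructed, Sysmon-style endpoint events: a .cpl launched from a user-writable folder, a Microsoft-signed host loading an unsigned DLL from next to itself, an unsigned EXE started from Downloads, and mshta.exe opening an .hta. The event fields, paths, file names, signer strings and the user-writable path list are all assumptions made for illustration; real EDRs correlate far more context than this, and the study’s point is precisely that such telemetry is not always acted on.

```python
"""Added example (not code from the paper or any EDR vendor): minimal behavioral
checks for the four initial-access vectors in the study, run over a few
constructed, Sysmon-style endpoint events. Field names, paths, signer strings and
the user-writable path list are assumptions made for illustration."""
import os
from dataclasses import dataclass

# Directory fragments a phished user can write to (assumption: a starting point,
# not an exhaustive list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Event:
    kind: str                 # "process" (creation) or "imageload" (DLL load)
    image: str                # full path of the new process / the loaded DLL
    cmdline: str = ""         # command line (process events only)
    signed: bool = True       # Authenticode status of `image`
    signer: str = ""          # signer subject of `image`, if signed
    loader: str = ""          # process that loaded the DLL (imageload only)
    loader_signer: str = ""   # signer subject of `loader`


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


RULES = []


def rule(fn):
    """Register a per-event check; its function name doubles as the alert name."""
    RULES.append(fn)
    return fn


@rule
def cpl_from_user_dir(ev: Event) -> bool:
    # Vector 1: a Control Panel item (.cpl) opened by control.exe/rundll32
    # from a user-writable location instead of the system directories.
    return (ev.kind == "process"
            and basename(ev.image) in ("control.exe", "rundll32.exe")
            and ".cpl" in ev.cmdline.lower()
            and in_user_writable(ev.cmdline))


@rule
def dll_sideload_into_signed_host(ev: Event) -> bool:
    # Vector 2: a Microsoft-signed host (here a Teams installer) loads a DLL
    # from a user-writable folder that Microsoft did not sign.
    return (ev.kind == "imageload"
            and ev.image.lower().endswith(".dll")
            and ev.loader_signer.lower().startswith("microsoft")
            and in_user_writable(ev.image)
            and not (ev.signed and ev.signer.lower().startswith("microsoft")))


@rule
def unsigned_exe_from_user_dir(ev: Event) -> bool:
    # Vector 3: an unsigned portable executable started from a user-writable path.
    return (ev.kind == "process"
            and ev.image.lower().endswith(".exe")
            and not ev.signed
            and in_user_writable(ev.image))


@rule
def hta_launch(ev: Event) -> bool:
    # Vector 4: mshta.exe running an HTML Application, from disk or from a URL.
    cl = ev.cmdline.lower()
    return (ev.kind == "process"
            and basename(ev.image) == "mshta.exe"
            and (".hta" in cl or "http://" in cl or "https://" in cl))


def evaluate(events):
    """Return (alert_name, image) for every rule that fires on every event."""
    return [(r.__name__, ev.image) for ev in events for r in RULES if r(ev)]


# Constructed sample telemetry: the four vectors followed by two benign controls.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\control.exe",
          cmdline=r"control.exe C:\Users\alice\Downloads\invoice.cpl",
          signer="Microsoft Windows"),
    Event("imageload", r"C:\Users\alice\Downloads\Teams\helper.dll", signed=False,
          loader=r"C:\Users\alice\Downloads\Teams\Teams.exe",
          loader_signer="Microsoft Corporation"),
    Event("process", r"C:\Users\alice\Downloads\report.exe", signed=False),
    Event("process", r"C:\Windows\System32\mshta.exe",
          cmdline=r"mshta.exe C:\Users\alice\Downloads\offer.hta",
          signer="Microsoft Windows"),
    Event("process", r"C:\Windows\System32\control.exe",
          cmdline="control.exe timedate.cpl", signer="Microsoft Windows"),
    Event("process", r"C:\Program Files\Vendor\app.exe", signer="Vendor Inc"),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

Each rule fires on exactly one of the first four events and on neither benign control. The checks are deliberately path- and signer-based rather than hash-based, because all four vectors in the study reuse trusted Windows binaries; in production such rules would be tuned against the organization’s own baseline to keep noise down.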

Tested EDRs and results

The research team tested these attacks against EDR software from Bitdefender, Carbon Black, Check Point, Cisco, Comodo, CrowdStrike, Elastic, ESET, F-Secure, Fortinet, Kaspersky, McAfee, Microsoft, Panda Security, SentinelOne, Sophos, Symantec, and Trend Micro.

The results are shown in the table below.

These results show that none of the tested EDRs fully covered all four attack vectors, so it is possible for threat groups to slip through corporate defenses.

The research team also notes that such gaps let attackers turn off the EDR, or at least disable its telemetry, so that defenders remain unaware of what is happening on the infected system while the threat actors prepare further attacks on the local network.

However, not all EDRs participated in this experiment.

In an interview last year on the YouTube channel of John Hammond, senior security researcher at Huntress Labs, the researchers said that not all EDR vendors agreed to provide their products for testing, and that some of the 18 products were tested with the help of intermediaries such as SOC and CERT teams.

But Karantzas and Patsakis said that once their research was made public, several vendors contacted them and inquired about ways to improve their products.

The article was updated shortly after publication to include the results of an expanded version of the study, which analyzed seven more EDRs in addition to the original 11.
