Last year, organizations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware that targets network-connected devices. EDRs, as they are commonly called, represent a newer approach to malware detection. Static analysis, one of the two more traditional methods, inspects the contents of a file itself for suspicious characteristics. Dynamic analysis, the other more established method, runs untrusted code in a secure “sandbox” to observe what it does and confirm it is safe before it is granted full system access.
EDRs — projected to generate $18 billion in revenue by 2031 and sold by dozens of security companies — take a very different approach. Rather than pre-analyzing the code’s structure or execution, EDRs monitor the behavior of the code as it runs within a machine or network. In theory, an EDR can stop an ongoing ransomware attack by detecting that a process running on hundreds of machines in the last 15 minutes is massively encrypting files. Unlike static and dynamic analysis, EDR is akin to a guard that uses machine learning to track activity within a machine or network in real time.
Streamline EDR evasion
Despite the buzz surrounding EDRs, new research suggests that the protections they provide aren’t too hard for experienced malware developers to get around. In fact, the researchers behind the study estimate that EDR evasion adds just one extra week of development time to the typical infection of a large organizational network. That’s because two fairly simple bypass techniques, especially when combined, seem to work on most EDRs available in the industry.
“EDR evasion is well documented, but more as a craft than a science,” Karsten Nohl, chief scientist at Berlin-based SRLabs, wrote in an email. “What’s new is the insight that combining several known techniques yields malware that evades all the EDRs we tested. This allows the hacker to streamline their EDR evasion efforts.”
Both malicious and benign apps use code libraries to communicate with the OS kernel. To do this, the libraries call the kernel directly. EDRs work by interrupting this normal flow of execution. Instead of calling the kernel, the library first calls the EDR, which then collects information about the program and its behavior. To interrupt this flow of execution, EDRs partially overwrite the libraries with additional code known as “hooks.”
Nohl and fellow SRLabs researcher Jorge Gimenez tested three commonly used EDRs sold by Symantec, SentinelOne and Microsoft, a sample they believe fairly represents the offering in the market as a whole. To the researchers’ surprise, they found that all three were circumvented by using one or both of two fairly simple evasion techniques.
The techniques focus on the hooks that the EDRs use. The first method bypasses the hook function and makes direct kernel system calls instead. While successful against all three EDRs tested, this hook avoidance has the potential to raise suspicion in some EDRs, so it’s not foolproof.
The second technique, when implemented in a Dynamic Link Library file, also worked against all three EDRs. In this approach, only fragments of the hooked functions are executed, so the hooks themselves are never triggered. To do this, the malware makes indirect system calls. (A third technique involving unhooking functions worked against one EDR, but was too suspicious to fool the other two subjects.)
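As an added illustration, not code from SRLabs or the article, the toy model below shows the two execution paths described above: a call that passes through the hooked ntdll stub, which the EDR observes, and a direct system call that never enters ntdll, which the hook misses but which kernel-side telemetry can flag because the syscall instruction executed outside ntdll's image. All module names, addresses and the Process/SyscallEvent classes are constructed for the example.

```python
# Constructed model of hooked vs. direct syscall paths; nothing here is
# a real address or a real EDR implementation.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int                        # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Constructed address layout of one user-mode process.
NTDLL = Region("ntdll.dll", 0x7FF8_0000_0000, 0x7FF8_0020_0000)
EDR = Region("edr_hook.dll", 0x7FF8_1000_0000, 0x7FF8_1010_0000)
APP = Region("app.exe", 0x0001_4000_0000, 0x0001_4010_0000)


@dataclass
class SyscallEvent:
    api: str
    syscall_ip: int                 # where the `syscall` instruction ran
    seen_by_hook: bool = False      # did the EDR's user-mode hook see it?


@dataclass
class Process:
    hook_log: list = field(default_factory=list)

    def call_via_ntdll(self, api: str) -> SyscallEvent:
        # Hooked path: the first bytes of the ntdll stub were overwritten
        # with a jump into the EDR, which records the call and then resumes
        # the original stub, whose `syscall` instruction lives inside ntdll.
        self.hook_log.append(api)
        return SyscallEvent(api, NTDLL.start + 0x1234, seen_by_hook=True)

    def direct_syscall(self, api: str) -> SyscallEvent:
        # Hook-avoidance path: execution never enters ntdll, so the hook logs
        # nothing and the `syscall` instruction executes from the app image.
        return SyscallEvent(api, APP.start + 0x5678)


def suspicious_origin(ev: SyscallEvent) -> bool:
    # Kernel-side telemetry sees every syscall regardless of user-mode hooks
    # and can record the user-mode address it returns to. A `syscall` that
    # did not execute from ntdll is abnormal for ordinary Windows programs.
    return not NTDLL.contains(ev.syscall_ip)


def assess(ev: SyscallEvent) -> dict:
    return {"api": ev.api, "seen_by_hook": ev.seen_by_hook,
            "suspicious_origin": suspicious_origin(ev)}
```

Running both paths for the same API shows the trade-off the article describes: the direct call escapes the hook's log but produces the out-of-ntdll signal that some EDRs treat as suspicious.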
In one lab test, the researchers packed two commonly used pieces of malware, one called Cobalt Strike and the other Sliver, into both an .exe and a .dll file using each bypass technique. One of the EDRs — the researchers don’t identify which one — did not detect any of the samples. The other two EDRs were unable to detect samples from the .dll file when using either technique. For the record, the researchers also tested a common antivirus solution.
The researchers estimate that the typical baseline time it takes for malware to compromise a large corporate or organizational network is about eight weeks for a team of four experts. While EDR evasion is believed to slow down the process, the revelation that two relatively simple techniques can reliably bypass this protection means that malware developers may not need as much extra work as some might think.
“In general, EDRs add about 12 percent or a week of hacking effort when compromising a large company — judging by the typical execution time of a red team drill,” Nohl wrote.
The researchers presented their findings at the Hack in the Box security conference in Singapore last week. Nohl said EDR makers should focus on more generically detecting malicious behavior rather than just triggering on specific behavior of the most popular hacking tools, such as Cobalt Strike. This excessive focus on specific behavior makes EDR evasion “too easy for hackers who use more custom tools,” Nohl wrote.
“In addition to better EDRs on endpoints, we still see potential in dynamic analysis within sandboxes,” he added. “These can run in the cloud or be tied to email gateways or web proxies and filter out malware before it reaches the endpoint.”