Chris Swagler | January 6th, 2022


A team of Greek academics tested endpoint detection and response (EDR) software from 18 top cybersecurity companies and discovered that many fail to detect some of the most common attack techniques used by advanced persistent threat (APT) actors, including state-sponsored espionage groups and ransomware groups. The results indicate there’s room for improvement as state-of-the-art EDRs fail to prevent and log the bulk of the attacks.

Room to Improve EDR Tools

A detailed research paper published in the Journal of Cybersecurity and Privacy titled “An Empirical Assessment of Endpoint Detection and Response Systems Against Advanced Persistent Threats Attack Vectors” assesses EDR software, an evolution of the classic antivirus program that uses both static and dynamic analysis methods to detect malware. Additionally, the software monitors, collects, and aggregates data from endpoints to detect malicious behavior that relies on more stealthy techniques, such as abusing legitimate apps to launch attacks.

EDRs combine static file signature rules and advanced machine learning modules and are considered the most advanced security software. However, EDRs are not perfect. The research demonstrates how the EDRs from some of the largest companies fared in various simple attacks that simulate common advanced persisted threat kill chains. The work includes buying a mature expired domain to host malware payloads, securing the domain with a Let’s Encrypt SSL certificate, and hosting four types of files used in attacks:

  • A Windows Control panel shortcut file (.cpl)
  • A legitimate Microsoft Teams installer (that will load a malicious DDL)
  • An unsigned portable executable (EXE) file
  • An HTML application (HTA) file

Once the four files are executed, they abuse legitimate functions to load and run a Cobalt Strike Beacon backdoor. The purpose of the attack chain is that the four files and the Beacon backdoor are regular payloads sent to victims through spear-phishing email campaigns in which all EDRs are expected to detect, block, or alert security teams when deployed inside networks.

The researchers tested the attacks against EDR software from Bitdefender, Carbon Black, Check Point, Cisco, Comodo, CrowdStrike, Elastic, ESET, F-Secure, Fortinet, Kaspersky, McAfee, Microsoft, Panda Security, Sentinel One, Sophos, Symantec, and Trend Micro. The results are documented in the accompanying table:

EDR Test ResultsThe results indicate that none of the EDRs tested was fully covered for all attack vectors, which allowed threat actors to bypass a company’s defenses. The research teams argued that this leaves EDRs vulnerable to situations where threat operators can turn them off or disable their telemetry functions, blinding defenders to what might happen on an infected system and allowing threat actors to prepare further attacks on the local network.

What the research fails to evaluate is the resourcefulness of personnel charged with monitoring the networks equipped with these advanced EDR toolsets. Like all equipment, whether software or hardware, EDRs are prone to failure. The addition of a certified engineer continuously scrutinizing alerts identified and captured by the software exponentially enhances a network’s security posture. While humans are also prone to error, it is their expertise and experience, when working in coordination with a specialized and sophisticated EDR system, that protection against APTs is strongest.

With more advanced ransomware groups and threat actors using common attack methods to move through a network undetected, it’s important for companies to remain alert on the current threat landscape and improve their detection and response methods to prevent potential attacks. Even the most advanced and state-of-the-art endpoint detection and response software can fail to detect the most common attack techniques. Fortunately, at SpearTip, we specialize in incident response capabilities and handling ransomware threats with one of the fastest response times in the industry. Our certified engineers at our Security Operations Centers work in a continuous investigative cycle, ready to respond to any incident at a moment’s notice. SpearTip is able to respond to a breach within minutes of an engagement and reclaim your network within hours.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.



Connect With Us

Featured Articles

Cybersecurity Health Checks
Cybersecurity Health Checks: Why Companies Need Them
22 April 2024
New Loop DoS Attack
New Loop DoS Attack Affecting Linux Systems
19 April 2024
Possible Cyberattack
Possible Cyberattack During 2024 Summer Olympics
15 April 2024
Tabletop Exercises
Tabletop Exercises: Transformative Impact on Companies
12 April 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.