Chris Swagler | January 6th, 2022

EDR + Human

A team of Greek academics tested endpoint detection and response (EDR) software from 18 top cybersecurity companies and discovered that many fail to detect some of the most common attack techniques used by advanced persistent threat (APT) actors, including state-sponsored espionage groups and ransomware groups. The results indicate there’s room for improvement as state-of-the-art EDRs fail to prevent and log the bulk of the attacks.

A detailed research paper published in the Journal of Cybersecurity and Privacy titled “An Empirical Assessment of Endpoint Detection and Response Systems Against Advanced Persistent Threats Attack Vectors” assesses EDR software, an evolution of the classic antivirus program that uses both static and dynamic analysis methods to detect malware. Additionally, the software monitors, collects, and aggregates data from endpoints to detect malicious behavior that relies on more stealthy techniques, such as abusing legitimate apps to launch attacks.

EDRs combine static file signature rules and advanced machine learning modules and are considered the most advanced security software. However, EDRs are not perfect. The research demonstrates how the EDRs from some of the largest companies fared against various simple attacks that simulate common advanced persistent threat kill chains. The work includes buying a mature expired domain to host malware payloads, securing the domain with a Let’s Encrypt SSL certificate, and hosting four types of files used in attacks:

Once executed, the four files abuse legitimate functions to load and run a Cobalt Strike Beacon backdoor. The point of the attack chain is that the four files and the Beacon backdoor are typical payloads delivered to victims through spear-phishing email campaigns, which every EDR deployed inside a network is expected to detect, block, or alert security teams about.

The researchers tested the attacks against EDR software from Bitdefender, Carbon Black, Check Point, Cisco, Comodo, CrowdStrike, Elastic, ESET, F-Secure, Fortinet, Kaspersky, McAfee, Microsoft, Panda Security, Sentinel One, Sophos, Symantec, and Trend Micro. The results are documented in the accompanying table:

[Figure: EDR Test Results]

The results indicate that none of the EDRs tested provided full coverage of all attack vectors, leaving gaps that allow threat actors to bypass a company’s defenses. The research team argued that this leaves EDRs vulnerable to situations where threat operators can turn them off or disable their telemetry functions, blinding defenders to what is happening on an infected system and allowing threat actors to prepare further attacks on the local network.

What the research does not evaluate is the resourcefulness of the personnel charged with monitoring the networks equipped with these advanced EDR toolsets. Like all equipment, whether software or hardware, EDRs are prone to failure. Adding a certified engineer who continuously scrutinizes the alerts identified and captured by the software greatly enhances a network’s security posture. While humans are also prone to error, it is when their expertise and experience are combined with a specialized and sophisticated EDR system that protection against APTs is strongest.

With more advanced ransomware groups and threat actors using common attack methods to move through a network undetected, it’s important for companies to remain alert to the current threat landscape and improve their detection and response methods to prevent potential attacks. Even the most advanced, state-of-the-art endpoint detection and response software can fail to detect the most common attack techniques. Fortunately, at SpearTip, we specialize in incident response capabilities and handling ransomware threats with one of the fastest response times in the industry. Our certified engineers at our Security Operations Centers work in a continuous investigative cycle, ready to respond to any incident at a moment’s notice. SpearTip is able to respond to a breach within minutes of an engagement and reclaim your network within hours.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.