Last year, organizations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware that targets networked devices. EDRs, as they are commonly called, take a new approach to malware detection. Static analysis, one of the two more traditional methods, looks for suspicious signs in the DNA of the file itself. Dynamic analysis, the other established method, runs untrusted code inside a secure "sandbox" and watches what it does to confirm it is safe before allowing it access to the full system.
EDRs, which are projected to generate $18 billion in revenue by 2031 and are sold by dozens of security companies, take a completely different approach. Rather than analyzing the structure or execution of code in advance, EDRs monitor the code's behavior as it runs on a machine or network. In theory, an EDR can stop a ransomware attack in progress by detecting that a process running on hundreds of machines has encrypted files en masse in the last 15 minutes. Unlike static and dynamic analysis, an EDR acts like a security guard, using machine learning to track activity within a machine or network in real time.
Simplifying EDR evasion
Despite the hype surrounding EDRs, new research shows that the protection they provide isn't too hard for experienced malware developers to bypass. In fact, the researchers behind the study estimate that EDR evasion adds just one extra week of development time to a typical compromise of a large organizational network. This is because two fairly basic bypass techniques, especially when combined, appear to work against most EDRs on the market.
“EDR evasion is well documented, but is more art than science,” said Karsten Nohl, chief scientist at Berlin-based SRLabs, in an email. “What’s new is that a combination of several well-known techniques yields malware that evades all of the EDRs we’ve tested. This allows a hacker to facilitate EDR evasion efforts.”
Both malware and legitimate applications use code libraries to interact with the OS kernel. To do this, the libraries call the kernel directly. EDRs work by interrupting this normal execution flow: instead of calling the kernel, the library first calls the EDR, which collects information about the application and its behavior. To interrupt the flow, EDRs partially overwrite the libraries with additional code known as "hooks." (On Windows, these hooks typically sit at the very start of the system-call stubs in ntdll.dll and redirect execution into the EDR's own DLL before the real system call is made.)
Nohl and SRLabs researcher Jorge Gimenez tested three widely used EDRs sold by Symantec, SentinelOne and Microsoft, which they believe fairly represent the offerings on the market as a whole. To the researchers' surprise, they found that all three could be bypassed using one or both of two simple evasion methods.
Both techniques target the hooks the EDRs rely on. The first avoids the hooked library function altogether and makes direct kernel system calls instead. Although it succeeded against all three EDRs tested, skipping the hooked functions entirely can itself look suspicious to some EDRs, so it is not foolproof.
The second technique, when implemented in a dynamic link library (.dll) file, also worked against all three EDRs. It uses only fragments of the hooked functions so that the hooks are never triggered; to do this, the malware makes indirect system calls. (A third technique, which involves unhooking the functions, worked against one EDR but was too conspicuous to fool the other two test subjects.)
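The two bypasses above both start from the same observation about the hooked library: on x64 Windows every Nt* stub in ntdll.dll begins with `mov r10, rcx; mov eax, SSN` (the system service number), followed a few bytes later by the `syscall; ret` fragment, and an inline hook overwrites those first bytes with a jump into the EDR. The following C program is an added example, not code from the SRLabs research or from any EDR vendor: it parses the first bytes of such stubs to (1) tell a hooked stub from a clean one, which is the check a defender uses to verify its hooks are intact and the check malware uses to decide what to avoid; (2) locate the `syscall; ret` fragment that an indirect syscall jumps to instead of executing the hooked prologue; and (3) recover the SSN of a hooked stub from its unhooked neighbours (the approach often called "Halo's Gate", a name not used on this page), which is what a direct syscall needs. The stub bytes, the hook's jump target and the SSN values 0x17 to 0x19 are all constructed for the example; real SSNs change between Windows builds, and actually issuing the recovered system call requires Windows plus an assembly stub that is deliberately not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classification of an x64 ntdll Nt* stub prologue. */
typedef enum { STUB_CLEAN = 0, STUB_HOOKED = 1, STUB_UNKNOWN = 2 } stub_state;

typedef struct {
    const char    *name;   /* label for display only */
    const uint8_t *bytes;  /* first bytes of the function body */
    size_t         len;
} stub_t;

/* Unhooked x64 stub begins: mov r10, rcx (4C 8B D1); mov eax, SSN (B8 imm32).
   An inline hook replaces that with jmp rel32 (E9) or jmp [rip+disp] (FF 25). */
stub_state classify_stub(const stub_t *s, uint32_t *ssn)
{
    if (s->len >= 8 && s->bytes[0] == 0x4C && s->bytes[1] == 0x8B &&
        s->bytes[2] == 0xD1 && s->bytes[3] == 0xB8) {
        if (ssn)
            *ssn = (uint32_t)s->bytes[4] | ((uint32_t)s->bytes[5] << 8) |
                   ((uint32_t)s->bytes[6] << 16) | ((uint32_t)s->bytes[7] << 24);
        return STUB_CLEAN;
    }
    if (s->len >= 5 &&
        (s->bytes[0] == 0xE9 || (s->bytes[0] == 0xFF && s->bytes[1] == 0x25)))
        return STUB_HOOKED;
    return STUB_UNKNOWN;   /* some other patch, or not a syscall stub at all */
}

/* Offset of the "syscall; ret" fragment (0F 05 C3) inside the stub, or -1.
   An indirect syscall sets eax/r10 itself and jumps here, never touching the hook. */
long find_syscall_gadget(const stub_t *s)
{
    for (size_t i = 0; i + 2 < s->len; i++)
        if (s->bytes[i] == 0x0F && s->bytes[i + 1] == 0x05 && s->bytes[i + 2] == 0xC3)
            return (long)i;
    return -1;
}

/* Recover the SSN of stubs[idx] even when its prologue is hooked: ntdll lays the
   Nt* stubs out in SSN order, so the nearest clean neighbour at distance d has
   SSN -/+ d.  Returns 0 on success, -1 if no clean neighbour exists. */
int recover_ssn(const stub_t *stubs, size_t count, size_t idx, uint32_t *ssn)
{
    uint32_t n;
    if (classify_stub(&stubs[idx], &n) == STUB_CLEAN) { *ssn = n; return 0; }
    for (size_t d = 1; d < count; d++) {
        if (idx >= d && classify_stub(&stubs[idx - d], &n) == STUB_CLEAN) {
            *ssn = n + (uint32_t)d; return 0;
        }
        if (idx + d < count && classify_stub(&stubs[idx + d], &n) == STUB_CLEAN) {
            *ssn = n - (uint32_t)d; return 0;
        }
    }
    return -1;
}

/* Constructed sample: three adjacent stubs in the Windows 10 x64 layout
   (mov r10,rcx; mov eax,SSN; test byte ptr [7FFE0308h],1; jne; syscall; ret; int 2Eh; ret).
   The middle one has been hooked with a 5-byte jmp whose rel32 target is made up. */
static const uint8_t STUB_A[] = {
    0x4C,0x8B,0xD1, 0xB8,0x17,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
static const uint8_t STUB_B_HOOKED[] = {
    0xE9,0x12,0x34,0x56,0x00, 0x00,0x00,0x00,  0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
static const uint8_t STUB_C[] = {
    0x4C,0x8B,0xD1, 0xB8,0x19,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };

const stub_t SAMPLE_STUBS[] = {
    { "StubA", STUB_A,        sizeof(STUB_A) },
    { "StubB", STUB_B_HOOKED, sizeof(STUB_B_HOOKED) },
    { "StubC", STUB_C,        sizeof(STUB_C) },
};
#define SAMPLE_COUNT (sizeof(SAMPLE_STUBS) / sizeof(SAMPLE_STUBS[0]))

/* Recovered SSN of sample stub idx, or UINT32_MAX if it cannot be recovered. */
uint32_t sample_ssn(size_t idx)
{
    uint32_t ssn;
    if (idx >= SAMPLE_COUNT || recover_ssn(SAMPLE_STUBS, SAMPLE_COUNT, idx, &ssn) != 0)
        return UINT32_MAX;
    return ssn;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        stub_state st = classify_stub(&SAMPLE_STUBS[i], NULL);
        printf("%s: %s, SSN 0x%02X, syscall;ret at +%ld\n", SAMPLE_STUBS[i].name,
               st == STUB_HOOKED ? "HOOKED" : st == STUB_CLEAN ? "clean" : "unknown",
               sample_ssn(i), find_syscall_gadget(&SAMPLE_STUBS[i]));
    }
    return 0;
}
```

Running it reports StubB as hooked but still yields its SSN (0x18) from StubA, and the same `+18` gadget offset for all three, which is exactly why a hook on the prologue alone does not stop either bypass. The defensive reading is the same code with the roles swapped: an EDR that periodically re-checks that its own hooks are still in place, and that watches for `syscall` instructions executed from outside ntdll's text section, is looking for precisely the artifacts these two techniques leave behind.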
In the lab, the researchers used each bypass technique to embed two commonly used pieces of malware, the Cobalt Strike and Sliver command-and-control frameworks, into both .exe and .dll files. One of the EDRs (the researchers did not specify which) failed to detect any of the samples. The other two EDRs failed to detect the samples delivered as a .dll file with either technique. For good measure, the researchers also tested a generic antivirus solution.
The researchers estimated the time typically required for a team of four experts to compromise a large corporate or organizational network with malware at about eight weeks. While EDR evasion is believed to slow that process down, the finding that two relatively simple techniques can reliably bypass this protection means that malware developers may not need as much extra work as some think.
Nohl wrote: “Overall, EDRs add about 12 percent or a week to the hacking effort when a large corporation is compromised—depending on the typical execution time of a red team exercise.”
The researchers presented their findings at the Hack in the Box security conference in Singapore last week. Nohl said EDR makers should focus on detecting malicious behavior more generally, rather than just flagging the specific behavior of the most popular hacking tools, such as Cobalt Strike. That narrow focus makes EDR evasion "too easy for hackers using more bespoke tools," Nohl wrote.
“In addition to better EDRs on endpoints, we still see potential in dynamic analysis within sandboxes,” he said. “These can run in the cloud or connect to email gateways or web proxies and filter malware before it reaches the endpoint.”