Last year, organizations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they’re commonly called, represent a newer approach to malware detection. Static analysis, one of the two more traditional methods, examines the contents of a file itself for suspicious traits without running it. Dynamic analysis, the other established method, runs untrusted code inside a secured “sandbox” and observes what it does, to confirm it’s safe before allowing it full system access.
EDRs, which are forecast to generate revenue of $18 billion by 2031 and are sold by dozens of security companies, take an entirely different approach. Rather than analyze the structure or execution of the code ahead of time, EDRs monitor the code’s behavior as it runs on a machine or network. In theory, they can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analysis, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.
Streamlining EDR evasion
Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn’t all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organizational network. That’s because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.
“EDR evasion is well-documented, but more as a craft than a science,” Karsten Nohl, chief scientist at Berlin-based SRLabs, wrote in an email. “What’s new is the insight that combining several well-known techniques yields malware that evades all EDRs that we tested. This allows the hacker to streamline their EDR evasion efforts.”
Both malicious and benign apps use system code libraries to interact with the OS kernel (on Windows, it is ntdll.dll that ultimately issues the system call). In normal operation the library function makes the call directly to the kernel. EDRs work by interrupting this normal execution flow: they load their own code into each process and partly overwrite the library functions with additional instructions known as “hooks,” typically a jump placed over the first bytes of the function. Instead of reaching the kernel directly, the library function first transfers control to the EDR, which collects information about the program, the call, and its arguments before letting the call continue.
Nohl and fellow SRLabs researcher Jorge Gimenez tested three widely used EDRs sold by Symantec, SentinelOne, and Microsoft, a sampling they believe fairly represents the offerings in the market as a whole. To the researchers’ surprise, they found that all three were bypassed by using one or both of two fairly simple evasion techniques.
The techniques take aim at the hooks the EDRs use. The first method, direct system calls, goes around the hooked library function entirely: the malware determines the system call number itself and executes the syscall instruction from its own code, so the hook is never run. While successful against all three EDRs tested, this hook avoidance has the potential to arouse the suspicion of some EDRs, because the system call then originates from memory outside the system library where it normally would, so it’s not foolproof.
The second technique, indirect system calls, also worked against all three EDRs when implemented in a dynamic link library file. Rather than running the hooked functions from the start, the malware sets up the call itself and then uses only a fragment of the library function, jumping past the hook to the unhooked syscall instruction inside it, so the call still appears to come from the library and the hook is never triggered. (A third technique, unhooking, which restores the original code of the hooked functions, worked against one EDR but was too suspicious to fool the other two test subjects.)
In a lab, the researchers packed two commonly used pieces of malware—one called Cobalt Strike and the other Sliver—inside both an .exe and a .dll file using each bypass technique. One of the EDRs—the researchers aren’t identifying which one—failed to detect any of the samples. The other two EDRs failed to detect the samples that came from the .dll file, whichever of the two techniques it used. For good measure, the researchers also tested a common antivirus solution.
The researchers estimated that the typical baseline time required for the malware compromise of a major corporate or organizational network is about eight weeks for a team of four experts. While EDR evasion is believed to slow the process, the revelation that two relatively simple techniques can reliably bypass this protection means that malware developers may not need as much additional work as some might believe.
“Overall, EDRs are adding about 12 percent or one week of hacking effort when compromising a large corporation—judged from the typical execution time of a red team exercise,” Nohl wrote.
The researchers presented their findings last week at the Hack in the Box security conference in Singapore. Nohl said EDR makers should focus on detecting malicious behavior more generically rather than triggering only on the specific behavior of the most popular hacking tools, such as Cobalt Strike. This focus on the signatures of particular tools makes EDR evasion “too easy for hackers using more bespoke tooling,” Nohl wrote.
“Complementary to better EDRs on endpoints, we still see potential in dynamic analysis within sandboxes,” he added. “These can run in the cloud or attached to email gateways or web proxies and filter out malware before it even reaches the endpoint.”