Post thumbnail

Endpoint – Where the Interesting Stuff Takes Place

The endpoint has always been the ultimate attackers’ playground where their skills are put to the best testing. Discovering new exploitable vulnerabilities, finding creative ways to manipulate processes without getting discovered by AV and other advanced prevention products, scraping credentials from memory… there’s nothing like owning the endpoint.

EDR – the Category Built with Advanced Attackers in Mind

2012 was a turning point year where endpoint protection started to capture the attention of the security industry. Until then, there were just signature-based AV solutions and we all know what that means…

Well, it was too good to last long. Eventually the awakening arrived and protecting the endpoint became the hottest place in the advanced protection town. The most impactful result of this realization was the Endpoint Detection and Response category which pioneered the ‘assumed breach’ concept – attackers will ultimately find their way inside so instead of blindingly relying on prevention measures let’s create a technology that specializes at detecting the bad guys once they are inside.

How? Each vendor had its secret sauce but roughly speaking, all EDR solutions operate under the (correct) assumption that malicious activity entails anomalies that do not otherwise occur. Hence mapping these anomalies common denominators can render a powerful tool to unveil the presence of attackers that successfully bypassed the perimeter and endpoint protection means.

And EDR actually did a good job. Today organizations possess detection, investigation and remediation capabilities that far surpass those from five years ago, forcing attackers to strain themselves if wanting to operate under the radar until completing their goals. Indeed, I can definitely say that the lives of my “fellow” hackers became harder.

But unfortunately, not enough.

The Dark Side of EDR

Quite ironically, the industry has shifted from one extremity (assuming that signature-based AV is enough) to another – assuming that endpoint based protection equals breach protection, which is equally far from the truth.

To understand why that is, we need to make a little trip under the attacker’s hood. The advanced attacks – and remember that these are the attacks against which EDR was developed in the first place – involve multiple stages from the initial compromise until the malicious task completion. The most prominent of them are privilege escalation, credential theft, lateral movement, data access and data exfiltration. Getting an initial foothold in the endpoint is just the beginning.

Now, let’s have a short EDR recap. Remember I’ve said that EDR detect malicious presence via the anomalies it generates? Well that’s only partly true. The more precise description is that EDR identifies anomalies of a certain types – the ones that manifest in unusual process execution.

Make no mistake, these are a significant part of the attacker’s toolkit, but still they are not the only ones. And basically, every stage in advanced attacks – credential theft, lateral movement or data exfiltration – can be fully executed without triggering any process execution anomalies.

That is not to say that there wouldn’t be any anomalies in these cases – there definitely are. But they are anomalies in network traffic and user behavior. Two tremendously important attack surfaces that EDR don’t deal with at all.

EDR Missing Links – Network Traffic and User Behavior

Let’s be more concrete and illustrate with an actual example.

Suppose I’m and attacker, and I’ve successfully compromised an endpoint. It’s a nice start, but the chances are slim that this random endpoint contains the sensitive data I’m after. So, I start looking for user account credentials – preferably high privileged ones – with which I can access additional machines on the targeted environment.

I can do that by attempting to dump password hashes from memory (there are various open source tools to that like Mimikatz and other). This entails a process anomaly and thus would be either prevented or detected by all common EDR solutions.

However, if as an attacker I know that there is an EDR in place, I can take an alternative root and harvest the same hashes from the network traffic with a LLNMR\NetBIOS attack.  In this case, the anomaly would occur only in the network traffic but will leave no trace in process execution.

There are dozens of examples like that across all parts of the advanced attack lifecycle. So, the way I see it, EDR narrows the range of tools attackers can use but still leaves many critical ones unattended. To summarize – endpoint detection and response is great, but to get something really powerful you have to go beyond just the endpoint

Cynet 360  – The Next Generation of EDR

The logical step for EDR is to expand the Detection and Response part  – the ‘DR’ if you will – over network traffic and user behavior as well. This was the vision that inspired us in creating Cynet 360.

We thought – if we want to create something that can really count as the next generation of EDR, it should continuously monitor processes, network traffic and user activity, providing full coverage of the attack vectors that are used in today’s advanced attacks.

This means essentially all the capabilities of an EDR, expanded and integrated with User Behavior Analytics and Network Analytics – users, network and endpoint protection in a single platform.

Being already in the motion of creating cool stuff, we continued to think what other capabilities make sense to be included on this new next-gen platform – deception was a natural fit. There’s nothing more annoying for attackers than decoy nodes or assets…

So, we implemented a robust deception layer that enables operators to plant decoy nodes, data files, passwords, network shares, etc. and deceive attackers into luring their presence.

See All Activity, Protect Against All Threats

But the true power is not just incremental value of process-based threats plus network-based threat plus user-based threats. The more advanced the attacker is, the better he is at concealing his presence and activity. So there are many attacks that are invisible if you only look at processes or traffic or user behavior. It’s only by joining these signals together to form a context that you can identify that there’s something malicious going on. Cynet 360 automates the creation of this context to unveil multiple threats that are invisible without integrated visibility into all process, network and user activity.

No protection is one hundred percent bulletproof, but you must have guards across all the main roads. Can attackers bypass them? I guess the answer is yes, if they are skilled, determined and resourceful enough. But if you monitor all the main anomaly paths, it would force them to work really hard – more than most of them would want to.

EDR was an amazing step in making organizations more secure but by is not enough for sound breach protection by itself. Cynet 360 is the next generation, taking all the good EDR has and complementing it with network and user protection to truly defend the entire environment.