Endpoint/Device Security

Here’s how cybercriminals bypass EDR – and why security teams need a defense-in-depth approach


Endpoint detection and response (EDR) represents a newer, more robust approach to detecting malicious activities on endpoints, such as laptops, mobile phones, and IoT devices. Yet, even with all its benefits compared to traditional antivirus software, recent cyberattacks prove that EDR products cannot stand in the way of sophisticated and determined cybercriminals.

A recent study found that almost none of the 26 EDR solutions evaluated could prevent all bypass techniques. Here’s how cybercriminals manage to bypass most EDRs available in the market today:

  • Evasion techniques: After gaining initial access, threat actors naturally search for security tools and processes installed on the compromised device to avoid getting caught. They can then use several different methods to evade detection. For instance, they often inject malicious code into legitimate applications or use code obfuscation to avoid triggering EDRs. The infamous Carbanak Group (FIN7), managed to pull off one of the biggest banking heists in history using a blend of these evasion techniques. Such evasion techniques are also a big part of several open-source frameworks, primarily intended for offensive security operations. Unfortunately, cybercriminals and advanced persistent threat (APT) groups can access them just as easily as cybersecurity teams. Recently, BlackByte, a notorious ransomware threat group, used evasion techniques from the open-source EDRSandblast toolbox and rendered several EDR products useless. Darknet worsens the situation as threat actors share information and evasion techniques among each other. Researchers discovered ties between Carbanak and Black Basta ransomware groups through similarities in their custom EDR evasion techniques. Exploit kits are also available for purchase in the cybercrime underground, offering amateur criminals access to complex EDR bypass techniques.
  • Privilege escalation: In a local privilege escalation attack, a threat actor exploits a vulnerability in a system or an application to gain administrative privileges on a device. With elevated privileges, attackers can simply disable endpoint security solutions, install backdoors, and perform malicious activities without triggering EDR alerts. Like any piece of software, EDRs are not vulnerability-proof. Since EDRs require admin privileges to operate and protect the device, APTs can exploit those vulnerabilities to escalate privileges and gain control over the device. In that sense, EDRs also add to organizations’ already massive attack surface. Ironically, researchers discovered one such vulnerability in the “Tamper Protection” feature of Windows Defender. It could potentially grant attackers with system-level privileges on the compromised system, allowing them to freely tamper with the device’s security settings. The vulnerability has since been patched, but that does not guarantee that more cannot surface in the future.
  • Supply chain attacks: Attackers also bypass EDR by compromising a trusted software vendor and using its software to access a target system. Since the software comes from a trusted source, it can potentially evade security solutions like EDR. It’s called a supply chain attack. APTs often combine it with other evasion techniques to stay under the radar. One of the most high-profile supply chain attacks to date, the Sunburst attack, involved the compromise of the SolarWinds Orion software. For months, attackers managed to evade sophisticated EDR solutions at thousands of SolarWinds customer sites, including those at U.S. government agencies. More recently, the Codecov attack leveraged the same technique to remain undetected for weeks despite affecting several high-profile companies.
  • Blind spots and alert fatigue: EDR products are often limited to the endpoints they are installed on. Lack of network-wide visibility and context awareness can create blindspots. EDR tools need additional information, (such as threat intelligence feeds and network traffic analysis) from other security controls to get a bird’s eye view of operations. On the burnout front, EDRs generate large volumes of data, including many false-positives. Sifting through all of it requires considerable effort, making it difficult for security teams to identify and respond to threats in a timely way.

Adopt a multi-layered, defense-in-depth approach

EDR shortcomings do not imply that they are no longer effective. Modern-day cyberattacks are remarkably sophisticated and multi-pronged. Organizations, too, need multi-layered defense mechanisms. They need to adopt a defense-in-depth approach, ensuring that all security layers operate in a coordinated manner to offer maximum coverage. By implementing multi-tiered security infrastructure that also includes identity and access management (IAM), secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero-trust network access (ZTNA) – all native secure access service edge (SASE) components – organizations can create a robust defense that can identify and respond to threats at different levels of the IT stack.

Organizations also need to correlate networking and security data to create contextual and situational awareness within modern security tools. However, this requires breaking the silos and integrating networking and security functions, much like in SASE architectures. Additionally, organizations must stay up-to-date with the latest threats and evasion tactics and continuously reassess their security posture to stay ahead of the curve. By taking these proactive measures, organizations can better protect their valuable assets and maintain their reputation in the face of an ever-evolving threat landscape.

Etay Maor, senior director, security strategy, Cato Networks

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.