Organizations spend billions defending against easy-to-evade malware

Companies spend billions to protect themselves from easily circumvented malware. (Image: Getty Images/Aurich Lawson)

Last year, companies spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection designed to detect and block malware targeting devices connected to a network. EDRs, as they are commonly called, represent a new approach to malware detection. Static analysis, one of the two more traditional methods, looks for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code in a secure "sandbox" to analyze what it does and confirm it is safe before allowing it full access to the system.

EDRs, which are expected to generate $18 billion in revenue by 2031 and are sold by dozens of security companies, take an entirely different approach. Rather than analyzing the structure or execution of code in advance, EDRs monitor the behavior of code as it runs inside a machine or network. In theory, an EDR can stop a ransomware attack in progress by noticing that a process running on hundreds of machines has been encrypting files en masse over the last 15 minutes. Unlike static and dynamic analysis, an EDR is like a security guard that uses machine learning to keep tabs on activities inside a machine or network in real time.
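As an added illustration (not code from the article or from SRLabs), the fleet-wide pattern just described written as detection logic over constructed telemetry lines: a sliding 15-minute window of file writes per host and process, raised to an alert when the same process name is writing en masse on several hosts at once. The log format, the per-process threshold and the host threshold are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # the 15-minute window the article mentions
FILES_PER_PROCESS = 100    # assumed threshold for "encrypts files en masse"
MIN_HOSTS = 3              # assumed fleet threshold (the article speaks of hundreds of machines)

def parse_event(line):
    """Parse one constructed telemetry line: '<unix_ts> <host> <process> <action> <path>'."""
    ts, host, proc, action, path = line.split(maxsplit=4)
    return {"ts": int(ts), "host": host, "proc": proc, "action": action, "path": path}

class MassEncryptionDetector:
    """Sliding window of file-write timestamps per (host, process), checked fleet-wide."""
    def __init__(self, window=WINDOW_SECONDS, per_proc=FILES_PER_PROCESS, min_hosts=MIN_HOSTS):
        self.window, self.per_proc, self.min_hosts = window, per_proc, min_hosts
        self.writes = defaultdict(deque)   # (host, proc) -> timestamps still inside the window

    def feed(self, ev):
        """Record one event; return an alert dict when the fleet-wide pattern appears, else None."""
        if ev["action"] != "file_write":
            return None
        self.writes[(ev["host"], ev["proc"])].append(ev["ts"])
        bursting = set()
        for (host, proc), q in self.writes.items():
            if proc != ev["proc"]:
                continue
            while q and ev["ts"] - q[0] > self.window:   # expire writes older than the window
                q.popleft()
            if len(q) >= self.per_proc:
                bursting.add(host)
        if len(bursting) >= self.min_hosts:
            return {"process": ev["proc"], "hosts": sorted(bursting)}
        return None

def scan(lines):
    """Run the detector over telemetry lines in time order; return the first alert or None."""
    det = MassEncryptionDetector()
    for line in lines:
        alert = det.feed(parse_event(line))
        if alert:
            return alert
    return None

def constructed_sample(ransomware=True):
    """Constructed telemetry: light benign activity plus, optionally, one process name rewriting 120 files on each of three hosts within ten minutes."""
    lines = [f"{1700000000 + i * 30} host1 winword.exe file_write C:\\docs\\report{i}.docx" for i in range(5)]
    if ransomware:
        for h in ("host1", "host2", "host3"):
            lines += [f"{1700000100 + i * 5} {h} updater.exe file_write C:\\share\\file{i}.enc" for i in range(120)]
    return sorted(lines, key=lambda l: int(l.split()[0]))
```

Running `scan(constructed_sample())` returns the alert for `updater.exe` on all three hosts, while the benign-only sample produces none.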

Image credit: Nohl and Gimenez
Streamlined EDR evasion

Despite the buzz around EDRs, new research suggests that the protection they offer isn't that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate that EDR evasion adds only an additional week of development time to the typical infection of a large organizational network. Indeed, two fairly basic circumvention techniques, especially when combined, seem to work on most EDRs available in the industry.

"EDR evasion is well documented, but more of an art than a science," Karsten Nohl, chief scientist at SRLabs in Berlin, wrote in an email. "What's new is the idea that the combination of several well-known techniques produces malware that evades all of the EDRs we've tested. This allows the attacker to streamline their EDR evasion efforts."

Malicious and benign applications alike use code libraries to interact with the operating system kernel; to do so, the libraries make calls directly to the kernel. EDRs work by interrupting this normal flow of execution: instead of calling the kernel, the library first calls into the EDR, which collects information about the program and its behavior before passing the call on. To insert themselves into this flow, EDRs partially overwrite the libraries with additional code called "hooks".

Nohl and fellow SRLabs researcher Jorge Gimenez tested three widely used EDRs sold by Symantec, SentinelOne, and Microsoft, a sample that they say accurately represents offerings in the market as a whole. To the researchers' surprise, they found that all three were circumvented using one or both of the fairly simple evasion techniques.

The techniques target the hooks that EDRs rely on. The first method bypasses the hook function and instead makes system calls directly to the kernel. Although it succeeded against all three EDRs tested, this hook avoidance can itself arouse suspicion in some EDRs, so it's not foolproof.
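As an added illustration (not code from the article or from SRLabs), a small Python model of the flow described in the two paragraphs above: the EDR overwrites a library entry point with a hook that records telemetry before forwarding, and a kernel-side sensor with a caller-origin check shows why a call that skips the hook can still arouse suspicion. All class and function names are invented for the model, and nothing here touches a real kernel or a real EDR.

```python
import inspect

class Kernel:
    """Stand-in for the kernel entry point with a caller-origin check: on every call the
    stack is walked and the call is marked 'unhooked' when no registered EDR hook frame
    is on it (the analogue of checking that a system call came through the hooked library)."""
    def __init__(self):
        self.hook_codes = set()   # code objects the EDR registers as its hooks
        self.audit = []           # (operation, reached_via_hook) as seen from the kernel side

    def syscall(self, op, *args):
        via_hook = any(fi.frame.f_code in self.hook_codes for fi in inspect.stack())
        self.audit.append((op, via_hook))
        return f"{op} ok"

    def unhooked_calls(self):
        return [op for op, via_hook in self.audit if not via_hook]

class Library:
    """Stand-in for the user-mode library that applications call instead of the kernel."""
    def __init__(self, kernel):
        self.kernel = kernel

    def write_file(self, path, data):
        return self.kernel.syscall("write_file", path, len(data))

class Edr:
    """Overwrites the library entry point with a hook that records telemetry, then forwards."""
    def __init__(self, kernel):
        self.kernel, self.telemetry = kernel, []

    def install_hook(self, lib):
        original = lib.write_file

        def hooked_write_file(path, data):
            self.telemetry.append(("write_file", path))
            return original(path, data)

        self.kernel.hook_codes.add(hooked_write_file.__code__)
        lib.write_file = hooked_write_file   # the library now calls the EDR before the kernel

def demo():
    """One call through the hooked library and one straight to the kernel, as the first
    evasion technique does; returns (edr_telemetry, calls the kernel saw without a hook)."""
    kernel = Kernel()
    edr, lib = Edr(kernel), Library(kernel)
    edr.install_hook(lib)
    lib.write_file("C:\\docs\\a.txt", b"hello")          # normal path: library -> hook -> kernel
    kernel.syscall("write_file", "C:\\docs\\b.txt", 5)   # direct path: the user-mode hook never sees it
    return edr.telemetry, kernel.unhooked_calls()
```

The user-mode hook records only the first write; the second is invisible to it but shows up in the kernel-side audit as a call with no hook on its stack, which is the kind of signal the article says can make the bypass look suspicious.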
