Sponsored For the longest time it seemed that modern endpoint detection and response (EDR) was getting on top of the worst malware, only for that certainty to evaporate in a single day in June 2017 thanks to a strange malware event remembered as the NotPetya attack.
A lot of virtual ink has flowed on the origins of NotPetya but the most important aspect of its behaviour for anyone involved in endpoint defence EDR was the stunning speed with which it turned entire networks of computers into boxes uselessly pushing warm air. The word ‘fast’ gets bandied around a lot in malware incidents but for once this was no hyperbole, reportedly downing an entire Ukrainian bank in 45 seconds and a network running part of the country’s transit system in a third of that time.
That means the infection unfolded in roughly 15 seconds to less than a minute. As with the equally swift WannaCry infection which had encrypted at least 200,000 computers in 150 countries only weeks earlier, this was far faster than EDR systems of the time - and the teams fielding the alerts generated by them - could possibly react. Security Operations Centre (SoC) teams couldn’t even ask employees to turn their computers off.
What perished with WannaCry and NotPetya was the idea that methodical, manual review taking hours or days was any longer a viable defence strategy. A generation of commercial ransomware since then has only heightened the sense of crisis. Somehow, endpoint protection needs to detect and respond within seconds, not the old standard of minutes or hours.
But if not EDR, what then? The industry’s answer was more and better EDR, plus new options such as managed detection and response (MDR) and extended detection and response (XDR), which as its name suggests adds a wider range of data points to the detection mix.
The hitch is that ransomware hasn’t stood still in the last four years, reaching record levels in the second half of 2020 according to detections by security company Fortinet. Looking at the graphs published by the company in its 2H 2020 Global Threat Landscape Report, the spike to 17,000 detections per day during December looks more like a mass pile-on than the sinister, crafted ransomware campaigns defenders have come to expect. Self-evidently, the criminals believe ransomware works.
“It’s not just that data is stolen or inaccessible but that core systems become unavailable. Hospitals are unable to accept patients. This is not a financial impact, it’s human life we’re talking about,” points out Fortinet’s senior vice president of product marketing, David Finger. “It impacts critical infrastructure, manufacturing, the food supply chain. These are things we depend on.”
For Finger, the missing link for EDR in coping with this onslaught is the need for tools which don’t overwhelm and confuse IT teams. In the case of Fortinet’s FortiEDR, a big design goal was to make EDR easy to use for non-specialists. This sounds obvious but recent generations of tools were often deployed by specialists in areas such as forensics, the sort of skills that are expensive to hire. Rather than detect and alert, solutions today need to detect and contain.
“We’ve continued on this path, making EDR easy to use and more understandable. The industry has also offered these technologies as services such as MDR, which makes them accessible to anyone.”
Another EDR development was the realization that what happens on the endpoint isn’t the only battle. “The endpoint is the ultimate source of truth because that’s where the malware lands and runs. But how did it get there? Where else did it move? Who was patient zero?”
In FortiEDR’s case, enhanced XDR/EDR studies email activity, network traffic, and any unexplained use of credentials, or what’s going on in the cloud. If it spots something unusual, the system uses playbook routines to automate response while minimizing disruption.
This includes deleting malware files, temporarily isolating an endpoint from the network while this happens. Depending on the automation playbook used by the organisation, the next stage would be to roll back the endpoint to a previous safe state without having to take the computer offline for manual inspection.
Under the hood, detection involves technologies such as code tracing, which allows the system to monitor endpoint activity for small changes. It is this ability to watch and understand every system in terms of its code state that makes it possible to roll it back to a safe state.
“It’s almost a middle ground between prevention and detection versus response because we’re in a place to detect and defuse the activity rather than simply detect and manually carry out remediation. This is real-time containment,” says Finger.
It doesn’t, he stresses, remove the need for forensics but it puts the organisation ahead of the game. By the time a human becomes involved, a multitude of malware components will have been isolated from causing damage or from communicating with one another.
This level of EDR defence can be surprisingly granular, right down to blocking access to the filesystem, suspending outbound communication, and monitoring memory state for newer fileless attacks. It’s like a series of layers, the first of which monitors file and registry access for signs that might indicate encryption or exfiltration while looking for additional events that connect this to outbound communication. All of this is logged so that a bigger picture can be pieced together at higher levels should the state of that computer need further investigation.
This has come into sharper focus as ever more automation depends on AI, a technology that is now becoming part of the EDR and XDR arsenal.
“We all know that expertise is in short supply. FortiEDR has harnessed AI to carry out the alert triage that’s normally done by a security analyst.” However, Finger cautions that customers should carefully assess how rival vendors implement this, asking how they developed a model replicating the actions of a human analyst, and how they train the model over time.
A big challenge for all EDR vendors has been proving any of this works under real-world conditions. In 2018 MITRE (famous for its Enterprise ATT&CK framework) threw EDR and endpoint defence a lifeline when it launched the Engenuity ATT&CK evaluations, designed to test the effectiveness of cybersecurity products using an open methodology whose criteria customers could peer into for themselves (the organisation never interprets test results itself).
The concept behind Engenuity is to pit products against a threat that precisely mirrors a real one. This is done by modelling the techniques and tactics (TTPs) of known threat groups, for example FIN7 and Carbanak in the April 2021 tests.
This covers 20 attack stages in total, plus 170 sub-steps. With threat group profiles updated each year, it’s arguable that this is now the best anti-malware assessment framework ever devised short of real world conditions.
“The benefit of MITRE testing is it opens up the box and lets you see what a product does as well as how it does it,” agrees Finger. But the flipside of this depth is that the recent test focused on only two campaigns. In a real world of hundreds of TTP routines at least, this was a small sample set, he says.
A particular issue is that Engenuity is based on replaying representative campaigns, so tested products may have and use previous knowledge of the file or file family or TTP pattern. FortiEDR, by contrast, demonstrated its ability to block suspicious files based on their behaviour, not prior knowledge of their existence.
“One of the benefits of having a behavioral based system rather than based on patterns gleaned from threat intelligence is even if we’ve not seen the ransomware before, we know what ransomware-like activity looks like.”
Mass file encryption is the perfect example. “There are not many applications that legitimately encrypt multiple files at one time,” observes Finger.
The idea of monitoring the filesystem isn’t that big an innovation (Windows 10 claims to be able to do this, for instance) but the way FortiEDR does this job turns out to be a well of sophistication, using a routine to compare the entropy of a newly created file to an original copy. If the file has been encrypted, the difference between the two will stand out like a beacon without having to rely on filesystem hooks.
“That’s why we’re big fans of MITRE because unlike other testing that will just give you a score, it takes you under the covers to understand not only was something blocked but why was it blocked.”
It follows, then, that if a system can block one ransomware campaign based on behaver at the point it is encrypting files, it will be able to stop future ransomware campaign attempting the same thing in future, including unknown ones.
For too long, the problem with endpoint security has been the problem of black box security customers were asked to rely on without understanding how it worked or being able to measure its effectiveness against real-world threats.
However imperfectly, the Engenuity ATT&CK evaluations have the potential to demystify this realm. It only tests one part of a security system but it’s an important start. The next generation of EDR will be stronger for this.
This article is sponsored by Fortinet.