An increase in hacking activity over the past few years has driven the development of a powerful type of tool from companies such as CrowdStrike Holdings Inc. and Microsoft Corp., one that is proving to be a boon for the cybersecurity industry.
The software is called endpoint detection and response software, and it's designed to detect early signs of malicious activity on laptops, servers, and other devices - called "endpoints" on a computer network - and block them before intruders have a chance to steal data or lock it up.
Nonetheless, experts say hackers have found ways around some forms of the technology, allowing them to slip past products that have emerged as the gold standard for protecting critical systems.
According to Tyler McLellan, a principal threat analyst at Mandiant, which is part of Alphabet Inc.'s Google Cloud division, the company has investigated 84 incidents over the past two years in which EDR or other types of endpoint security software were tampered with or disabled.
The findings represent the latest evolution of a cat-and-mouse game that has played out for decades as hackers have adapted their techniques to overpower the newest cybersecurity protections, according to Mark Curphey, a former senior executive at McAfee and Microsoft and now a cybersecurity entrepreneur in the UK.
“Attaining access to all the systems that use security protection tools is nothing new,” he pointed out, adding that “if successful, the prize is access to all the systems that use those tools, and by definition, those systems are worth protecting.”
Researchers from a number of cybersecurity firms have reported that the number of attacks involving EDR bypassing or disabling had declined in earlier years but has grown in recent years, with hackers getting more resourceful in finding ways to circumvent the stronger protections provided by EDR.
Microsoft recently disclosed in a blog post that hackers had fooled the company into applying its seal of authenticity to malware that was then used on victim networks to disable the company's EDR and other security tools. Microsoft has suspended the three third-party developer accounts involved in the ruse. The company said it is working on a long-term solution to address these deceptive practices and prevent future customer issues.
This year, Arctic Wolf Networks released a report on a case it investigated in which hackers working for the Lorenz ransomware group were initially thwarted by the victim's endpoint security late last year. In response, the hackers regrouped and deployed a free digital forensics tool that allowed them to access the computer's memory directly, bypassing the EDR and deploying their ransomware successfully, the company said. Arctic Wolf did not identify the victim or the affected EDR product.
The UK-based company Sophos Group reported in April that it had discovered a new piece of malware that was being used to disable the EDR tools from Microsoft, Sophos Group itself as well as several other companies before deploying Lockbit and Medusa Locker ransomware infections. "The use of EDR bypass and the disabling of security software is clearly a tactic that is on the rise," according to Christopher Budd, senior manager of threat research at Intel Security. "It is especially difficult to detect this kind of attack since it targets the very tools that are used in the detection and prevention of cyber-attacks due to the nature of the attack."
IDC estimates that the market for EDR and other new endpoint security technologies grew 27% to reach $8.6 billion worldwide last year, led by CrowdStrike and Microsoft.
CrowdStrike's senior vice president of intelligence, Adam Meyers, said that the increasing number of attacks on EDR software indicates that hackers "have been evolving." CrowdStrike has noted that many of the attacks it has tracked – against its products and those of competitors – involve misconfigurations of client systems or vulnerabilities within the software or firmware of the products, which is a sign that hackers are working harder to get into target networks.
"I think this is a race to the bottom of the stack," Meyers said. "At this point, we are trying to go lower and lower and closer and closer to the hardware, and the closer and closer we get to the hardware, the harder it is to stop an attack."
The Microsoft representative who was contacted for this article declined to comment.
A decade ago, the makers of antivirus software were the largest suppliers of security products for PCs and other endpoints. Their popularity has declined as increasingly sophisticated attacks have exposed the weakness of technologies that depend on analysts manually creating digital signatures of new malware strains in order to block them, according to cybersecurity experts.
The rise of ransomware and other destructive attacks in recent years has spurred demand for EDR and similar technologies aimed at detecting and blocking infections at an earlier stage. These tools can detect more signs of malicious activity and automate many of the time-consuming tasks involved in investigating and resolving breaches.
In a previously unreported incident, Copenhagen, Denmark-based CSIS Security Group investigated a breach of a European manufacturing company that was discovered in October.
According to Jan Kaastrup, the chief innovation officer for CSIS, who oversaw the investigation, the hackers exploited a previously unknown vulnerability in Microsoft's EDR and packaged the malware in such a way that the security tool detected it. The victim's IT team received an alert saying the attack had been blocked, which looked like a sign that it had been thwarted. Yet the hackers were not stopped and were able to roam the network for three weeks without being detected, he said.
The victim notified the Danish security firm of the breach after spotting data being sent out of its corporate network. Kaastrup declined to identify the victim but allowed Bloomberg to review an anonymized copy of the incident report. The firm notified Microsoft about the issue; Microsoft declined to comment on it to Bloomberg.
There is one lesson to be learned from the recent incidents, he says: technology can only do so much against hackers who are determined to succeed.
"In addition to the software, you need eyes on the screen combined with technology to ensure that security is maintained," he said. "Compared to antivirus software, EDR is a much better solution. It is a given that you will need it for sure. Despite what some people think, it is not a silver bullet in the sense that some claim it to be."