Endpoint detection and response (EDR) capability is widely touted as an essential part of defense against ransomware. Unfortunately, it doesn’t always work as well as planned.
Rather than relying only on scanning devices for known malicious code, EDR software watches for unusual activity: signs that an attacker is trying to move through a network, or behavior that looks like the start of a ransomware attack, such as large numbers of files being encrypted or having their file extensions changed.
When it detects something like this, it alerts security staff. Many EDR offerings can also take automatic action to quarantine affected systems. But first they have to detect that something isn’t quite right.
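To make the behavioral approach concrete, here is an added example (not code from the article, from SRLabs, or from any EDR vendor) of a toy detector that scores file-system events per process. A sliding window counts writes and renames, renames that change the file extension, and writes whose content has the near-8-bits-per-byte entropy of ciphertext; when a threshold is crossed it fires a quarantine callback, standing in for the automatic isolation described above. The event format, the thresholds and the sample event stream are all constructed for illustration.

```python
"""Toy behavioural ransomware detector over a stream of file-system events.

Added example, not code from the article or from any EDR product. The event
format, thresholds and sample stream below are constructed; a real agent
consumes kernel-level file and process telemetry rather than a Python list.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib
import math
import os

WINDOW_SECONDS = 10.0        # sliding window, per process
MODIFY_THRESHOLD = 40        # writes + renames inside the window
EXT_CHANGE_THRESHOLD = 20    # renames that change the extension
HIGH_ENTROPY_THRESHOLD = 20  # writes whose content looks like ciphertext
HIGH_ENTROPY_BITS = 7.5      # bits/byte: text is ~4-5, encrypted data ~8


@dataclass
class Event:
    ts: float            # seconds
    pid: int
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # rename target
    data: bytes = b""    # sampled bytes of a write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for random/encrypted bytes, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class BehaviouralDetector:
    """Counts suspicious per-process file activity in a sliding window and calls
    quarantine(pid) once when any threshold is crossed."""

    def __init__(self, quarantine):
        self.quarantine = quarantine
        self.recent = defaultdict(deque)   # pid -> deque of (ts, kind)
        self.alerted = set()

    def observe(self, ev: Event):
        """Feed one event; returns the alert counts dict if this event triggers."""
        kinds = ["modify"]
        if ev.op == "rename" and os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
            kinds.append("extchange")
        if ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS:
            kinds.append("highentropy")
        q = self.recent[ev.pid]
        q.extend((ev.ts, k) for k in kinds)
        while q and q[0][0] < ev.ts - WINDOW_SECONDS:   # expire old entries
            q.popleft()
        counts = defaultdict(int)
        for _, k in q:
            counts[k] += 1
        if ev.pid not in self.alerted and (
            counts["modify"] >= MODIFY_THRESHOLD
            or counts["extchange"] >= EXT_CHANGE_THRESHOLD
            or counts["highentropy"] >= HIGH_ENTROPY_THRESHOLD
        ):
            self.alerted.add(ev.pid)
            self.quarantine(ev.pid)
            return dict(counts)
        return None


def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = b"", seed.to_bytes(4, "big")
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def sample_events():
    """Constructed stream: an editor saving text (pid 100) and a ransomware-like
    process encrypting 30 documents and renaming them to .locked (pid 200)."""
    events = []
    for i in range(5):
        events.append(Event(1.0 + i, 100, "write", f"/home/u/notes{i}.txt",
                            data=f"meeting notes {i}\n".encode() * 200))
    for i in range(30):
        doc = f"/home/u/docs/report{i}.docx"
        events.append(Event(2.0 + i * 0.1, 200, "write", doc, data=fake_ciphertext(i)))
        events.append(Event(2.05 + i * 0.1, 200, "rename", doc, new_path=doc + ".locked"))
    events.sort(key=lambda e: e.ts)
    return events


def run(events):
    """Returns ([(pid, counts), ...], [quarantined pids])."""
    quarantined = []
    det = BehaviouralDetector(quarantine=quarantined.append)
    alerts = []
    for ev in events:
        hit = det.observe(ev)
        if hit is not None:
            alerts.append((ev.pid, hit))
    return alerts, quarantined


if __name__ == "__main__":
    print(run(sample_events()))
```

Running it, the editor never trips anything, while pid 200 is quarantined on its twentieth high-entropy write, before the extension-change count reaches its own threshold. Two caveats a practitioner would raise: backup and compression tools also write high-entropy data in bulk, so real products weigh far more signals than this to keep false positives down; and the logic only scores what the sensor delivers, so an attacker who stays under the thresholds, spreads work across processes, or blinds the sensor itself gives it nothing to act on.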
Security researchers at SRLabs discovered that combining “two fairly basic bypass techniques” could fool “three widely used EDRs sold by Symantec, SentinelOne, and Microsoft.”
EDR does still slow attackers down: by the researchers' estimate, penetrating a large enterprise network takes about a week longer than it would without EDR in place. "Overall, EDRs are adding about 12% or one week of hacking effort when compromising a large corporation—judged from the typical execution time of a red team exercise," says Karsten Nohl, one of the researchers behind the discovery.
While this is far from ideal, it’s not necessarily a catastrophe. Organizations shouldn’t be relying on any individual security product or feature as their sole defense against ransomware in the first place. Layering several different types of protection is the only realistic way to secure a network.
Expect vendors with EDR offerings to revamp their detection methods in response to this news. In the interim, make sure that EDR isn't your only line of defense, that your backups are current and kept offline, out of reach of a compromised account, and that you have actually tested restoring from them.