EDR Software ‘Easy to Bypass’ for Ransomware Operations

Endpoint detection and response (EDR) capability is widely touted as an essential part of defense against ransomware. Unfortunately, it doesn’t always work as well as planned.

Instead of scanning devices for known malicious code, EDR software watches for unusual activity that looks like a hacker trying to infiltrate a network, or for behavior that looks like the beginning of a ransomware attack, such as large numbers of files being encrypted or having their file extensions changed.

When it detects something like this, it alerts security staff. Many EDR offerings can also take automatic action to quarantine affected systems. But first they have to detect that something isn’t quite right.
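The behavioral rule described above can be sketched as a sliding-window count of extension-changing renames per process. This is an added illustration, not code from the article or from any EDR vendor; the event format, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

WINDOW_SECONDS = 10    # assumed sliding window
RENAME_THRESHOLD = 5   # assumed: distinct files per process within the window

# Constructed sample events: (timestamp_s, pid, old_path, new_path)
SAMPLE_EVENTS = (
    # pid 4120: six documents gain a new extension within three seconds
    [(100.0 + 0.5 * i, 4120, f"C:/Users/a/doc{i}.docx",
      f"C:/Users/a/doc{i}.docx.locked") for i in range(6)]
    # pid 300: bulk archive move, extensions unchanged
    + [(200.0 + 0.1 * i, 300, f"C:/in/f{i}.csv", f"C:/archive/f{i}.csv")
       for i in range(10)]
    # pid 880: editor saving via a temp file, twice, minutes apart
    + [(50.0, 880, "C:/Users/a/~report.tmp", "C:/Users/a/report.docx"),
       (400.0, 880, "C:/Users/a/~notes.tmp", "C:/Users/a/notes.docx")]
)

def detect_mass_extension_change(events, window=WINDOW_SECONDS,
                                 threshold=RENAME_THRESHOLD):
    """Return [(pid, first_alert_timestamp)] for every process that changes
    the extension of at least `threshold` distinct files within `window` s."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, original path)
    alerts = {}
    for ts, pid, old, new in sorted(events):
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        if old_ext == new_ext:
            continue              # plain rename or move, not an extension change
        q = recent[pid]
        q.append((ts, old))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        if pid not in alerts and len({p for _, p in q}) >= threshold:
            alerts[pid] = ts      # record only the first alert per process
    return sorted(alerts.items())

if __name__ == "__main__":
    for pid, ts in detect_mass_extension_change(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} at t={ts}: mass extension change")
```

Only the process that rewrites many extensions in a short burst is flagged; the bulk move and the editor's temp-file saves stay below the rule.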

Security researchers at SRLabs discovered that combining “two fairly basic bypass techniques” could fool “three widely used EDRs sold by Symantec, SentinelOne, and Microsoft.”

The presence of EDR does slow hackers down, though, as it takes about a week longer for a criminal organization to penetrate a large enterprise network than if no EDR was used. “Overall, EDRs are adding about 12% or one week of hacking effort when compromising a large corporation—judged from the typical execution time of a red team exercise,” says Karsten Nohl, one of the researchers behind the discovery.

While this is far from ideal, it’s not necessarily a catastrophe. Organizations shouldn’t be relying on any individual security product or feature as their sole defense against ransomware in the first place. Layering several different types of protection is the only realistic way to secure a network.

Expect vendors with EDR offerings to revamp their detection methods in response to this news. But in the interim, make sure that EDR isn’t your only line of defense, and that your backups are up-to-date and stored offline.
