Endpoint detection and response: The path to security maturity starts with visibility

By Rene Holt
Looking to set off on the right foot with endpoint detection and response? Prioritize visibility into your systems.

For organizations considering adoption of an endpoint detection and response (EDR) solution, MITRE Engenuity’s most recent ATT&CK® Evaluation provides a singular glimpse into how a prospective EDR tool stands in the face of sophisticated threats. The work of the MITRE Engenuity team particularly shines in how thoroughly it emulates the documented tactics and techniques employed by the most sophisticated of adversaries – advanced persistent threat (APT) groups.

While turning the spotlight on the techniques used by APT groups certainly makes sense for the security strategy of some organizations, taking full advantage of this insight requires a level of maturity – or sufficiently trained, in-house IT staff specifically dedicated to this task – that not many organizations have, or are ready for. The tough reality for most organizations is that they may have only one or two IT administrators … and they are managing security part time, along with their many other responsibilities. This can make an evaluation that concentrates on APT groups somewhat of a tight focus for organizations without such highly trained security staff.

However, as APT groups find their easiest targets among unprepared organizations, the emulated techniques speak to the gamut of security practices – from basic configurations and policies all the way to advanced fine-tuning and optimization – that should be in place to protect against even the most common threats. Such organizations may discover when first using EDR that security practice falls short of industry standards. In this way – starting with catching up on their security – the ATT&CK Evaluations and EDR can provide actionable insight even to less mature organizations.

A robust EDR solution starts with visibility into endpoints

Leveraging EDR for improved security is not an add-on that you just tack on to your existing systems. EDR builds directly on endpoint security because it relies on it for both visibility and basic protection. The low-level events that an endpoint security product monitors are included in those that an EDR tool also analyzes and presents to a security defender.

Where EDR differs from endpoint security is in the level of visibility into the analytic logic running behind the scenes. For endpoint security products, this is more or less a closed book. Yes, IT administrators should have a number of configuration options either to increase the detection sensitivity if they are more risk averse, or to create exceptions suited to their particular environments. But the detection technologies themselves employ proprietary knowledge and ask for your trust to analyze events and make the protection decisions.

With EDR, ESET’s philosophy is to make its analytic logic an open book. The built-in rule set applied to collected events is open to the purview of security defenders so that they can take an active role in manually analyzing those events and participate in the decisions about what constitutes a threat and what does not. The key action that should characterize an EDR solution, as well as endpoint security software, is to grant a balanced and focused view into the security state of your environment that can best inform your protection decisions.

Designing an endpoint protection platform is a balancing act

Security has a strong dependence on visibility, but this dependence is not indiscriminate. Designing an endpoint security product that scans everything all the time or an EDR solution that alerts on everything works directly against usability, performance, efficiency, and other goals that a security product should have. The most effective security solutions must certainly monitor a ton of low-level events happening on endpoints, but not without prioritization.

Careful design decisions have to be made about which application programming interfaces (APIs) to monitor, what behaviors are considered suspicious or outright malicious, when the threshold for a suspicious chain of events has been reached and it should no longer be allowed to continue, how to avoid false positives, where to minimize impacts on performance, and so on. These choices directly impact which layers of protection a product offers, what kinds of detection technology are used at each layer, and, ultimately, when malicious activity will eventually be flagged and stopped in its tracks.

When designing an EDR rule set, you could monitor all events on an endpoint – at least, all those visible to the endpoint security software deployed on it – but that would not only overload your EDR events database with an avalanche of data, but it would also fail to prioritize events that are likely indications of an attack that security defenders should investigate.

Testing endpoint protection in the Carbanak and FIN7 ATT&CK Evaluation

The impact of these design choices is well illustrated in the protection scenario of the latest ATT&CK Evaluation emulating the Carbanak and FIN7 APT groups. In Test 12, for example, ESET Endpoint Security responded in the very first step of the attack by quarantining samcat.exe because it was identified as Mimikatz, an open-source password dumping tool.

In contrast, in Test 15, ESET Endpoint Security blocked the attack in its penultimate step when it identified a rundll32.exe process as Meterpreter, a reverse shell commonly used in penetration testing. Other vendors blocked the attack at the same or an earlier step, or did not detect any of the techniques used in the attack at all.

Obviously, the protection tests demonstrated a few gaps existing in endpoint security solutions that did not detect and block certain attacks. But even more, they showed that there was quite a variety as to the stage at which the various attacks were blocked. This variety in response is in large part due to the design decisions that went into the endpoint security products in question.

Making endpoints an open book with EDR

There is a threshold at which the “automated” security provided by endpoint protection is simply not enough to grow your maturity. Endpoint security alone is limited in the sense that it asks you for its trust to provide an automated type of security – a kind of set and forget (but don’t forget too much!) approach to security.

Some threats defy such automated categories of monitoring and detection because, ultimately, behind every cyberthreat lies some imprint of human intelligence, albeit misused. And sometimes the intelligence in question has devised such a novel, targeted, or sneaky attack that only another human intelligence – a security defender – would be able to spot it before too much damage is done.

By wielding an EDR tool, your security defenders are empowered to look at the low-level events being generated by endpoints and monitored by endpoint security products. Armed with familiarity of their environment and with the right filtering of events in place, your defenders can focus on and reconstruct the sequence of steps that an attack took from start to finish.

Testing endpoint detection and response in the Carbanak and FIN7 ATT&CK Evaluation

Whereas the protection scenario of the Carbanak and FIN7 ATT&CK Evaluation assessed endpoint protection, the detection scenarios put endpoint detection and response to the test. ESET’s EDR tool – ESET Enterprise Inspector – detected 100% of the steps in the attack scenarios and 91% of the sub-steps. You can read ESET CTO Juraj Malcho’s full write-up of how ESET Enterprise Inspector fared in the evaluation in the blogpost Know your enemy: MITRE Engenuity’s ATT&CK® Evaluations show the need for balanced approach to EDR use.

For organizations not ready to take on APT groups, however, a main consideration in looking at such an evaluation is how it can help develop their security maturity. Ultimately, a key goal for security engineers is to become familiar with the systems their organization uses and prioritize protection accordingly. This is in addition to basic security practices, which should always be in place. Leveraging EDR is about gaining intimate knowledge of your environment so that you can mature in your security posture – a prerequisite to hunting for APT attacks.

As the evaluation results for ESET Enterprise Inspector demonstrated, ESET’s EDR tool gives a lot of visibility. Yet, while visibility is a critical component of security, it’s only a start. The onus remains on security defenders to know their systems and to know their EDR tool – so that they can best tune it to their environment.

Indeed, many organizations can happen upon a bit of a surprise after first setting up their EDR solution. Has your IT team been setting up employees with local admin accounts on their machines, or giving them free rein to access internal resources, or perhaps even potentially unsafe applications, that they don’t need? Have you secured remote access to your network via tools such as remote monitoring and management (RMM) tools, remote desktop protocol (RDP), TeamViewer, or VNC? The visibility granted by an EDR tool can reveal some of the risky practices and habits that have gone unchecked until now.

Lacking capability or time to manage your EDR?

Best security practice, at least at its basic level, is a well-known playbook, but many organizations have failed to master the plays due to obstacles as simple as lack of capacity – again, those one or two admins doing security part time. What is often described as the rationale for adopting EDR – visibility into APT attacks – assumes a certain level of security maturity to engage at all with this kind of foe.

Another challenge for some organizations is when security sits outside the core business model. As such, these organizations would rather off-load security to a managed services provider, making the level of security maturity strongly dependent on the levels of investment, trust, and expertise in play with that third-party supplier and its ability to understand its clients’ infrastructure and threat models. Where EDR really scintillates for the use case focusing on APT groups is in the hands of very mature organizations, such as banks, that have the budget and regulatory impetus to maintain full security teams.

Conclusion

As an increasing number of enterprises examine EDR as it is widely described by vendors, analysts, and especially in the ATT&CK Evaluations, they should consider the benefits of approaching EDR even with an entry level of security maturity. Simply put, if the move to EDR starts educating your IT admins on better security practice, then the investment will likely be worth the effort. After all, bad habits, whether due to a problem-riddled history of security practice, negligence, or ignorance, are well gotten rid of – even if it takes the alerts in an EDR solution to wake up your organization.

As for the APT groups favored and emulated by the MITRE Engenuity evaluators, each stands as an attractive locus for security staff to understand the composite risks posed by both mature external adversaries and their own organization’s security posture.