Blog
Enhancing MSSP security against EDR wipers
By BUFFERZONE Team, 16/09/2024
Target: IT Professionals (Elementary)
Tags: Isolation, Safe Workspace®, Safe Browser, EDR Wiper, Protection by containment™
The cybersecurity landscape is constantly in flux, with threat actors continually developing more sophisticated tools to evade detection and wreak havoc. One evolution that has caught the attention of security experts is the transformation of the PoorTry Windows driver into a full-featured Endpoint Detection and Response (EDR) wiper [1]. This development is alarming, and it underscores the pressing need for additional defensive layers, notably endpoint application isolation, that reduce the endpoint attack surface rather than relying on detection alone.
Understanding the Threat: The PoorTry EDR Wiper
The PoorTry Windows driver [1], once a relatively minor tool in the cybercriminal's arsenal, has evolved into a full EDR wiper. EDR wipers are designed to disable endpoint security solutions [2], effectively blinding an organization's defenses before the attacker unleashes a more destructive payload. With the EDR [2] neutralized, attackers can move through the network undetected, exfiltrating data or deploying ransomware with little resistance.
What makes the PoorTry wiper particularly dangerous is that it ships as a kernel driver: once loaded, it runs with the privileges of the operating system itself, so it can bypass security mechanisms, disable key protection features, and render endpoint defenses useless, and a user-mode EDR agent cannot protect itself from code running at that level. This transformation highlights a disturbing trend: attackers increasingly focus on dismantling security tools as a precursor to launching full-scale attacks.
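A wiper that arrives as a driver still has to get that driver loaded, so the first thing a practitioner can check today is which kernel drivers are actually running on an endpoint and whether the operating system's own driver-level mitigations are switched on. The script below is an added example for this post, not BUFFERZONE code and not part of the PoorTry research it cites; it reads the documented Windows registry value for Microsoft's Vulnerable Driver Blocklist, the Device Guard WMI class for memory integrity (HVCI) status, and the Authenticode signature of every running driver, then compares the result with a reviewed baseline. The baseline file path and the `Get-DriverAudit` function name are assumptions for illustration, and the script must run from an elevated PowerShell session.

```powershell
# Added example, not BUFFERZONE code: audit the kernel drivers loaded on a Windows
# endpoint and confirm the OS mitigations against malicious or vulnerable drivers.
# Run from an elevated PowerShell session on Windows 10/11 or Windows Server 2019+.
# The baseline CSV path below is an illustrative assumption.

function Get-DriverAudit {
    param(
        # Optional CSV with Name,Signer columns for drivers you have already reviewed;
        # anything not listed there is reported as new. Path is an assumption.
        [string]$BaselineCsv = 'C:\ProgramData\DriverBaseline.csv'
    )

    # 1. Microsoft's Vulnerable Driver Blocklist (documented registry value).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklistOn = [bool]($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)

    # 2. Memory integrity (HVCI). SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciOn = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 3. Every running kernel driver, with its Authenticode status and signer subject.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes in several shapes: quoted, \??\C:\..., \SystemRoot\...,
            # or relative to the Windows directory. Normalise it to a plain file path.
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                StartMode = $_.StartMode
                Status    = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }

    # Compare against the reviewed baseline, if one exists.
    $known = @{}
    if (Test-Path $BaselineCsv) {
        Import-Csv $BaselineCsv | ForEach-Object { $known["$($_.Name)|$($_.Signer)"] = $true }
    }
    $flagged = $drivers | Where-Object {
        $_.Status -ne 'Valid' -or -not $known.ContainsKey("$($_.Name)|$($_.Signer)")
    }

    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklistOn
        MemoryIntegrityRunning    = $hvciOn
        RunningDrivers            = @($drivers).Count
        Flagged                   = @($flagged)
    }
}

$audit = Get-DriverAudit
if (-not $audit.VulnerableDriverBlocklist) { Write-Warning 'Vulnerable Driver Blocklist is not enabled' }
if (-not $audit.MemoryIntegrityRunning)    { Write-Warning 'Memory integrity (HVCI) is not running' }
$audit.Flagged | Format-Table Name, Status, Signer, Path -AutoSize
```

Two caveats when reading the output. A `Valid` signature is necessary but not sufficient: code-signing certificates have been abused to sign malicious drivers, so the reviewed baseline, not the signature alone, is what decides whether a driver belongs on the machine. And on recent Windows 11 builds the blocklist is on by default even when the registry value is absent, so a `False` there means "confirm in Windows Security under Core isolation", not necessarily "disabled".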
The Role of Endpoint Application Isolation in Defense
Traditional security measures are no longer sufficient on their own in the face of such advanced threats. This is where endpoint application isolation comes into play. Application isolation executes potentially malicious or untrusted applications in a controlled, isolated environment, so that even if an application is compromised, the damage is contained: the compromised process cannot reach critical system components or spread across the network.
Isolation creates a virtual environment in which applications run without touching the underlying system or other applications. This approach not only contains the threat but also provides valuable insight into the behavior of suspicious programs, allowing security teams to respond more effectively.
The Role of Isolation Technology in Enhancing Endpoint Security
Because these bypass techniques are so advanced, relying on EDR alone is inadequate, and a complementary approach is needed. Isolation technology can significantly reduce the attack surface exposed to users. By segregating untrusted applications and content from the rest of the system, it adds an extra layer of defense that decreases endpoint risk.
Isolation technology comes with the following benefits:
- Containment of Threats: Isolation keeps potentially harmful activity away from the enterprise network and trusted resources, so any malicious behavior stays inside the container, where existing security controls, including the EDR, can still scan it without being tampered with.
- Reduced Attack Surface: By isolating browsers, removable media, office files, email links, and attachments, you minimize the pathways an attacker can use to reach critical system resources. A smaller attack surface makes it harder for malicious actors to gain a foothold in your network.
- Protection Against Zero-Day Exploits: Zero-day vulnerabilities pose a significant risk because they are unknown and unpatched. Isolation mitigates this risk by confining the attack to a controlled environment even when a zero-day exploit succeeds, preventing it from spreading or accessing sensitive data.
- Simplified Management and Response: Isolated environments can be reset to a known good state in one click after an attack or suspicious activity is detected, which simplifies remediation, speeds recovery, and minimizes downtime and disruption to business operations.
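The four benefits above can be seen in miniature with tooling that ships in Windows. The script below is an added example for this post, not BUFFERZONE's product or code: it builds a Windows Sandbox configuration that opens an untrusted download with networking disabled, the host folder mapped read-only, and clipboard and printer redirection switched off, then launches it. Everything that happens inside the sandbox is discarded when the window is closed, which is the "reset to a known good state" property in its simplest form. It requires Windows 10/11 Pro or Enterprise with the Windows Sandbox feature enabled; the quarantine folder path and file name are placeholders.

```powershell
# Added example, not BUFFERZONE code: open an untrusted download inside a disposable,
# network-less Windows Sandbox. Requires the "Windows Sandbox" optional feature.
# $hostFolder and $fileName are illustrative assumptions.

$hostFolder = 'C:\Quarantine'     # host folder holding the untrusted file (assumed)
$fileName   = 'invoice.docx'      # the attachment to inspect (assumed)

# Networking is disabled so a malicious document cannot fetch a second-stage payload.
# The host folder is mapped read-only so nothing in the sandbox can modify it.
# ProtectedClient runs the sandbox's RDP client inside an AppContainer, and clipboard
# and printer redirection are off so nothing copied inside the sandbox reaches the host.
# Any viewer used to open the file must already exist in the sandbox's base image.
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Untrusted</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Untrusted</Command>
  </LogonCommand>
</Configuration>
"@

if (-not (Test-Path (Join-Path $hostFolder $fileName))) {
    throw "Untrusted file not found: $(Join-Path $hostFolder $fileName)"
}

# Write the configuration and hand it to the .wsb file association (WindowsSandbox.exe).
$wsbPath = Join-Path $env:TEMP 'open-untrusted.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Start-Process -FilePath $wsbPath
```

The contrast with an enterprise isolation product is in scope and ergonomics rather than principle: a per-file sandbox like this has to be launched deliberately and holds only the base Windows image, whereas a workspace-level solution applies the same containment automatically to browsers, mail attachments and removable media, and lets the existing EDR scan the contained zone.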
Safe in the Digital World Through Isolation
To defend against new threats and EDR attacks, individuals and organizations must implement proactive security measures, since detecting abnormal behavior is often too late when dealing with zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, a set of zero-trust solutions that includes Safe Mail, NoCloud™ Artificial Intelligence (AI) Anti-Phishing, SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing browser from trusted enterprise resources, providing isolation and protection.
Safe Mail is a Microsoft Outlook plugin that uses BUFFERZONE® Safe Workspace®, whose guiding principle is Protection by containment™, to open links and attachments safely within a secure virtual container. The container isolates browsing and file activity, safeguarding your computer from evasive attacks. A zero-day exploit delivered this way is contained and cannot penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the isolated zone, adding an extra layer of protection.
Conclusion
Today, managed security service providers (MSSPs) rely on EDR as a significant part of their stack. While EDR solutions are essential for detecting and responding to endpoint threats, they are not a silver bullet. Attackers continually evolve their techniques to bypass these defenses, which makes additional layers of security necessary. Isolation technology offers a robust complementary approach: it contains threats, reduces the attack surface, and provides greater visibility and control. Integrating isolation with your EDR strategy can significantly reduce endpoint risk and bolster your overall cybersecurity posture, simplifying the MSSP's job and keeping the endpoint secure.
References
[1] Bill Toulas, "PoorTry Windows driver evolves into a full-featured EDR wiper", BleepingComputer, https://www.bleepingcomputer.com/news/security/poortry-windows-driver-evolves-into-a-full-featured-edr-wiper/
[2] BUFFERZONE, "Stop Worrying and Start Isolating – EDR Bypassing Is a Real Threat", https://bufferzonesecurity.com/stop-worrying-and-start-isolating-edr-bypassing-is-a-real-threat/