Blog
Stop Worrying and Start Isolating – EDR Bypassing Is a Real Threat
By BUFFERZONE Team, 19/06/2024
Target: IT Professionals (Elementary)
Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day, Protection by containment™
In the evolving landscape of cybersecurity, Endpoint Detection and Response (EDR) systems have become crucial in identifying and mitigating threats at the endpoint level.
However, despite their advanced capabilities, EDR solutions are not infallible [1,2]. Cyber attackers continuously develop sophisticated techniques to bypass these defenses,
making it imperative to enhance endpoint security with additional measures like isolation technology. This blog will delve into common EDR bypassing techniques and explain
how isolation technology can significantly reduce your endpoint risk.
Attackers [2] employ various techniques to bypass Endpoint Detection and Response (EDR) systems. One such method is direct syscalls [4]: instead of calling the
Windows API functions that an EDR hooks in user mode (typically the Nt* stubs in ntdll.dll), the attacker's code executes the syscall instruction itself, so the
hooked stub never runs and the monitoring attached to it never fires. SysWhispers [3] is a well-known tool that generates such direct-syscall stubs for antivirus and
EDR evasion. Despite its initial success, direct syscalls are now detectable: a syscall instruction executing from outside ntdll, or a call stack that never passes
through ntdll, is itself an anomaly that EDR systems can flag, and kernel-side telemetry (process, thread and image-load callbacks) still observes the resulting activity.
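The following is an added example, not code from the BUFFERZONE post or from SysWhispers: it shows how an inline hook on an ntdll Nt* stub is recognised, how a direct-syscall tool recovers the system service number (SSN) from a clean stub and emits its own SysWhispers-style copy, and the defender-side check that catches a syscall issued from outside ntdll. The byte strings are constructed to mimic the Windows 10 x64 stub layout and are not read from a real ntdll.dll; the SSN values and the ntdll address range are illustrative assumptions.

```python
"""
Added example (not from the BUFFERZONE post): recognising a hooked ntdll
stub, extracting the SSN from a clean one, emitting a direct-syscall stub,
and the defender-side origin check. All byte strings below are constructed
to mimic the Windows 10 x64 stub layout; none are read from a real ntdll.dll,
and the SSN values are illustrative.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Prologue of an unhooked x64 Nt* stub:
#   4C 8B D1         mov r10, rcx
#   B8 nn nn nn nn   mov eax, <SSN>
MOV_R10_RCX = b"\x4C\x8B\xD1"
MOV_EAX = 0xB8
SYSCALL = b"\x0F\x05"
RET = b"\xC3"


@dataclass
class StubAnalysis:
    name: str
    hooked: bool
    ssn: Optional[int]
    reason: str


def analyse_stub(name: str, code: bytes) -> StubAnalysis:
    """Classify the first bytes of an Nt* export as clean or hooked."""
    # An inline hook overwrites the prologue with a jump into the EDR DLL:
    #   E9 rel32       jmp rel32
    #   FF 25 rel32    jmp qword ptr [rip+rel32]
    if code[:1] == b"\xE9" or code[:2] == b"\xFF\x25":
        return StubAnalysis(name, True, None, "prologue replaced by jmp (inline hook)")
    if len(code) < 8 or code[:3] != MOV_R10_RCX or code[3] != MOV_EAX:
        return StubAnalysis(name, True, None, "unexpected prologue bytes")
    if SYSCALL not in code[8:]:
        return StubAnalysis(name, True, None, "no syscall instruction after prologue")
    ssn = int.from_bytes(code[4:8], "little")
    return StubAnalysis(name, False, ssn, "clean stub")


def emit_direct_syscall_stub(ssn: int) -> bytes:
    """Emit a SysWhispers-style stub that issues the syscall itself.
    Executing this instead of the ntdll export skips any user-mode hook."""
    return MOV_R10_RCX + bytes([MOV_EAX]) + ssn.to_bytes(4, "little") + SYSCALL + RET


def syscall_origin_is_suspicious(rip: int, ntdll_range: Tuple[int, int]) -> bool:
    """Defender-side check: a syscall instruction is expected to execute from
    inside ntdll's image. One executing anywhere else (the attacker's own
    stub) is the anomaly that direct-syscall detections key on."""
    lo, hi = ntdll_range
    return not (lo <= rip < hi)


def x64_stub(ssn: int) -> bytes:
    """Constructed sample: layout of a Windows 10 x64 Nt* stub (not real bytes)."""
    return (MOV_R10_RCX
            + bytes([MOV_EAX]) + ssn.to_bytes(4, "little")
            + b"\xF6\x04\x25\x08\x03\xFE\x7F\x01"  # test byte ptr [7FFE0308h], 1
            + b"\x75\x03"                          # jne  +3
            + SYSCALL                              # syscall
            + RET                                  # ret
            + b"\xCD\x2E"                          # int 2Eh (legacy path)
            + RET)


def hooked_stub(ssn: int) -> bytes:
    """Constructed sample: first five bytes replaced by a jmp into the EDR's DLL."""
    return b"\xE9\x00\x10\x00\x00" + x64_stub(ssn)[5:]


if __name__ == "__main__":
    clean = analyse_stub("NtAllocateVirtualMemory", x64_stub(0x18))   # SSN illustrative
    hooked = analyse_stub("NtWriteVirtualMemory", hooked_stub(0x3A))  # SSN illustrative
    print(clean)
    print(hooked)
    if not clean.hooked:
        print("direct stub:", emit_direct_syscall_stub(clean.ssn).hex())
```

The attacker's half (SSN recovery plus a private stub) is exactly why a user-mode hook alone is insufficient; the defender's half (`syscall_origin_is_suspicious`) is the kind of check, combined with call-stack inspection and kernel telemetry, that makes SysWhispers-style stubs detectable today.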
Additional bypass strategies include command-and-control frameworks that use the fork-and-run model [4]. Here the implant spawns a sacrificial process, injects its
post-exploitation tooling into it, collects the output and terminates the process, so that a crash or detection is confined to the throwaway process rather than the
implant itself. However, creating a new process and injecting into it generates numerous indicators (a process creation, a remote memory allocation and write, a remote
thread, and an unusually short-lived child), and EDR tools are adept at detecting remote process injection, which this method depends on.
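As an added example of the indicators just described (not code from the post or from any EDR product), here is a minimal correlation rule that ties three of them together: a parent spawns a child, creates a remote thread in it, and the child exits shortly afterwards. The events are Sysmon-style (event ID 1 process create, 5 process terminate, 8 CreateRemoteThread); the images, process GUIDs and timestamps are constructed for the example.

```python
"""
Added example (not from the BUFFERZONE post): a correlation rule for the
fork-and-run sacrificial-process pattern, run over constructed Sysmon-style
events. Event IDs follow Sysmon (1 process create, 5 process terminate,
8 CreateRemoteThread); images, GUIDs and timestamps are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    event_id: int
    time: datetime
    fields: Dict[str, str]


@dataclass
class ProcessTrack:
    image: str
    parent_guid: Optional[str]
    created: datetime
    injected_by: Optional[str] = None  # GUID of the process that created a remote thread in us


def correlate_fork_and_run(events: List[Event],
                           max_lifetime: timedelta = timedelta(seconds=30)) -> List[dict]:
    """Alert when a parent spawns a child, creates a remote thread in it, and
    the child exits within max_lifetime: the trail a sacrificial process leaves."""
    procs: Dict[str, ProcessTrack] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if ev.event_id == 1:
            procs[f["ProcessGuid"]] = ProcessTrack(f["Image"], f.get("ParentProcessGuid"), ev.time)
        elif ev.event_id == 8:
            target = procs.get(f["TargetProcessGuid"])
            if target is not None and f["SourceProcessGuid"] != f["TargetProcessGuid"]:
                target.injected_by = f["SourceProcessGuid"]
        elif ev.event_id == 5:
            target = procs.get(f["ProcessGuid"])
            if target is None:
                continue
            lifetime = ev.time - target.created
            if (target.injected_by is not None
                    and target.injected_by == target.parent_guid
                    and lifetime <= max_lifetime):
                parent = procs.get(target.parent_guid)
                alerts.append({
                    "rule": "fork-and-run sacrificial process",
                    "parent_image": parent.image if parent else "<unknown>",
                    "target_image": target.image,
                    "lifetime_seconds": lifetime.total_seconds(),
                })
    return alerts


def constructed_events() -> List[Event]:
    """Invented telemetry: one fork-and-run sequence plus two benign sequences."""
    t0 = datetime(2024, 6, 19, 10, 0, 0)
    P, C, E, N, W = "{P-implant}", "{C-sacrificial}", "{E-explorer}", "{N-notepad}", "{W-worker}"
    return [
        Event(1, t0, {"ProcessGuid": E, "Image": r"C:\Windows\explorer.exe"}),
        Event(1, t0 + timedelta(seconds=1), {"ProcessGuid": P, "ParentProcessGuid": E,
                                             "Image": r"C:\Users\u\AppData\Local\Temp\update.exe"}),
        # fork-and-run: implant spawns rundll32, injects, child exits 4 s later
        Event(1, t0 + timedelta(seconds=10), {"ProcessGuid": C, "ParentProcessGuid": P,
                                              "Image": r"C:\Windows\System32\rundll32.exe"}),
        Event(8, t0 + timedelta(seconds=11), {"SourceProcessGuid": P, "TargetProcessGuid": C}),
        Event(5, t0 + timedelta(seconds=14), {"ProcessGuid": C}),
        # benign: explorer spawns notepad, no injection, long-lived
        Event(1, t0 + timedelta(seconds=20), {"ProcessGuid": N, "ParentProcessGuid": E,
                                              "Image": r"C:\Windows\System32\notepad.exe"}),
        Event(5, t0 + timedelta(minutes=10), {"ProcessGuid": N}),
        # injected by its parent but long-lived: below the rule's threshold, no alert
        Event(1, t0 + timedelta(seconds=30), {"ProcessGuid": W, "ParentProcessGuid": P,
                                              "Image": r"C:\Users\u\AppData\Local\Temp\worker.exe"}),
        Event(8, t0 + timedelta(seconds=31), {"SourceProcessGuid": P, "TargetProcessGuid": W}),
        Event(5, t0 + timedelta(minutes=15), {"ProcessGuid": W}),
    ]


def example_alerts() -> List[dict]:
    return correlate_fork_and_run(constructed_events())


if __name__ == "__main__":
    for alert in example_alerts():
        print(alert)
```

Only the rundll32 sequence fires: the notepad case has no remote thread, and the worker case is injected but outlives the 30-second window. In production the lifetime threshold and the parent/target image pairs would be tuned to the environment.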
The Role of Isolation Technology in Enhancing Endpoint Security
Because these bypass techniques are so advanced, relying on EDR alone is inadequate, and a complementary approach is needed. Isolation technology can significantly
reduce the attack surface exposed to users. By segregating untrusted applications and content from the rest of the system, isolation adds a layer of defense that does not depend on recognising the attacker's behaviour, which decreases endpoint risk.
Isolation technology comes with the following benefits:
- Containment of Threats: Isolation technology separates potentially harmful activities from the enterprise network, containing any malicious activity so that the EDR can actively scan the isolated area without being bypassed.
- Reduced Attack Surface: By isolating applications like browsers, removable media, office files, email links, and attachments, you minimize the pathways by which attackers can reach critical system resources, making it more challenging for malicious actors to gain a foothold in your network.
- Protection Against Zero-Day Exploits: Zero-day vulnerabilities pose a significant risk because they are unknown and unpatched. Isolation mitigates this threat by ensuring that even if a zero-day exploit succeeds, the attack is confined to a controlled environment and cannot spread or access sensitive data.
- Simplified Management and Response: Isolated environments can be reset to a known good state in one click after an attack or suspicious activity is detected, which speeds recovery and minimizes downtime and disruption to business operations.
Staying Safe in the Digital World Through Isolation
To defend against new browser threats, individuals and organizations must implement proactive security measures, since detecting abnormal behavior often comes too late
against zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, whose strategic concept, Protection by containment™, is a set of zero-trust solutions including Safe Mail, NoCloud™ Artificial Intelligence (AI) Anti-Phishing,
SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing browser from trusted enterprise
resources, providing isolation and protection.
Safe Mail is a Microsoft Outlook plugin that uses BUFFERZONE® Safe Workspace® to open links and attachments within a secure virtual container.
The container isolates browsing and file activity, safeguarding your computer from evasive attacks: even a sophisticated zero-day exploit is contained and cannot
penetrate the organization or steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the
isolated zone, adding extra layers of protection.
Conclusion
While EDR solutions are essential for detecting and responding to endpoint threats, they are not a silver bullet. Attackers are continually evolving their techniques to bypass these
defenses, necessitating additional layers of security. Isolation technology offers a robust complementary approach, containing threats, reducing the attack surface, and providing
enhanced visibility and control. By integrating isolation technology with your EDR strategy, you can significantly reduce your endpoint risk and bolster your overall cybersecurity
posture.
References
[1] https://www.csoonline.com/article/2142372/cisos-may-be-too-reliant-on-edr-xdr-defenses.html
[2] https://www.techtarget.com/searchsecurity/feature/The-reality-behind-bypassing-EDR-attempts
[3] https://github.com/jthuraisamy/SysWhispers
[4] https://nostarch.com/evading-edr