Close

Request Demo

BUFFERZONE is available to Enterprise companies only. Please fill out the form below and we’ll contact you shortly


    Virtual Desktops

    VDI is vulnerable to advanced threats just like physical endpoints

    Blog

    Back

    Stop Worrying and Start Isolating – EDR Bypassing Is a Real Threat

    By BUFFERZONE Team, 19/06/2024

    Target: IT Professionals (Elementary)

    Tags: Isolation, Safe Workspace®, Safe Browser, Zero-day

    In the evolving landscape of cybersecurity, Endpoint Detection and Response (EDR) systems have become crucial in identifying and mitigating threats at the endpoint level.
    However, despite their advanced capabilities, EDR solutions are not infallible [1,2]. Cyber attackers continuously develop sophisticated techniques to bypass these defenses,
    making it imperative to enhance endpoint security with additional measures like isolation technology. This blog will delve into common EDR bypassing techniques and explain
    how isolation technology can significantly reduce your endpoint risk.

    Attackers [2] employ various techniques to bypass Endpoint Detection and Response (EDR) systems. One such method involves using direct syscalls [4], where attackers directly
    call assembly instructions to interact with the OS kernel. This approach bypasses EDR monitoring, which typically tracks specific syscall functions executed by programs.

    Another notable technique involves using SysWhispers[3], an antivirus and EDR evasion tool. Despite its initial success and surprise effectiveness, EDR systems can detect the
    attacks facilitated by SysWhispers.

    Additional bypass strategies include command-and-control frameworks employing the Fork&Run method [4]. This technique spawns sacrificial processes to perform malicious
    actions, then terminates them, allowing attackers to retrieve the output and move on. However, creating and injecting tooling into new processes generates numerous indicators,
    and EDR tools are adept at detecting remote process injection, which is crucial for this attack method to succeed.

    The Role of Isolation Technology in Enhancing Endpoint Security

    Due to these bypass techniques’ advanced nature, relying on EDR solutions is inadequate, and an innovative approach is needed. Utilizing isolation technology can provide a significant
    advantage in minimizing the attack surface for users. By segregating critical applications and processes from the rest of the system, isolation technology adds an extra layer of defense that decreases endpoint risk.

    Isolation technology comes with the following benefits:

    1. Containment of Threats: Isolation technology isolates potentially harmful activities from the enterprise network, containing any malicious activity so that the EDR can actively
      scan the isolated area without being bypassed.
    2. Reduced Attack Surface: By isolating applications like browsers, removable media, office files, email links, and attachments, you minimize the pathways for attackers to reach
      critical system resources. Isolation limits the attack’s surface, making it more challenging for malicious actors to gain a foothold in your network.
    3. Protection Against Zero-Day Exploits: Zero-day vulnerabilities pose a significant risk as they are unknown and unpatched. Isolation technology can mitigate this threat by
      ensuring that even if a zero-day exploit is used, the attack is confined to a controlled environment, preventing it from spreading or accessing sensitive data.
    4. Simplified Management and Response: Isolated environments can be quickly reset to a known good state in one click after an attack or suspicious activity is detected. This simplification in remediation efforts allows for faster recovery and minimizes downtime and disruption to business operations.

     

    Staying Safe in the Digital World Through Isolation

    To defend against new browser threats, individuals and organizations must implement proactive security measures, as detecting abnormal behavior is often too late when dealing with
    zero-day attacks. That is why we developed BUFFERZONE® Safe Workspace®, a set of zero-trust solutions including Safe Mail, NoCloud™ Artificial Intelligence (AI) Anti-Phishing,
    SafeBridge® Content Disarm and Reconstruction (CDR), and Safe Browser. Safe Browser is a secure browsing solution that separates your existing Browser from trusted enterprise
    resources, providing isolation and protection.

    Safe Mail is a Microsoft Outlook plugin that utilizes BUFFERZONE® Safe Workspace® to open links and attachments safely within a secure virtual container.
    This container isolates browsing and file activity, safeguarding your computer from evasive attacks. This sophisticated Zero-day exploit attack is contained and will not be able to
    penetrate the organization and steal sensitive data. Furthermore, the isolation restricts lateral movement within the organization, and your existing security controls can scan the
    isolated zone, adding extra layers of protection.

     Conclusion

    While EDR solutions are essential for detecting and responding to endpoint threats, they are not a silver bullet. Attackers are continually evolving their techniques to bypass these
    defenses, necessitating additional layers of security. Isolation technology offers a robust complementary approach, containing threats, reducing the attack surface, and providing
    enhanced visibility and control. By integrating isolation technology with your EDR strategy, you can significantly reduce your endpoint risk and bolster your overall cybersecurity
    posture.

     

    References

    [1] https://www.csoonline.com/article/2142372/cisos-may-be-too-reliant-on-edr-xdr-defenses.html

    [2] https://www.techtarget.com/searchsecurity/feature/The-reality-behind-bypassing-EDR-attempts

    [3] https://github.com/jthuraisamy/SysWhispers

    [4] https://nostarch.com/evading-edr