Challenges of Threat Hunting with Endpoint Detection and Response (EDR)

Last week in a Live Webinar we looked at the pitfalls of relying solely on Endpoint Detection and Response (EDR) software for proactive threat hunting and examined some of the common misconceptions about how comprehensive the data collected by many EDR solutions really is. The intention was not to discredit EDR or to claim that a forensic state analysis (FSA) approach is simply better, but to reflect on the different approaches to threat hunting and which might be more appropriate for your use case.

If you couldn’t join us, here’s a quick overview of what was covered. We invite you to watch the recording for the full scoop.

Threat Hunting with EDR

EDR can be extremely powerful for detecting attacks and for the rapid response actions needed to contain them, but can you proactively hunt a persistent compromise with it? Sure. But usually not with EDR alone.

First off, it needs to be understood that for a persistent adversary to be present on your systems, the automated detection and categorization capabilities of the EDR platform must already have been bypassed (yes, this happens; attackers are very good at it and only getting better). What hunters then have to work with are the more granular endpoint activity logs that the EDR solution has collected. These logs can be very powerful when searching for specific adversary behaviors or for historical events, for example when a new threat intel report gives you a concrete indicator to look for. This type of hunting is called “Historical Search”; it is the most widely used hunting technique, but also the most basic one.

Unfortunately, most EDR solutions make for poor proactive threat hunting platforms on their own; additional analytics solutions are usually required to perform the more advanced analysis needed to hunt for post-compromise behaviors. Therefore, in most cases, you need to think of EDR as a log source feeding a log/data analytics solution (e.g. ELK, Splunk, or a specialized Security Intelligence platform).

Top 3 Challenges of Hunting with EDR

When looking at EDR + Analytics, there are still some limitations:

1.    EDR coverage needs to be comprehensive (across all workstations and servers):

  • The agent may not be present or running on the affected device (non-compliant host, or agent disabled)
  • It may be expensive to retain data for all devices for the 6+ months of history that hunting typically needs

2.    Not all host activity is recorded (e.g. code execution exploits that bypass the hooks and traps the EDR relies on)

  • A single system has millions of events happening under the hood. Sysinternals’ Process Monitor can collect 5000 events per second, whereas most EDRs record only around ~30 events per minute to limit host impact.

3.    The primary EDR hunt strategy is Historical Search (which yields limited results); more advanced proactive hunting requires experienced security personnel well versed in attackers’ tactics, techniques and procedures (TTPs) to do behavior matching (e.g. attack type X produces behavior Y, which shows up in the EDR logs as pattern Z).
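Both EDR hunting styles described above, Historical Search and behavior matching, are easy to show against telemetry once it sits in an analytics store. The following is an added example written for this post, not code from the original article or from any EDR vendor: it runs a hash/IP indicator search and two behavior rules (Office application spawning a script host; PowerShell launched with an encoded command) over a constructed batch of events. The event schema (host, ts, event, image, parent_image, cmdline, sha256, dest), the indicator set and all hashes are assumptions made up for the example.

```python
"""Added example (not code from the original post or from any EDR vendor).

Two ways of hunting over EDR telemetry, run on a constructed sample of events:
  1. Historical Search: match indicators lifted from an intel report (hashes, IPs);
  2. behaviour matching: attack type X -> behaviour Y -> log pattern Z.
Field names (host, ts, event, image, parent_image, cmdline, sha256, dest) are an
assumed, simplified schema, not any particular product's export format.
"""
import hashlib
import re

# Placeholder hash standing in for a dropped binary's SHA-256 (constructed).
DROPPER_SHA256 = hashlib.sha256(b"constructed sample, not a real binary").hexdigest()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed EDR events from three workstations; the "0"*64 style hashes are placeholders.
EVENTS = [
    {"host": "WS01", "ts": "2019-03-04T09:12:03", "event": "process_start",
     "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "0" * 64},
    {"host": "WS01", "ts": "2019-03-04T09:14:55", "event": "process_start",
     "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docm"', "sha256": "1" * 64},
    {"host": "WS01", "ts": "2019-03-04T09:15:02", "event": "process_start",
     "image": PS, "parent_image": WINWORD,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "sha256": "2" * 64},
    {"host": "WS01", "ts": "2019-03-04T09:15:04", "event": "network_connect",
     "image": PS, "dest": "198.51.100.23:443"},
    {"host": "WS01", "ts": "2019-03-04T09:15:09", "event": "process_start",
     "image": r"C:\Users\alice\AppData\Roaming\updater.exe", "parent_image": PS,
     "cmdline": "updater.exe", "sha256": DROPPER_SHA256},
    {"host": "WS02", "ts": "2019-03-04T09:20:41", "event": "process_start",
     "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Process", "sha256": "2" * 64},
    {"host": "WS03", "ts": "2019-03-04T09:31:17", "event": "process_start",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXCEL,
     "cmdline": "cmd.exe /c whoami", "sha256": "3" * 64},
]

# Indicators as they would be lifted from a (hypothetical) threat intel report.
INTEL_IOCS = {"sha256": {DROPPER_SHA256}, "dest_ip": {"198.51.100.23"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, -enc, ...
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def historical_search(events, iocs):
    """Historical Search: any event carrying a known-bad hash or destination IP."""
    hits = []
    for ev in events:
        if ev.get("sha256") in iocs["sha256"]:
            hits.append(("ioc_sha256", ev))
        elif ev.get("dest", "").rsplit(":", 1)[0] in iocs["dest_ip"]:
            hits.append(("ioc_dest_ip", ev))
    return hits


def behaviour_match(events):
    """Behaviour matching, independent of any indicator.

    X = macro-laden document -> Y = Office spawns a script host -> Z = a process_start
    whose parent_image is an Office app and whose image is cmd/powershell/wscript/...
    A second rule flags PowerShell launched with an encoded command.
    """
    hits = []
    for ev in events:
        if ev["event"] != "process_start":
            continue
        if basename(ev["parent_image"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", ev))
        if basename(ev["image"]) == "powershell.exe" and ENCODED_RE.search(ev["cmdline"]):
            hits.append(("encoded_powershell", ev))
    return hits


def hunt(events, iocs):
    """Run both strategies and return the hosts that need a closer look."""
    historical = historical_search(events, iocs)
    behavioural = behaviour_match(events)
    hosts = sorted({ev["host"] for _, ev in historical + behavioural})
    return {"historical": historical, "behavioural": behavioural, "hosts": hosts}


if __name__ == "__main__":
    result = hunt(EVENTS, INTEL_IOCS)
    for rule, ev in result["historical"] + result["behavioural"]:
        print(f"{rule:28} {ev['host']} {ev['ts']} {basename(ev['image'])}")
    print("hosts to escalate:", result["hosts"])
```

Note what each strategy does and does not find in this sample: the indicator search only lights up WS01, and only because the report happened to list that hash and that IP. The behavior rule also catches the Excel-to-cmd.exe chain on WS03, for which there is no indicator at all. That is the difference between searching for what you have been told about and searching for how the attack works, and the second kind of rule is the one that needs an analyst who knows the TTPs well enough to write it and to tune it (an encoded PowerShell rule, for instance, will also fire on some legitimate admin scripts).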

Forensic State Analysis, a better approach to proactive hunting

Infocyte leverages Forensic State Analysis (FSA) – the use of live host forensic data (volatile and non-volatile) to determine the compromise state of a system or set of systems. FSA does not rely on logs or monitoring changes to a system over time. It assumes the device is already compromised and seeks to validate systems through a comprehensive deep host inspection.

Why state analysis?

  • If an adversary is embedded in a network, they will most likely reside on an endpoint or server as a beachhead, or at least leave indicators of compromise there. Endpoint inspection is therefore of utmost importance.
  • Second, persistent adversaries might not be active during your assessment window; dormant malware has no “behavior” to analyze, so finding it requires state analysis of its persistence mechanisms (autostarts).
  • Third, focused forensic collection has no time dependency. EDR, as a real-time monitoring tool, can only look forward from the moment it is installed; it cannot reconstruct what happened before that, and it is not designed to enumerate the current state of a host. EDR therefore has to have been installed and working during the initial attack for its logs to be most useful.

FSA + EDR, Better Together

Ultimately, EDR technologies are an important step in the maturity of a security organization. Centralized logging of endpoint behaviors is required to determine the root cause of a compromise and is very useful in identifying the impact of a breach. FSA enables scalable host inspection to find malware, backdoors, scripts, and rogue accounts present on your systems; such a finding can focus your search parameters within your store of logs and make a proactive hunt both simpler and more effective.
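To make the “dormant persistence” point and the “state finding focuses the log search” point concrete, here is an added example written for this post; it is not Infocyte’s code and not part of any product. It inspects a constructed snapshot of autostart entries (Run keys, a scheduled task) from three hosts, flags entries that fail simple validation checks (unique across the fleet after normalizing per-user profile paths, unsigned binary in a user-writable directory, a system binary name living outside the system directories), and then uses the flagged artifact to pivot into a small set of constructed EDR events. The entry data, event schema, host names and paths are all assumptions made up for the example.

```python
"""Added example (not Infocyte's code or any part of its product).

Point-in-time state inspection of autostart entries from a small fleet, then a
pivot into EDR logs using what the inspection finds. All entries and events are
constructed and the field names are an assumed, simplified schema.
"""
import re
from collections import defaultdict

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
TASK = r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def autostart(host, location, name, image, signed):
    return {"host": host, "location": location, "name": name, "image": image, "signed": signed}


# Constructed snapshot: what is wired to start on each host right now, regardless of
# whether it has ever run. Paths differ per user profile, which is why we normalize.
AUTOSTARTS = [
    *[autostart(h, RUN_KEY, "OneDrive", rf"C:\Users\{u}\AppData\Local\Microsoft\OneDrive\OneDrive.exe", True)
      for h, u in (("WS01", "alice"), ("WS02", "bob"), ("WS03", "carol"))],
    *[autostart(h, TASK, "Schedule Scan", r"C:\Windows\System32\usoclient.exe", True)
      for h in ("WS01", "WS02", "WS03")],
    autostart("WS02", RUN_KEY, "Zoom", r"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe", True),
    autostart("WS01", RUN_KEY, "WindowsUpdateSvc", r"C:\Users\alice\AppData\Roaming\svchost.exe", False),
]

USER_PROFILE = re.compile(r"(?i)^c:\\users\\[^\\]+\\")
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp|programdata|users\\public|downloads)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "rundll32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def normalize(image):
    """Fold C:\\Users\\<name>\\ into C:\\Users\\*\\ so per-user installs stack across hosts."""
    return USER_PROFILE.sub(r"c:\\users\\*\\", image.lower())


def inspect_autostarts(entries):
    """Validate every autostart entry as if the host were already compromised."""
    fleet = {e["host"] for e in entries}
    prevalence = defaultdict(set)
    for e in entries:
        prevalence[(e["location"], normalize(e["image"]))].add(e["host"])
    findings = []
    for e in entries:
        image = e["image"].lower()
        reasons = []
        if len(fleet) > 1 and len(prevalence[(e["location"], normalize(image))]) == 1:
            reasons.append("unique_in_fleet")
        if not e["signed"] and USER_WRITABLE.search(image):
            reasons.append("unsigned_in_user_writable_path")
        if basename(image) in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            reasons.append("system_name_outside_system_dir")
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


# Constructed EDR events covering the retention window. The rogue svchost.exe was
# dropped and registered weeks ago and has not executed since: no behaviour to match.
EDR_EVENTS = [
    {"host": "WS01", "ts": "2019-02-20T14:02:09", "event": "file_create", "image": PS,
     "path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"host": "WS01", "ts": "2019-02-20T14:02:11", "event": "registry_set", "image": PS,
     "key": RUN_KEY + r"\WindowsUpdateSvc", "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"host": "WS01", "ts": "2019-03-04T09:12:03", "event": "process_start",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS02", "ts": "2019-03-04T09:20:41", "event": "process_start",
     "image": PS, "cmdline": "powershell.exe -Command Get-Process"},
]


def pivot(events, finding):
    """Use a state finding to narrow the log search to one host and one artifact."""
    needle = finding["image"].lower()
    related = [ev for ev in events
               if ev["host"] == finding["host"]
               and any(isinstance(v, str) and v.lower() == needle for v in ev.values())]
    executions = [ev for ev in related if ev["event"] == "process_start"]
    origin = sorted((ev for ev in related if ev["event"] in ("file_create", "registry_set")),
                    key=lambda ev: ev["ts"])
    return {"executions": executions, "origin_events": origin, "dormant": not executions}


if __name__ == "__main__":
    for f in inspect_autostarts(AUTOSTARTS):
        print(f"{f['host']} {f['name']:18} {f['image']}  <- {', '.join(f['reasons'])}")
        p = pivot(EDR_EVENTS, f)
        print(f"   dormant={p['dormant']} origin events={len(p['origin_events'])}")
```

Two things are worth noticing. The Zoom entry on WS02 is flagged only because it is unique in this three-host fleet; prevalence stacking produces leads, not verdicts, and on a real fleet you would combine it with signature, path and reputation checks as the other two rules do. The rogue svchost.exe, on the other hand, has not produced a single process_start in the retention window, so no behavior rule could have matched it; the state inspection finds it anyway, and the pivot then turns the finding into a precise log query (one host, one path) that lands on the file_create and registry_set events from February and the PowerShell process that wrote them, which is where the root-cause investigation starts.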

Watch the recording to learn the top reasons why threat hunting with FSA can be more effective and efficient than sifting through EDR logs alone, as well as how EDR and FSA complement each other to provide more powerful threat hunting capabilities.