Structural defects found difficult to patch in most EDR products

According to research findings, attackers can safely settle malware due to structural characteristics found in virtually all endpoint detection and response systems (EDR). Since this is a’root fault’ or a’design error,’ the issue is more severe because it cannot be quickly solved, and a minor update is expected for EDR systems on the market, according to security firm Optive.

EDR products are security tools that are designed to identify and respond to suspicious behavior in endpoint devices. The majority of them are outfitted with signature based malware identification, heuristic analysis, and sandboxing technologies. With such a solution in place, security teams can easily isolate and block infiltrating attacks, preventing them from spreading across the network and making recovery easier.

Furthermore, in EDR products, unusual behaviour data and information are gathered in order to evaluate behavior patterns; this technology is known as hooking. According to Optiv’s technical manager, Matthew Eidelberg, “hooking” is often described as “a technology that enables you to track while a computer program is running.”

image source: exambeam

Hooks are elements that allow hooking or elements generated by hooking, and they are found in an interface called a system call (syscall). As a result, it is possible to run processes that communicate with the operating system, such as requesting resources like memory allocation or file creation.

According to Eidelberg, most EDR products begin inserting hooks into syscalls as soon as the user runs the software. The EDR agent on the endpoint node will track all processes running on the device and identify changes using these hooks. EDR agents compile this data (data gathered by hooking) and send it to the EDR developer’s website for further review.

The issue here is that the hook remains in the world of the recipient. As a result, when a process is created, everything created in the memory field has the same rights as the process’s creator. According to Idelberg, “this ensures the malicious code has the same rights as device DLLs.”

As a result, by exploiting the hooks in the device DLL, the attacker can prevent the malicious code from being detected and blocked by EDR products’ detection and blocking technologies. Furthermore, since the hook is in the system call, attackers will generate malicious system call functions and insert them into the process. In this case, the operating system runs the malicious code of the attackers. This malicious elements will not be detected by EDR products. As a result, neither tracking nor hooking are feasible.

They have published exploits that show how they can insert malicious payloads into endpoints that harm their goods in a study ( optiv insights/source zero/endpoint detection and response how hackers have evolved).

An intruder, according to this, needs a way to gain access to a remote endpoint. In other words, it is currently impractical to achieve the first penetration by Optiv’s proposed’structural defects.’ Optiv emphasized that there are flaws that anyone who successfully infiltrated the first time will use to initiate a second attack. Furthermore, the findings of this analysis have little bearing on EDR solutions that operate in the kernel domain. “Attackers have a hard time getting to hooks in the kernel domain. It’s difficult to execute code in kernel space.”

“An active campaign is underway to assist EDR businesses in understanding this form of attack,” Eidelberg said. “In reality, several businesses have revamped their products to integrate Hooking’s technologies to detect device DLL manipulation. Some vendors have completely moved hooks to the kernel. However, it will take some time for these movements to be accepted by all users.”

As a result, consumer organisations can communicate with the suppliers of the EDR products they’re actually using, and Idelberg advises them to develop detection technologies other than EDR. “Only attackers who have successfully infiltrated will exploit this flaw. You won’t be able to do attacks that circumvent the EDR and plant ransomware if you are more careful of this first time intrusion.