EDR Introduction
Generally, dwell time refers to the length of time an attacker is able to roam free on your network without being detected. It is a number calculated by adding the mean time of detection with the mean time of repair according to firewall. The average global dwell time in 2020 was 56 days that means that on average an attacker had nearly two months inside a network before being cut off. EDR is a tools that attempt to shorten that dwell time by detecting and responding to threats quicker and EDR focuses on detection and response at the endpoint level.
EDR stands for endpoint detection and response, and as an endpoint client that’s not just focused on the prevention of breaches, but in detection and mitigation that happens after the execution of malware has already occurred. In other words, detecting malware that the antivirus engine didn’t detect and the tools for containment or mitigation when those are detected.
Essentially, there as two types of infected endpoint, pre-infection and post-infection, Pre-infection is where your traditional anti-virus tools generally live. This might use tools like virus signatures and machine learning to prevent known malware from ever executing on the machine. However, as cyber security professionals know that this is not very effective, even the best antivirus engines are only known to block between 50% to 60% of the real world threats that we see on a daily basis. This is where we move to post-infection or post-execution tools, and in this stage is all about detecting and responding to threats that have already been executed on the machine.
For example, we know traditional antivirus is looking at signatures of known malware those signatures can easily be modified just enough to sneak past antibiotic signatures. However, if we look at the behavior of the malware itself, it does not change no matter how much the malware is obfuscated. This is where detection portion of post-infection comes into play by looking at the behavior of an unknown file once it’s executed.
If that behavior is highly suspicious or known bad, then we want to diffuse or contain it as much as possible. This is where we generally attack ransomware by trying to stop the unknown file from ever encrypting files on the disk. On the response stage which is where we automate playbooks and quarantine users, isolate devices or roll back changes depending on what our playbooks may dictate. A key component of the EDR process is the ability to use forensics to facilitate the threat hunting process.
This could be as simple as searching your EDR clients for a YARA rule or a specific process or combing through recorded events on the endpoint itself. This can vary from vendor to vendor, but most EDR tools record forensic data when the file passes the pre-execution phase. The forensic data could include metadata like OS processes that were modified when a file was open. This is fundamentally how many EDR vendors were able to assist in finding the impact of the SolarWinds License breach, by looking through common metadata across the infected endpoints.
The ultimate goal of the post-infection phase is to minimize the dwell time between when an incident occurred and when that breach was ultimately contained and remediated. In 2020 the average dwell time was 56 days which is actually down 28 from the previous year. In part because of the adaptation of EDR across so many organizations.
EDR Products
As an ultimate solution to leverage EDR on the network, Kaspersky EDR and Symantec EDR solution would be recommended. These products contain various features which can be enabled using specific licenses.