Bypassing EDR: The Evolving Tactics of Attackers

As enterprises bolster their cybersecurity measures, one of the most common defenses deployed is Endpoint Detection and Response (EDR). EDR solutions are designed to detect, investigate, and respond to suspicious activities on endpoints. However, as cyber threats grow more sophisticated, attackers continually develop new techniques to evade detection. In this ongoing battle against cyber threats, EDR remains a critical component of any robust security strategy. Nonetheless, to achieve comprehensive security and be prepared for breaches, additional strategies are needed to complement EDR and address emerging vulnerabilities effectively. 

Let Us First Understand How EDR Works 

EDR systems function by deploying agents on local devices across the network. Each agent operates independently, continuously monitoring its assigned device for suspicious activities and gathering detailed data. This information is sent to a centralized hub where it undergoes analysis. Advanced technologies such as artificial intelligence (AI) and machine learning (ML) are employed to process and interpret the data. The statistical models developed from this analysis help to detect potential threats in real time. EDR solutions offer ongoing monitoring and data collection to identify and address threats as they occur, providing valuable insights into endpoint activities and attempted cyberattacks. By examining processes, programs, and file access details, EDR software aims to prevent malicious activities and enhance the security team’s understanding of the threats targeting their organization. 

How Do Attackers Bypass EDR? 

1. Fileless Malware and In-Memory Attacks have emerged as some of the most sophisticated threats in contemporary cybersecurity. Fileless attacks evade detection by executing malicious code directly in system memory without creating detectable files on disk. This method allows attackers to bypass conventional security tools that rely on file-based scanning. Recent attacks have highlighted the growing prevalence and danger of these techniques. Researchers from the Wiz cloud security company discovered a Python-based fileless malware that was targeting cloud workloads in 2023. Dubbed PyLoose, the attack consisted of Python code that loaded an XMRig Miner directly into memory. The researchers said that they found approximately 200 instances of PyLoose being used for cryptomining. 
   

2. Living Off the Land (LOTL) represents a sophisticated and stealthy approach to cyber-attacks, where adversaries exploit existing system tools and legitimate administrative utilities to execute their malicious activities, thereby evading traditional detection mechanisms. Unlike fileless malware, which specifically avoids creating files on disk by operating entirely in memory, LOTL encompasses a broader range of tactics where attackers use legitimate system features for various attack phases. For example, the Astaroth malware, active since late 2022, showcases LOTL techniques by leveraging built-in tools such as PowerShell and Windows Management Instrumentation (WMI) for its operations. While Astaroth does employ fileless methods to avoid disk-based detection, its primary strategy involves using these legitimate utilities to execute commands and facilitate data exfiltration, blending its activities with normal system processes. This approach contrasts with traditional in-memory malware that focuses solely on executing malicious payloads in RAM, emphasizing the need for advanced detection methods that address both fileless operations and the abuse of legitimate system tools.  
   

3. Encryption and Obfuscation are advanced techniques employed by attackers to evade detection by security systems, particularly EDR solutions. By encrypting or obfuscating malicious payloads, attackers can obscure the true nature of their code, making it difficult for security tools to analyze and detect threats effectively. Encryption involves encoding the payload into a format that is unreadable without the correct decryption key, while obfuscation involves altering the code’s appearance or structure to confuse analysis tools and reverse engineers. Encryption involves encoding the payload into an unreadable format without the proper decryption key, while obfuscation alters the code’s appearance or structure to confuse analysis tools and reverse engineers. A notable example of these techniques in action is the Cluster Bomb campaign, which was observed in 2023. Attackers used sophisticated encryption to conceal their ransomware payloads and obfuscation to alter the code’s structure, effectively evading traditional security measures. The Cluster Bomb malware was encrypted with a complex algorithm that prevented traditional EDR systems from analyzing its contents during initial infection stages. Additionally, the attackers used obfuscation techniques to continually modify the code structure, making it challenging for security tools to recognize and respond to the threat. By employing these tactics, the Cluster Bomb campaign effectively bypassed conventional security measures, underscoring the need for advanced detection strategies capable of addressing both encrypted and obfuscated threats. 
   

4. Supply Chain Attacks involve compromising software or updates from trusted vendors to infiltrate target systems. By embedding malicious code within legitimate software or updates, attackers exploit the trust between vendors and their clients, making detection challenging for EDR solutions as the code appears to be from a trusted source. The 2021 Kaseya ransomware attack is a notable example of a supply chain attack where traditional EDR systems were effectively bypassed. Attackers exploited vulnerabilities in Kaseya’s VSA (Virtual System Administrator) software, which is widely used for IT management and monitoring. By embedding malicious code into a routine software update, the attackers distributed ransomware to Kaseya’s clients, impacting hundreds of organizations globally. The compromised updates were trusted by EDR solutions, which failed to flag the embedded malware as suspicious due to its association with a legitimate source. For a detailed breakdown of this attack, you can refer to PurpleSec’s breach report. 
   

5. Polymorphism and Metamorphism are two techniques used by malware to evade detection and analysis by security systems. Polymorphism involves the malware altering its code structure each time it executes, while maintaining its original functionality. This method enables the malware to generate unique instances of itself, making it harder for signature-based detection systems to identify and block it. An example of polymorphism is the Storm Worm, which changes its code each time it infects a new system, thus evading traditional antivirus detection. 
   
   Metamorphic viruses continuously alter their code as they spread, making it difficult for static signature-based virus scanners to detect them. This transformation can lead to a new class of malware that is statistically nearly undetectable. Additionally, these viruses employ code obfuscation techniques to complicate deeper static analysis and can even outsmart dynamic analysers, such as emulators, by changing their behavior when they recognize that they are being run in a controlled environment. 
   
   An example of a metamorphic virus is Z0mbie’s Win95/Zmist, released in 2000. This virus was known for its complexity and was described by experts as “one of the most complex binary viruses ever written.” Zmist employed entry-point obscuring (EPO) techniques, a polymorphic decryptor, and unique methods like code integration and inserting jump instructions between code segments. Its sophisticated camouflage made it highly effective against traditional detection methods, highlighting the challenges of advanced metamorphic malware. 
   

6. Rootkits represent a particularly insidious form of malware designed to evade detection by EDR systems through deep system infiltration. For instance, the LockBit ransomware exemplifies this technique by utilizing tools like TDSSKiller to silently disable EDR protections. LockBit employs rootkit techniques to manipulate system processes at a kernel level, effectively hiding its activities from traditional security measures. Similarly, the Linux stealth rootkit analyzed by Sandfly Security demonstrates how such malware integrates itself into the operating system, making use of advanced evasion methods to escape detection. These rootkits exploit vulnerabilities in EDR systems by operating below the radar of conventional monitoring tools. 
   

7. BYOVD (Bring Your Own Vulnerable Driver) is an advanced tactic used by cybercriminals to bypass EDR systems and other security measures. This method involves exploiting known vulnerabilities in legitimate drivers that are already installed on the target system. By leveraging these vulnerable drivers, attackers can execute malicious code or disable security features without triggering alarms. For instance, the recent RansomHub ransomware variant employs BYOVD to silently neutralize EDR protections by embedding its payload within vulnerable drivers, effectively evading detection. This technique underscores the growing sophistication of attack strategies and highlights the need for security solutions that can address not only new and emerging threats but also exploitations of existing, trusted system components. 
   

How Do We Defend Against EDR Bypass?  

Even with a robust array of security solutions deployed on endpoints—such as host-based firewalls, VPNs, intrusion prevention systems (IPS), data loss prevention (DLP) agents, etc. EDR systems can still be bypassed by sophisticated attackers. When EDR is circumvented, it signals that the compromised system is no longer protected. While immediate remediation options for the breached system may be limited, the larger concern is the risk of lateral movement by the attacker. This is where Pervasive Microsegmentation plays a crucial role. By segmenting the network, microsegmentation reduces the attack surface and limits the attacker’s ability to move laterally to other systems. For instance, if an attacker successfully compromises a single system (patient zero) and scans the network to identify additional targets, microsegmentation ensures that those identified systems remain isolated and secure, thereby containing the breach. This approach helps protect the rest of the organization and its critical assets, even when one segment is compromised. Embracing a zero-trust strategy, where a breach is assumed and containment is prioritized, enhances this protective layer. Microsegmentation offers a dual-layer defense strategy. Even if one segment is breached, the other segment still remains secure and continues to protect the network from the compromised segment. 

What else does microsegmentation provide: 

1. Contain Breaches: Limits the spread of threats within the network, reducing the impact of potential breaches. 

2. Minimize Attack Surface and Blast Radius: Reduces exposure by dividing the network into smaller, isolated segments. 

3. Enable Granular Controls: Provides detailed access controls and policies for each segment, enhancing security and reducing unauthorized access. 

4. Enhance Visibility: Offers deeper insight into network traffic and interactions, aiding in the detection of anomalies. 

5. Adapt Security Measures: Allows for flexible adjustments to security based on evolving threats. 

6. Isolate Threats: Restricts attacker movement within the network, protecting critical assets and sensitive data. 

7. Extend Protection: Safeguards applications and data beyond just the endpoint level. 

In conclusion, while EDR plays a crucial role in identifying and responding to threats at the endpoint level, their effectiveness can be complemented significantly by implementing microsegmentation. Microsegmentation adds an extra layer of defense by dividing the network into isolated segments, which helps to contain and limit the spread of breaches. This approach not only enhances the ability to manage and isolate threats but also ensures that even if an endpoint is compromised, the impact on the broader network is minimized. By integrating microsegmentation with EDR, organizations can achieve a more robust and comprehensive security posture, effectively protecting critical assets and adapting to the evolving landscape of cyber threats. Microsegmentation fortifies your defenses by creating resilient barriers that contain breaches and safeguard your network, making it a vital complement to EDR solutions. 

To discover how microsegmentation can enhance your security strategy and work seamlessly with your existing EDR solutions, contact us today.