As hacking has gotten more destructive and pervasive, a powerful type of tool from companies including CrowdStrike Holdings Inc. and Microsoft Corp. has become a boon for the cybersecurity industry.
Called endpoint detection and response software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices – “endpoints” on a computer network — and block them before intruders can steal data or lock the machines.
But experts say that hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems.
For instance, in the past two years, Mandiant, which is part of Alphabet Inc.’s Google Cloud division, has investigated 84 breaches where EDR or other endpoint security software was tampered with or disabled, said Tyler McLellan, a principal threat analyst with the company.
The findings represent the latest evolution of a cat-and-mouse game that’s played out for decades, as hackers adapt their techniques to overcome the newest cybersecurity protections, according to Mark Curphey, who held senior roles at McAfee and Microsoft and now is a cybersecurity entrepreneur in the UK.
“Hacking security protection tools is nothing new,” he said, adding that “the prize, if successful, is access to all of the systems using them, by definition systems worth protecting.”
Investigators from multiple cybersecurity firms said the number of attacks where EDR is disabled or bypassed is small but growing, and that hackers are getting more resourceful in finding ways to circumvent the stronger protections it provides.
Microsoft in December disclosed in a blog post that hackers tricked the company into applying its seal of authenticity to malware, which was then used to disable the company’s EDR and other security tools on victim networks. Microsoft suspended the third-party developer accounts involved in the ruse and said the company is “working on long-term solutions to address these deceptive practices and prevent future customer impacts.”
In February, Arctic Wolf Networks detailed a case it investigated late last year where hackers from the Lorenz ransomware group were initially stymied by the victim’s EDR. The hackers regrouped and deployed a free digital forensics tool that allowed them to access the computers’ memory directly and deploy their ransomware successfully, bypassing the EDR, the company said. Arctic Wolf didn’t identify the victim or the affected EDR.
And in April, Sophos Group disclosed a new piece of malware the UK-based firm discovered that’s been used to disable EDR tools from Microsoft, Sophos itself and several other companies before deploying Lockbit and Medusa Locker ransomware. “EDR bypass and disabling security software is clearly a tactic on the rise,” said Christopher Budd, senior manager of threat research. “Because of the nature of this kind of attack, it’s particularly difficult to detect since it targets the very tools that detect and prevent cyberattacks.”
The market for EDR and other new endpoint security technologies grew 27% to reach $8.6 billion globally last year, led by CrowdStrike and Microsoft, according to IDC.
Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the growing number of attacks against EDR software shows that hackers “have been evolving.” Many of the attacks that CrowdStrike has tracked — against its products and those offered by competitors — involve misconfigurations of client systems or vulnerabilities deep in the software or firmware, signs that hackers are having to work harder to get into target networks, he said.
‘A race to the bottom’
“This is a race to the bottom of the stack,” Meyers said. “We’re trying to go lower and lower and closer and closer to the hardware, and the closer you get to the hardware the harder an attack is to stop.”
A Microsoft representative declined to comment for this story.
A decade ago, antivirus software makers were the dominant suppliers of security products for PCs and other endpoints. Their popularity declined as increasingly advanced attacks exposed the weaknesses of technologies that relied on analysts manually creating digital “signatures” of new strains of malware to block them, according to cybersecurity experts.
The rise of ransomware and other destructive attacks has spurred demand for EDR and similar technologies that aim to detect and block infections earlier. The tools look for more signals of malicious activity and automate many of the time-consuming tasks of investigating and remediating breaches.
One previously unreported incident that Bloomberg News uncovered occurred in October, when Copenhagen, Denmark-based CSIS Security Group investigated the breach of a European manufacturing company.
The hackers exploited a previously unknown weakness in Microsoft’s EDR, and they packaged the malware in such a way that it was detected by the security tool — which alerted the victim’s IT team that the attack had been blocked, according to Jan Kaastrup, chief innovation officer for CSIS who oversaw the investigation. But the hackers weren’t stopped and were able to roam the network for three weeks, he said.
The breach wasn’t discovered until the victim spotted data leaving its corporate network and contacted the Danish security firm. Kaastrup declined to identify the victim but allowed Bloomberg to review an anonymized copy of the incident report. The firm reported the issue to Microsoft, which declined to comment to Bloomberg about the matter.
The lesson from the recent incidents, he said, is simple: technology can only do so much against determined hackers.
“Security software cannot stand alone — you need eyes on-screen combined with technology,” he said. EDR “is much better than antivirus software. So for sure you need it. It’s just not the silver bullet that some think it is.”
By Jordan Robertson / Bloomberg