Explaining EDR & Proactive Threat Hunting...

An analogy to explain these essential cyber security requirements

Posted on 3 June 2016

border control and cyber security1

Necessity is the mother of invention, and with new breaches reported on a near-daily basis, the evolutionary arms race between hackers and cyber-defenders has led to the rapid disruption of the traditional managed security service provider (MSSP) market. As vendors scramble to stay relevant, this has led to a sea of sales messages and acronyms - including the advent of ‘EDR and proactive threat hunting’.

Breaking this down, we have EDR (Endpoint Detection and Response), the word proactive (the mainstay of copyright teams globally), and threat hunting (why wouldn’t you want that) … but marketing aside, what does this actually mean?

The easiest way to explain EDR and proactive threat hunting is to use an analogy. Let’s liken the corporate IT network to a country, and use the UK as illustration.

ID Check Point

The UK goes to great lengths to stop known foreign criminals entering the country.

There is the expectation that, individuals who are known to have performed illegal activities in the past, maybe a potential risk to society if allowed into the country. To mitigate this risk, the UK Border Agency check everyone’s passport arriving at international airports, and if there’s a match against the database, entry to the country is denied.

This is much like your traditional MSSP vendor monitoring an organisation’s internet ingress points for known or suspected ‘bad’ IP traffic. The danger is that, if the criminal has a new passport with a new name, they may be able to get through the border in the same way that a moderately capable attacker would spin up a new IP address or flip some bits in their malware to target an organization.  Indeed, in the 2015 Verizon breach report, over 80% of malware samples associated with breaches were unique to that organization.

Is that it then? Is any criminal with a new passport guaranteed to get through?

Behavior Analyzed

The answer is no. Thankfully, the UK Border Agency staff receive extensive training to help them spot suspicious behavior which may indicate that someone is not who they say they are.

In the same way, IT security vendors have evolved to address the problem with the widespread deployment of heuristics and behavioral analytics run against inbound files. For example – ‘This file says it does ‘x’, but actually hidden inside it does ‘y’ so it must be blocked’

The problem with this approach is that each vendor will plug just one or perhaps a handful of attack paths with its specific technology, and even then, being driven by automation, they cannot be accurate 100% of the time.

Breaches occur almost daily, week in week out from relatively unsophisticated attackers, proving this approach fails.

Alternative Entry Point

Going back to the original analogy, and taking the example of an advanced criminal who is well resourced and persistent. The criminal wants to get into the UK, and to guarantee their success at doing so, they plan to land deep inside the country, parachuting in, and thereby bypassing all border controls entirely.

If anyone did spot them on landing, they would have a new passport anyway. This is how modern cyber threat actors operate; they go straight for the users’ endpoints with custom malware in phishing campaigns, USB sticks or watering hole attacks, bypassing the security controls to establish a foothold on the network.

Eyes and Ears Everywhere

EDR and proactive threat hunting is different. It assumes that the above scenarios will play out, that the perimeter will be breached, and that compromise is inevitable.

In terms of border control in the UK, an EDR tool is the equivalent to the Border Agency going door-to-door to every single house in the country, every single minute, to check whether there is anyone new or different on the premises (anomaly based analysis).

This intelligence is then utilized by the Serious Organized Crime Agency (SOCA) to guide their agents through counties, into towns, narrowing down to streets, and ending up at the specific house where a new or different person is deemed to be – this is the equivalent to proactive threat hunting.

Once at the house, the SOCA agents need to determine where the person has come from (network traffic analysis) and what they have done since arriving (log analysis and further EDR).

Rather than just relying on a passport check at the airport.

While it unrealistic to implement these draconian controls in countries – after all, the analogy can only go so far, thankfully corporate networks are a different story. Managed EDR threat hunting services are readily deployable, and affordable, so the electronic ‘foreign criminals’ looking to infiltrate the enterprise has nowhere safe to hide.

To find out more visit Countercept at Infosecurity Europe – Stand B260.

Infosecurity Europe Logo white sm