What is Advanced Endpoint Detection & Response and why do you need it?

During the halcyon days of the 80s and the 90s, the biggest threat to computer security was the humble virus.

Networking and internet access weren't common, so these naughty programs, typically made by bored computer nerds looking to show off their programming prowess, spread mainly via floppy disks and the odd bulletin board system. The virus would attach itself to your computer’s files so when you copied a file and gave it to someone else, their files would become infected too - replicating itself in a new host like a biological virus. Most of the time these viruses would delete data, corrupt system files so the computer didn't work properly, or prank the user of the computer with a funny joke, poem or pithy message. It was a more innocent time.

30 years later and "viruses" are vastly more serious. So much so, they're no longer called viruses, as the way they spread and manipulate data has changed. Malware is now the overarching term used to describe software engineered to do something nasty to a computer and, dear reader, there are so many damn types of malware to familiarise yourself with:

Ransomware

Also called a cryptolocker, once on your computer it encrypts all your data but doesn't provide you a key to unlock it. Crooks then contact you asking for large sums of money in the form of Bitcoin or other cryptocurrencies for the decryption key. At best, if you don’t pay, you’ll need to restore from a backup. At worst, your files are locked up forever, effectively deleting them and disrupting business until new systems are set up. Ransomware is incredibly lucrative for hackers and is one of the highest cyber security risks right now. In fact, you can read more about one of our clients who experienced a cryptolock attack and the fallout from that in our blog here.

Spyware

This nefarious piece of software sits in the background collecting data on you and sends everything it harvests back to the hacker that operates the software. They then use that data to either blackmail you or combine it with other public information to guess their way into your accounts. Data collected can include websites you visit, the contents of any communications between you and others and documents/photos/videos stored on your device.

Trojan

Like the wooden horse used against the ancient city of Troy, trojans are applications that trick their way onto your computer by pretending to be something else. This is a common way to get malware like ransomware or keyloggers on to your device. RATs (Remote Access Trojans) are a common type of trojan that, as the name implies, let a hacker remotely control a computer and are often associated with “revenge porn” blackmail scams or ex-employees looking to extort a business.

Keyloggers

Similar to spyware but designed to monitor everything you type. Every keystroke is sent back to a hacker who then looks for patterns in the text like netbank.com89078passw$rd. Even in a massive chunk of text containing all the letters and numbers you type over the course of a week, that pattern shows you just logged in to your internet banking (netbank.com), along with the username (89078) and password (passw$rd).

Rootkits

Think of a rootkit as "God mode" on a device. Rootkits wiggle their way in like other types of malware (phishing emails, social engineering, etc.) but manage to obtain "root" or administrator access on a device, then use that high level of privilege to embed themselves in areas of the device where removal is extremely difficult or impossible, which can ultimately mean a new computer is required.

Advanced Persistent Threat (aka APT)

APT is a broad term for “a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period”. These hackers are using bespoke tools and the latest exploits that are unknown to most security researchers, which are so valuable that they’re usually reserved for high-value targets such as activists, governments, law enforcement and so on.

Adware

Unlike the previously mentioned forms of malware that typically want to do something malicious, adware is relatively boring. All it wants to do is show you ads, or automatically click on ads. This generates money for the hacker via various online advertising networks. While relatively benign, adware can be incredibly annoying with popups, website redirection and general device performance degradation.

Cryptojacking

Mining cryptocurrency is a resource intensive job, often unprofitable once the cost of electricity is factored in. Hackers install cryptocurrency mining software on someone else's computer, which costs them nothing, then direct the fruits of that device's labour to their own cryptocurrency wallet. One computer might not achieve anything profitable, but scale it out to thousands and don’t pay for electricity and it becomes quite lucrative. A hallmark of this attack is an extremely slow, loud and hot computer.

Botnets

If you're a hacker wanting to carry out a denial-of-service attack, mass scale advertising fraud or a successful spam campaign, you need tens of thousands of computers. Paying for them would cost a fortune and they would be easy to block at the network level if they’re all with the same host, so what do you do? Install malware on random computers around the world using automated tools and use that malware to control them en masse - that group of computers is called a botnet.

With all the various ways to do damage at a hacker's disposal, it's no surprise that the humble anti-virus software employed on most devices simply isn't up to the task of detecting this new and wild world of malware. The best defence is not allowing this crap on your device in the first place, but it's inevitable something will slip through and that's where Endpoint Detection and Response (aka EDR) software comes into play.

An EDR is much more than a fancy anti-virus. There are so many new pieces of malware popping up daily that it’s likely even the best maintained EDR or anti-virus will miss something, and a breach is inevitable. With this design philosophy in mind, an EDR sets up defences and implements safeguards so even if the worst happens, the fallout is limited.

Some basic tasks of an EDR include:

Continuous Data Collection and Analytics

The EDR software learns what normal operation is on your device (logged in users, running applications, installed drivers, system load, etc.) so when something unusual pops up, it does something about it. Vendors of EDR software collect samples from a wide range of customers to get a picture of what "normal" is and use that data to train machine learning algorithms.

Real-Time Detection

An EDR works in real-time so it's always running to spot anomalies caused by cyberattacks. It uses the collected data to establish a baseline, so as soon as something unusual happens, like a phishing attack, malware disguised as a business application or a brute force attack on your infrastructure, the EDR can alert you or, if there's a strong indicator of malicious activity, take steps to automatically intervene.

Automated Threat Response

Rather than waiting for something to happen, many EDR platforms will implement automated tasks to either stop a cybersecurity incident or remediate any damage done. This could include deleting suspicious programs/files, isolating processes, blocking internet connectivity to certain resources and restoring data from backups.
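As an added illustration (not code from this blog or from any EDR vendor), the sketch below shows the baseline, detection and response loop described above in miniature. The process names, launch counts and thresholds are constructed sample values chosen for the example.

```python
from collections import Counter

# Constructed sample telemetry: (parent process, child process) launches
# collected during normal operation. Not real data.
BASELINE = (
    [("explorer.exe", "winword.exe")] * 40
    + [("explorer.exe", "chrome.exe")] * 55
    + [("services.exe", "svchost.exe")] * 90
    + [("explorer.exe", "powershell.exe")] * 8   # everyday admin use
    + [("mmc.exe", "powershell.exe")] * 2        # rare but legitimate
)

def learn_baseline(events):
    """Continuous collection: count each parent->child launch and each child."""
    pairs = Counter(events)
    children = Counter(child for _, child in events)
    return pairs, children

def score(event, pairs, children):
    """Real-time detection: 0.0 means routine, 1.0 means never seen before."""
    _, child = event
    if children[child] == 0:
        return 1.0                       # program never seen in the baseline
    # Share of this program's launches that came from this parent.
    share = pairs[event] / children[child]
    return round(1.0 - share, 2)

def respond(event, pairs, children, alert_at=0.5, isolate_at=0.95):
    """Automated response: alert on unusual, intervene on strong indicators.
    Both thresholds are assumptions made for this example."""
    s = score(event, pairs, children)
    if s >= isolate_at:
        return "isolate"
    if s >= alert_at:
        return "alert"
    return "allow"

if __name__ == "__main__":
    pairs, children = learn_baseline(BASELINE)
    for ev in [("explorer.exe", "chrome.exe"),
               ("mmc.exe", "powershell.exe"),
               ("winword.exe", "powershell.exe")]:  # Word spawning a shell
        print(ev, score(ev, pairs, children), respond(ev, pairs, children))
```

A commercial EDR draws on far more signals than process launches, but the shape is the same: measure normal, score deviations, and reserve automatic action for the strongest ones.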

You've likely got a sort-of EDR already running on your computer, good old Microsoft Defender. It comes with Windows by default, costs nothing and includes the basics of an EDR like real-time scanning, basic phishing protection for Internet Explorer/Edge, parental controls and a built-in firewall. It's better than nothing, but a dedicated EDR will do a superior job and protect you from a wider array of threats - ransomware in particular.

To put into perspective why it's so important to have a solution that's capable of detecting ransomware, here are some facts:

The Australian Cyber Security Centre (ACSC) assesses that "ransomware remains the most destructive cybercrime threat". That's not paraphrasing, that's a quote. Of all the hacking nonsense they see, ransomware is what they want us to be the most aware of and ready for.

Compared to 2019/2020, the 2020/2021 reporting year saw a 75% increase in ransomware. Hackers don't care what industry you're in. All Australian industry sectors have reported ransomware attacks to the ACSC, with the education and training industry the highest reporting.

Coveware's Quarterly Ransomware Report found that despite organisations like the ACSC explicitly stating not to pay the ransoms associated with ransomware attacks, the average ransom paid in Q2 was US$228,125 and the median ransom paid was US$36,360.

The effects of a ransomware attack can be catastrophic. Some high profile examples of successful ransomware attacks include:

Maersk

The Danish shipping company was hit with the NotPetya cryptolocker in 2017. It hit "50,000 infected endpoints and thousands of applications and servers across 600 sites in 130 countries", bringing their operations to a halt, which in turn had a severe impact on global container movements. Maersk estimates this incident cost them US$300m to remediate.

University Hospital of Düsseldorf

Deployment of the DoppelPaymer ransomware kit led this German hospital to de-register from providing emergency care, with incoming patients being diverted to other hospitals. A 78-year-old woman suffering from an aortic aneurysm presented to the emergency department only to be turned away and diverted to a hospital 32km away. That delay in treatment led to her death.

Colonial Pipeline

One of the USA's largest fuel pipelines, servicing 45% of the US east-coast's fuel supply, was taken offline for six days by a hacking group called Darkside in 2021. It caused the price of fuel in the US to skyrocket and ultimately the pipeline operator paid the US$4.4m ransom to get the fuel flowing again.

After reading all that, it should be clear by now that protecting your organisation against ransomware is a good idea.

Windows Defender, bless its little digital socks, just isn't up to scratch. Neither is anti-virus software. Let's compare it to FortiTech's EDR platform of choice - Malwarebytes Endpoint Detection and Response:

  • Centralised cloud management console so you get a view of all your organisation's devices (aka endpoints) in a single area.
  • Phishing detection, so if a link or an attachment in an email isn't what it seems, Malwarebytes can prevent access and avoid installing malware.
  • Remote access brute force attacks are back in fashion with the rise of working from home. Malwarebytes can detect this activity and block it.
  • Superior threat detection in Malwarebytes often catches zero-day (i.e. fresh) malware that Defender can miss and provides live scanning of downloads.
  • Blacklisting and whitelisting of applications so only specific applications can run or known bad applications are blocked.

Unlike Microsoft's free Defender software, Malwarebytes costs money. Currently the price is $7.50 ex. GST per device per month.

EDR software should be installed on every device in your organisation, like desktops, laptops, smartphones, tablets and servers.

When applied to a few dozen devices it adds up, but running around the wild west that is the internet without a strong EDR like Malwarebytes is akin to leaving the doors on your car unlocked and the windows down, leaving it parked outside a bikie clubhouse all night and then acting all surprised next morning that the car is gone.

In 2023, with all the cybersecurity threats facing organisations, it's a small price to pay for an additional layer of protection.

That rounds up our blog on Advanced Endpoint Detection & Response. Feel free to check out our other blogs or call us on 1300 778 078 to discuss how we can help implement a cyber security strategy for your business.