Deploying EDR during or following an attack not only helps to contain the threat, but also limits propagation and improves visibility of the Information System.
From investigation to remediation, let’s take a closer look at the benefits of deploying EDR when a cyber crisis strikes an Information System.
During or after an attack: the perks of EDR
When an Information System (IS) is attacked, the actions to prioritize will depend on how the attack is detected, and its stage of progress.
Here are some examples of how a cyber incident can be identified:
- a security tool (other than EDR) detects the compromise of one or more workstations or servers;
- a security tool identifies a network attack at the edge;
- an internal user notices suspicious behavior on his workstation;
- the CISO or ISD are notified by a third party;
- a ransomware message appears on all or part of the computer system (here, the attacker has succeeded in his plan, but we shall see that the deployment of EDR is still relevant)…
In the event of a proven security incident, EDR can perform a number of different functions, depending on the situation.
Case 1: deploying EDR to counter an attack with no visible impact
In this case, the attacker seeks to infiltrate the IS undetected, generally for purposes of espionage, data theft, targeting external service providers (contractors, supply chains…), etc. EDR can then be used to monitor the attacker, in particular by adding context-specific rules, for example to track his movements, understand his objective, or make sure all of his entry points and backdoors are known before remediation.
However, the deployment of EDR needs to be approached with care: to catch the attacker off guard, you need to remain unobtrusive. There are therefore strategic choices to be made regarding the deployment method to make the most of EDR in this particular context. For example: deployment on parts of the IS where the attacker is not yet present, to monitor possible lateralization; deployment in detection mode without blocking at first…
Case 2: deploying EDR following an attack with visible impact
In the case of an attack with a visible impact, EDR enables you to investigate by collecting data, monitor your IS to guard against new incidents, and take remediation measures: a more proactive approach than in the case of an attack with no visible impact.
In the case of ransomware, for example, the need to deploy EDR may seem obvious, but the IS still needs to be in a state to do so. We also need to bear in mind the phenomenon of Shadow IT – increasingly widespread – which can raise additional questions, not least as to whether all endpoints will be properly covered if an EDR is put in place.
If it is not possible to deploy EDR in the traditional way, in particular via centralized deployment tools (GPO, SCCM…), in cases where the IS is no longer operational, more traditional methods may be necessary (USB key, machine by machine…).
In any case, deploying EDR at this critical stage will enable investigations to be launched to understand what the attacker has done: how he got in, what he may have exfiltrated… and limit over-infection.
Now that we’ve seen the different situations and the many questions that arise from them, let’s go a step further to understand the capabilities of EDR deployed on the fly. A true all-in-one tool to support analysts, it centralizes all the actions required to overcome an attack and reinforce IS resilience: collection, remediation and monitoring.
The role of EDR in supporting analysts’ work in the event of an attack
During or after an attack, cyber analysts can rely on EDR for investigation and remediation. In practice, as soon as it is deployed, it enables the following actions:
- Global or specific detection (by adding attack-specific rules and IOCs – IP or hash);
- Investigation to understand what happened, where the attacker went and what he is doing;
- Remediation, for example via:
  - file deletion,
  - process stop,
  - file quarantine,
  - deletion of services or scheduled tasks…
What’s more, EDR provides a level of visibility over the entire installed base that was inevitably lacking in the past (let’s take this opportunity to remind ourselves of the importance of IS mapping), which is useful insofar as an attacker generally seeks to lateralize into the IS.
In the context of an investigation, one of the most important points to validate upstream is the ability of EDR to be operational without restarting workstations. Restarting could result in the loss of data useful for investigations, such as traces left by the attacker. Losing these traces would make understanding the situation even more complex, in an already highly charged context.
Another point to consider: if EDR is deployed in response to an incident, the artifacts linked to the incident itself will be less exhaustive, and it will take longer to reconstruct all the actions linked to the attack.
This may require forensic analysis work, which would have been less time-consuming and tedious if EDR had been deployed before the attack occurred. The same applies if a SIEM was already in place before the attack: it helps to retrieve logs, but here too, the analysis work will be more time-consuming than it would have been with EDR. In fact, a SIEM collects very large volumes of data, not only from endpoints, and it is therefore necessary to process them in order to concentrate on those that are relevant in the context of the attack. In short, it’s far more strategic to include EDR in your cyber roadmap, rather than waiting for an attack to come along.
What’s more, once deployed, how does EDR protect the IS over the long term?
Limit the spread of a threat and anticipate future attacks with EDR
As we mentioned earlier, in addition to its detection capabilities, EDR offers the possibility of adding incident-specific IOCs and rules to limit propagation and amplify analysts’ visibility. With this in mind, HarfangLab’s EDR uses standard formats such as YARA and Sigma, already used by many CERTs. This makes it easy to learn, and any skills you build in these formats can be reused in other contexts.
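To make the incident-specific IOC sweep concrete, here is an added Python sketch (not HarfangLab code or its API) that matches hash and IP IOCs against endpoint events, then reports the order in which hosts were touched and which reporting hosts show no hit yet. The event field names, host names and indicator values are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed incident IOCs (placeholders, not real indicators).
IOCS = {"sha256": {"a" * 64}, "ip": {"203.0.113.45"}}

# Constructed, already-normalized endpoint events (hypothetical field names).
EVENTS = [
    {"ts": "2024-01-10T02:40:00", "host": "SRV-FILE01", "sha256": "a" * 64},
    {"ts": "2024-01-10T02:14:00", "host": "WS-014", "sha256": "A" * 64},
    {"ts": "2024-01-10T02:16:00", "host": "WS-014", "ip": "203.0.113.45"},
    {"ts": "2024-01-10T02:41:00", "host": "WS-022", "ip": "198.51.100.7"},
    {"ts": "2024-01-10T03:05:00", "host": "SRV-APP02", "sha256": "b" * 64},
]


def sweep(events, iocs):
    """Return {host: [(timestamp, ioc_kind, ioc_value), ...]}, oldest first."""
    hits = defaultdict(list)
    for ev in events:
        for kind, values in iocs.items():
            # Normalize case and whitespace so "A1B2..." matches "a1b2...".
            value = str(ev.get(kind, "")).strip().lower()
            if value in values:
                ts = datetime.fromisoformat(ev["ts"])
                hits[ev["host"]].append((ts, kind, value))
    return {host: sorted(rows) for host, rows in hits.items()}


def spread_order(hits):
    """Hosts ordered by first IOC sighting: a rough view of propagation."""
    return sorted(hits, key=lambda host: hits[host][0][0])


def unaffected(events, hits):
    """Hosts that report telemetry but show no IOC hit (protect these first)."""
    return sorted({ev["host"] for ev in events} - set(hits))


if __name__ == "__main__":
    found = sweep(EVENTS, IOCS)
    for host in spread_order(found):
        for ts, kind, value in found[host]:
            print(f"{ts.isoformat()} {host:<11} {kind:<6} {value[:16]}")
    print("no hit yet:", ", ".join(unaffected(EVENTS, found)))
```

A host with no hit is only clean with respect to the indicators known so far, so the sweep should be rerun as the investigation adds IOCs.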
In the event of a ransomware attack, the deployment of EDR can protect workstations that have not yet been affected. EDR also limits the risk of over-infection, when attackers attempt to encrypt the IS several times. A 2022 Cymulate study shows that 66% of organizations that are attacked are likely to be attacked again!
Finally, EDR also provides data for post-mortem analysis, so that you can learn from the incident and better protect yourself in the future!
“In the event of a machine (workstation or server) being compromised, isolation is an obvious reflex, but this action may not be sufficient, as a global approach is required. Isolation should not be seen as the end of remediation, as it is potentially the starting point or one of the steps in an investigation.”
Emeric Boit, Lead CTI – HarfangLab
In conclusion, if an attack occurs in the absence of EDR, it won’t be there to raise the alarm or identify the threat, but once deployed it will enable you to:
- contain the threat,
- facilitate investigations,
- support the work of analysts,
- optimize IS visibility,
- increase the level of protection against future attacks.
EDR deployment in the event of an attack: testimonial
“Our customer fell victim to ransomware deployed across the entire domain, workstations and servers, via two linked Active Directories. The situation was so compromised that we set out to save the furniture… but not the walls! We were faced with two scenarios.
Firstly, for the application servers, there was no question of redeploying them, so we installed EDR on the fly, very often by hand using the HarfangLab installer. We also had to recreate some of the servers from scratch, with EDR installed as standard, before migrating files that had not been encrypted. As for the workstations, they were installed via GPO.
EDR enabled us to search for threats by IOC, we were also able to search for local sessions that the attacker might have left behind, and we relied heavily on jobs to scan files with YARA as they migrated.
As far as applications are concerned (telephony, print servers, etc.), these are special environments where you can’t set up too restrictive a policy, otherwise nothing works. We therefore applied blocking policies on a case-by-case basis, and once all the necessary processes had been whitelisted, we configured everything else to block.
Finally, we applied the most restrictive policy possible to workstations, using Sigma rules and a maximum of telemetry. We then deployed protection scripts on the servers, via the HarfangLab API.
This feature is much appreciated by users and IS managers alike, as it automatically reinforces restrictions during weekends and non-working hours, and relaxes policies the rest of the time to allow business teams to use applications.
Overall, the solution is very easy to learn, and the interface is perfectly clear. As soon as EDR is deployed, all the information needed for investigation and remediation comes up, and it can also be used to launch scans. This is reassuring, especially in the heat of the moment when you need to act very quickly. An attack is a trying time, and having a tool that’s easy to get to grips with helps to limit stress and save time – that’s really valuable!”
Nicolas Zisswiller, Managing Partner & Olivier Moreau, Devops – Aktea