EDR sheet, explained

August 7, 2016 in EDR

In my last post I published the EDR sheet; it generated quite a good response and I have received a lot of emails and some comments on Twitter which I was not able to answer today, but will follow-up on them soon.

It turns out that the sheet is actually useful to many people – and to my personal satisfaction the very common ‘thank you’ focuses on two aspects:

  • great collaboration
  • good list of questions to ask vendors

If you look at the sheet, the columns represent features that are a ‘must-ask’ category for any EDR solution. If you do IR, forensics, or even asset inventory using the EDR tool, many answers to these questions can often get swept under the carpet, but the reality is that they are actually the most important answers to cover. You want a tool that simply works and has the richest set of features.

Here’s a more detailed explanation of the columns:

  • Intercept Host Events – this is a difference between being able to detect suspicious activity on the spot (just in time) vs. post-mortem; if you intercept Windows API or system services and appropriate rules correlate data retrieved from these intercepted events as-they-happen you hold in hand a key to a very efficient threat hunting & detecting badness the moment it occurs; on the other hand, if the tool only offers post-mortem inspection, this is your good old forensics model at work; not good enough for today’s world
  • Volatile Data Snapshots (VDS) – while good old forensics may not be necessarily needed all the time, light forensics is very very welcome; and this includes gathering volatile data from the systems suspected to be in trouble; ability to pull this data quickly pretty much solves 99% of the IR tickets (commodity malware, PUA/PUP, near-miss type of events, etc.)
  • VDS based on Physical RAM analysis – the way you collect Volatile Data Snapshots is important; if you do it via Windows APIs, or even NT APIs it is always possible to subvert their results with hooking; if the solution takes a physical memory dump and then parses it (same as volatility, rekall, redline do), you are in for a really powerful IR solution – one that can detect the most sneaky malware today no matter how hidden
  • Physical Mem Dump acquisition – related to the previous point; if the solution can acquire a physical memory dump this is a big YES
  • $MFT dump acquisition or metadata extract – Same as physical memory, the ability to extract data about the file system directly from $MFT on NTFS systems is a big YES as well; it bypasses rootkits, ACLs, and also explores deleted and orphaned $MFT entries + potentially other hidden stuff (alternate data streams, extended attributes); the support for other file systems supported natively is very desired as well
  • Full Packet capture – pretty much self-explanatory; if the EDR can capture full packets which you then can analyze this is a big win; it’s very expensive though (storage-wise), so if this is a functionality than can be enabled on-demand it’s even better
  • Kernel Mode coverage – events happening on the system can be monitored on different levels; if the EDR intercepts these events on the kernel mode level (a bit of a simplification here by avoiding the topic of hypervisors, and VDIs), this is a big win; can help to detect dodgy kernel drivers, user-mode evasions, and other nasty stuff (OS file modification/replacement, MBR writing, writing of ADS and extended attributes, etc.)
  • Supports Sweeps (IOCs) – sweeps come handy if you want to look for very specific artifacts across the whole company; a file name, a process name, a Registry key/value, etc.; if the tool can do it with a few clicks, then it’s a big asset for the investigators; this particular column focuses on sweeps done by the vendor on regular basis f.ex. looking for web shells, APT, ransomware, etc.
  • Supports Custom Sweeps (IOCs) – as the above, except it allows you to define your own IOCs and also run them on regular basis
  • Supports queries – the EDR tool is mainly focused on IR, but it has a one, great feature which is a bit hidden – it’s a very good asset inventory + if properly supported, offers the best way to find programs, files, processes on them quickly; while IOCs are quite painful to develop (who likes XML), querying is intuitive and is similar to ‘googling around’:
    • show me all systems that have a process named ‘foo.exe’ currently running
    • show me all laptops that do not have the proxy client running
    • show me all systems where registry key/value for the policy XYZ has been changed to downgrade the security posture of the workstation
    • show me all users running torrent clients
    • etc.
  • Supports more complex queries – some tools offer queries focused on forensic primitives (process exists or not, file exists or not, etc.); others, support a bit more advanced logic f.ex. allow to cross-reference events – this comes very handy if there is a parent-child relationship between the events; something that immediately comes to mind is process spawning another process; ability to query for stuff like this is a big YES for any threat hunter
  • Does it send alerts? – I personally hate dashboards; they are hiding too many details, and we do need these gore details. if you want to act on something you need tickets with all the possible information in it; if the EDR can alert you on some ‘funny’ stuff going on, then you have a new efficient event provider for your IR ticketing system
  • IR capabilities when endpoint off premises – in the ideal world, everyone is connected all the time. in reality, people travel, use VPN (or not), go for holidays, their laptops get stolen, etc. etc. – the EDR tool should somehow take it into account and at least provide ‘Plan B’ capabilities; f.ex. it could take regular snapshots of volatile data which could be then stored on the EDR server; any attempt to analyze the offline system would redirect queries to that latest snapshot; not ideal, but better than nothing; it could also alert the IR staff when the system goes online again, or perhaps even let the user know (via SMS, or a voice message) that s/he should connect the system back to the network and contact IR team
  • Insider Threat Detection – there is always someone in a large company doing something ‘funny’; sending credit card data home, sending clients info home, sending proprietary code home, using external storage sites, and so on and so forth… if the EDR can somehow target suspicious activities of such individuals then it’s yet another win
  • Supports Asset Inventory – this is pretty much a built-in feature of any EDR; it’s just sometimes not very well exposed; having an EXPORT functionality at last for all the monitored devices + include their real status (agent installed, actually working, etc.) is going to help the IR team a lot
  • Historical data (f.ex. snapshots) – ability to compare snapshots of the same system taken at a different time (f.ex. every 24h) is a blessing; it could become a really BIG contributor to any threat hunting activities – imagine looking at diffs of the system, applying some regexes and discovering new suspicious files added to the system on daily basis; lots of potential here
  • Forensically sound? – if the EDR agent affects the investigated system, it contaminates it; for typical IR gigs it’s not a biggie, but if you need to run a full-blown investigation it could matter (especially if case is taken to court); the less intrusive the solution, the better; of course, practicalities often dictate what trade-offs are made; f.ex. if the memory dump is acquired, it’s hard to transfer it off the system; it’s too slow and too expensive; hence, many solutions acquire the memory dump locally (evidence contamination equivalent to a size of physical memory dump f.ex. if the system is 32G RAM, then file system gets contaminates with this large file!)
  • Self-Protection – EDR – same as AV- means nothing if it can be disabled, or bypassed; if the tool prevents regular users to mess around with it that’s already a win; if the protection is enhanced to prevent more advanced tricks (delete on reboot, add exclusions, etc.) – even better
  • Remediation capabilities f.ex. isolation, live console – this is just one column, but a very loaded question really… what can you do using the tool to remediate the system; can you take it offline? can you kill, or suspend a process? Can you remove the Registry key/value? Can you bypass watchdog threads re-creating malicious artifacts? etc.

The rest of the columns are feed-, plugin, and API- oriented. I will come back to them in another post.

As a side note, I will most likely transfer the sheet to Google Sheets – a number of people suggested it.

Comments are closed.