Endpoint Detection and Response

EDR is designed to protect endpoints from malicious code and from intrusion by attackers. Unlike conventional anti-virus products, an EDR solution logs important activity on the endpoint and offers a wide range of options for resolving an incident.

Our Story

During a several-month analysis of its network traffic, a Czech banking institution detected several anomalies pointing to the possible presence of an attacker in its network. However, it could not tell whether these were false positives, and it had no tools at its disposal that could settle the question. The institution therefore contacted us to see whether we could help.

Together with the customer, we agreed to implement an Endpoint Detection and Response (EDR) solution to monitor suspicious activity on endpoints and servers and to determine whether the attacker had access to any of their internal systems. The solution was installed in the course of one morning, and by the afternoon we already had several results indicating the presence of an attacker on important customer servers.

We immediately configured a stricter detection mode on these servers to monitor their network activity, launched processes, and executed commands. Within two hours, this information let us confirm that the attacker had access to these servers, what he had been doing on them, and how he had entered the systems. Using EDR, we temporarily blocked all network communication from these servers and removed all of the attacker's remnants, including the backdoors he was using to access the systems.

Process logs revealed that the attacker had signed in through an RDP service reachable from the Internet, and that this was how he first entered the network. We identified the compromised account used for the sign-in and recommended that the customer change the passwords and reconfigure the RDP service so that it is no longer available from the Internet.

With the EDR solution, we obtained all the information we needed to track down the attacker and remove his traces from every infected system. Today the customer runs EDR as a replacement for its antivirus product, with monitoring performed by our Cyber Defense Center.

Solution Description

Products from the Endpoint Detection and Response (EDR) family are designed to protect endpoints from malicious code and from intrusion by attackers. Unlike conventional anti-virus products, an EDR solution logs important activity on the endpoint and offers a wide range of options for resolving an incident. With an EDR solution, it is possible to gather information about endpoint activity, such as:

  • parent processes,
  • commands entered at the command line or in PowerShell,
  • downloaded files and their reputation,
  • changes in the registry,
  • DNS requests and network communication in general,
  • changes in the file system.


With an EDR system, an analyst can connect remotely to the endpoint and force the termination of a malicious process, delete files or download them for detailed analysis, or even block all network communication on the infected machine.

When It Is Hard to Manage Internally

Correctly assessing every security event takes time and capacity. That is why we also offer the services of our SOC, the Cyber Defense Center: our analysts evaluate security incidents and can respond immediately when an issue occurs.

Key Features

  • Detection of exploits, common and fileless malware, and zero-day malware,
  • Analysis of running processes,
  • Detection of attacks misusing legitimate tools (e.g. PowerShell or WMI),
  • Detection of attacks using MITRE ATT&CK techniques,
  • Inspection of commands executed via CMD and PowerShell,
  • Discovering and blocking the attacker's attempts to penetrate the endpoint,
  • Creating custom YARA rules,
  • IoC search tool,
  • Ability to terminate a process or block network communication.

References

If you are interested in finding out more about how we work, don't hesitate to ask one of the following companies for a reference. They are a selection of recent references that have been approved for publication.

  • Expobank
  • PPA Controll