How Threat Actors Are Killing EDR (and What You Can Do About It)

Your organization’s EDR tools are good. They’re so good that attackers have shifted their techniques to evade them.

Instead of dropping malware on an endpoint to get inside an organization, threat actors are increasingly exploiting compromised credentials, software vulnerabilities (including zero-days), supply chain attacks, and weaknesses in cloud security to gain initial access. In fact, the number of cyberattacks that started with malware dropped from 60% in 2019 to 25% in 2023, according to The CrowdStrike 2024 Global Threat Report. (See our summary of the CrowdStrike report.)

Let that number sink in: only 25% of attacks observed by CrowdStrike in 2023 started with malware.

As attacks progress, threat actors are finding creative new ways to not only circumvent EDR controls on devices they seek to compromise, but to outright kill those controls as they move laterally across an organization’s network, according to the June 2024 CyberThreat Report from Trellix.

Trellix points to two EDR killer tools in its June 2024 CyberThreat Report: one used by the D0nut ransomware gang and another known as “Terminator” that was used in an attack campaign targeting telecom companies in January 2024.

How EDR Killer Tools Work

Trellix reports that the Terminator EDR killer uses a vulnerable Windows driver, CVE-2021-31728, that’s part of the MalwareFox anti-malware product from Zemana “to execute arbitrary code from within the Windows kernel.” Other EDR killers, including Aukill and TrueSightKiller, work in a similar manner, where they leverage vulnerable drivers to execute malicious code at the kernel level.

The uptick in EDR evasion and disabling techniques reported by Trellix, CrowdStrike, and others has prompted some cybersecurity experts to suggest that organizations are over-reliant on EDR. As John Fokker, the Head of Cyber Threat Intelligence at Trellix, put it in the June 2024 CyberThreat Report, “...if EDR is taken offline, what’s an organization and their CISO to do?”

RevealX: Your Next Essential Line of Defense

When attackers disable or otherwise get around your EDR controls, RevealX™ NDR can give your organization visibility and detection capabilities to stop the attack that you can’t get from your SIEM, IDS/IPS, or firewall.

RevealX monitors an organization’s network traffic–both north-south and east-west, and even encrypted network traffic–in real time, and it sits out of band, so it won’t degrade network performance. It captures transaction logs, netflow data, and full packets across more layers of the network (OSI layers 2-7) than competing NDR solutions, and it stores this data for 90 days to facilitate investigations and root cause analysis.

Full packet capture fuels more accurate detections and accelerates response by providing richer context and metadata about what’s happening on an organization’s network. With RevealX, you can tell what every packet is doing anywhere on your network at any given time: where it’s going, where it came from, and what is being said across both sides of the conversation. This definitive level of detail is particularly helpful to organizations that need to comply with rigorous incident reporting regulations.

RevealX then applies cloud-based machine learning to network data to distinguish suspicious network behavior from normal, benign traffic. In addition to behavior-based machine learning detections, RevealX provides four other layers of network-based detection, including network indicator detections, routinely exploited vulnerability detections, and emerging exploit and signature-based network malware detections through its IDS module (see image below).

The five layers of network-based detection provided by RevealX

RevealX NDR: The Best Kept Secret in Cybersecurity

Security sensitive organizations have made RevealX a cornerstone of their security architectures because they understand the unique combination of passive network monitoring, full packet capture, protocol fluency, and decryption is an attacker’s worst nightmare.

As one of our customers, a security executive for a large insurance company, recently put it, “I’ve always been an advocate for looking at network-level data, and I’ve always said that from an attacker’s perspective, the one place where they can’t change what’s going on is on the network. Once an attacker compromises a host, you can’t trust what you see, but anything that passes the network is 100% real, and that’s how you catch attackers and figure out what they’re doing.”