Remaining Invisible in the Age of EDR

May 25, 2021

EDR products are becoming a necessary solution in the security stack. In this session you will learn the shortcomings of EDR, so you can make informed strategic decisions. Threat actors often operate with a black-box mentality, utilizing techniques and procedures that, with high success, will not be detected by a wide spectrum of anti-malware controls, rather than avoiding detection by a specific set of controls. This shift in thinking has yielded new, very sophisticated techniques to evade detection on disk and in memory. These techniques extend beyond the traditional initial compromise vectors and are often utilized across all post-exploitation techniques to prevent any type of detection. With these advanced attacks, the landscape has had to shift from looking for signature- and heuristic-based threats to detecting behavioural ones. With next-generation EDR products deployed to detect all of these bleeding-edge techniques, how are attackers still so successful? We’ll start by examining the issues that ALL EDRs face in their current deployment and how hackers can take advantage of this to completely bypass the product and blind it to their malicious activities. We will look from the perspective of EDRs as a whole; most of these flaws are present in all of them. Once we understand the systemic issues and how attackers can abuse them, we’ll focus on several techniques developed and deployed in the wild that are highly successful. We’ll conclude with some new techniques that will be introduced in ScareCrow 2.0, being released after the talk.