In February 2022, EclecticIQ announced the EclecticIQ Endpoint Response 3.5.1 release. Endpoint Response is an osquery-based Endpoint Detection and Response (EDR) product which provides enhanced response capabilities on macOS in the 3.5.1 release.
EDR are not new to the endpoint security market. In today’s ever-changing threat landscape where polymorphic and fileless attacks are gaining prominence, Endpoint Protection Products (EPPs) and signature-based products, such as Anti-Viruses are unable to meet current security demands. Endpoint Detection and Response (EDRs) focus on detecting malicious activity instead of merely bad signatures. It is easy to detect bad signatures consistently but detecting harmful activity is not easy. So, if detection of bad behaviors is difficult, how does one respond to such threats?
To put things in perspective, let us take the case of MITRE Technique T1055 (Process Injection) to evade process-based defenses using a sub-technique (for example, Process Injection or Process Hollowing) in which a well-known process is launched with malicious code mapped into it. The commonly used rule to detect such behaviors would be to monitor parent-child relationships but such rules can (and will) trigger a lot of false positive alerts. Triaging each of these alerts requires additional data and context around the activity done by the parent and child processes. Streaming this amount of data, building context, and matching alerts with known indicators or signatures (offer the most definitive answer), is not an easy task and requires a lot of resources and leaves behind the gaps through which the attack can succeed. This is a daily conundrum that security practitioners struggle with!
We believe the answer lies in the R of EDR. The R is somewhat misunderstood with a unidimensional connotation of remediation to it; rather, it is an offensive action in response to an attack, for example, kill the process, delete the file, or isolate the endpoint and reimage it.
At EclecticIQ, we believe R has multiple components before the remedial action is initiated. This philosophy is incorporated in the design of our endpoint solution, and it is what makes us stand out in the market. Hence, it is a big deal for us that the 3.5.1 release provides response parity on all the supported operating systems.
Let us take you on this journey of deconstructing R in EclecticIQ Endpoint Response!
.png?width=1501&height=786&name=Deconstr_R_in_EDR_img2%20(1).png)
R is enRichment
If the telemetry on which behavioral rules are triggered is enriched with additional information that builds the context around the behavior (at minimal to no additional cost), it could significantly simplify an analyst's life. The EclecticIQ Endpoint Response agent (based on osquery) through its SQL interface allows this to happen quite easily. For example. the following simple query can be created to capture the telemetry that gives the parent-child relationship for every process created on the system.
select parent_process, path from win_process_events where action='PROC_CREATE';
This query provides the process and its parent's name. The name can act as an indicator on which a detection rule can be created for an alert depending on the threat intelligence feeds. Most EDRs would allow an analyst to do so in some form and then an interface upstream to create rules for alerting. However, as we have seen, this is only the needed component and not sufficient to perform timely detection.
In the EclecticIQ Endpoint Response agent, each process is identified by a globally unique ID and the agent captures a wide variety of events from all processes. Additionally, the agent acts as an extension to the osquery agent, enabling the power of osquery's SQL interface to capture the real time data collected by the agent exported through its 20+ additional tables.
With the additional tables of EclecticIQ Endpoint Response, above query can be created as follows:
select wpe.*,wfe.* from win_process_events wpe join win_file_events wfe on wpe.parent_process_guid=wfe.process_guid and wpe.action='PROC_CREATE';
Using this query, not only provides details of the parent-child relationship, but at the same cost we are able to collect the files (with their hashes) touched by the parent process. This allows an analyst to understand all the file system activity the process performed before launching a potentially suspicious process and significantly enriches the telemetry. The queries could be further enhanced by additional joins with the hash table to compute the hashes of the executables backing these processes.
But why stop at enriching a process creation activity with just the file events telemetry, when an analyst can enrich it with socket events, SSL events (preferred method for most malware to communicate these days), or any of the multiple real-time events supported by the agent? The same query can be extended to capture activities of child processes in the result. You can make the query extremely granular by using additional SQL constraints to monitor the launches of only well-known processes (such as, svchost.exe or cmd.exe).
The list could go on and on! The beauty of this extensible platform is that analysts can not only collect data on the behavior of interest, but can also enrich it at the same time with information needed for threat intelligence. Additionally, if the SQL syntax was not powerful enough, the osquery component of the agent provides for other enrichment options through decorator or discovery queries.
R is Reconnaissance (Investigation)
In most cases, the context created with relational telemetry is powerful enough to detect with high fidelity. But what happens if there are no bad signatures available? Or worst, what if there is no relational telemetry available because of how the operating system works?
Consider an example where a user is duped into inserting a malicious USB (such as Rubber Ducky) to steal credentials. The attacker then uses the stolen credentials to log into the network and install a potential backdoor malware as a service (that possibly disables the Anti-Virus) and enables data exfiltration or remote shell access.
Perhaps at a certain point, an EDR alert is triggered but due to the lack of relationships between these activities, it can be cumbersome to find the next link in the chain of events, especially if the EDR is limited in its ability to allow an extended, flexible, and easy to use query language.
With the embedded osquery agent of the EclecticIQ Endpoint Response agent, a wide variety of endpoint properties can be easily queried regardless of a relational starting point. These could be about:
- USB devices seen by the system
- Running (or installed services) on the system
- Scheduled tasks and their details of the system
- State of the anti-virus on the system
- Changes in the /etc/hosts file or any of the other 200+ data points which extensively cover every Persistence or Defensive Evasion tactics of the MITRE ATT&CK matrix.
The Live Query interface available in EclecticIQ Endpoint Response allows for this additional Reconnaissance in response to an alert. Although such an action can be scheduled with the existing queries, but it might not be necessary unless an alert is observed. This keeps the endpoint agent light and responsive. The decision is with the analysts using EclecticIQ Endpoint Response to choose the level of information they wish to collect automatically or on-demand.
R is Remediation
Response is about Remediation. Remediation may imply actions, such as deletion of an offending file or termination of a malicious process or could refer to complex stateful actions that may require a script to execute on the endpoint device. EclecticIQ Endpoint Response provides both sets of capabilities while ensuring extensibility of response actions for an Incident Responder. A responder can choose the response action from a library of existing out-of-box actions or can decide to create Batch, Shell, or PowerShell scripts to perform complex actions.
R is pRevention
Last but not least, attackers don’t stop at one endpoint or system. Instead, they run campaigns simultaneously. While indicators or signs from a system can help detect the intrusion, true value is gained when detection knowledge is used to prevent an attack from spreading. The blocking engine in EclecticIQ Endpoint Response enables you to do just that!
EclecticIQ Endpoint Response allows you to block file and registry operations and process launches. You can also terminate processes, as needed. Using blocking rules, you can configure the EclecticIQ Endpoint Response agent to prevent actions, operations, or events from taking place on a system.
EclecticIQ Endpoint Response enables accomplished community tools to come together, such as osquery with the EclecticIQ Extension that works like the Sysmon tool, detection engine with YARA, and scripting languages, such as Shell and PowerShell. To summarize, EclecticIQ Endpoint Response offers features that allow you to:
- Enrich telemetry data to make quick and informed decisions
- Perform diagnostics and investigate alerts to identify the issue
- Act on data by deleting files, terminating processes, and executing scripts
- Define rules to proactively block malicious actions from happening
It builds the foundation for a collaborative Endpoint Detection and eXtended Response platform!
To learn more, visit EclecticIQ Endpoint Response or contact info@eclecticiq.com
