Common Endpoint (NGAV/EDR) Mistakes And How To Avoid Them

We perform hundreds of offensive security engagements such as penetration testing and red teaming every year. During these engagements, we commonly exploit vulnerabilities to obtain some initial level of access and perform post-exploitation to demonstrate what an attacker could do and how far they could go. Along the way, we have encountered just about every security control imaginable: IPS, WAF/RASP, NGFWs, deception, anti-reconnaissance, and last but not least, endpoint security software such as EDR and NGAV solutions.

I’ve witnessed our team evade what I consider to be even the most advanced and effective endpoint security controls on the market. We’ve been up against the majority of endpoint security solutions available in a wide variety of situations. In almost every case, our team finds a way to bypass or work through these controls.

Despite grandiose claims and aggressive marketing by vendors desperately trying to grab market share in a very crowded space, the reality is that any endpoint security solution can be beaten given proper time and resources. History has proven that security controls can and will be bypassed, and endpoint security controls are no exception.

Are some endpoint security controls not as effective as the vendor claims them to be? Are some vendors better than others? Are there gaps in the deployment of these solutions? Are they misconfigured? The short answer is yes on all counts. The real questions are “why” and, more importantly, “what” your organization can do to avoid the issues we often encounter with endpoint security solutions.

I’ll attempt to answer these questions in two parts below: the first focuses on issues we see in the deployment, configuration, and ongoing management of various endpoint security solutions; the second covers how to properly evaluate and ultimately select the correct solution for your organization.

Endpoint security software issues that we take advantage of during offensive engagements

Deployment Coverage Gaps

  • Most organizations don’t have endpoint security controls deployed everywhere within their environment.
  • We often find and exploit systems that have no endpoint security software running. Even in environments where 98% of systems are covered, we locate and use the other 2%.
  • You might be surprised at some of the systems that we often encounter with no NGAV or EDR deployed on them:
    • Domain Controllers
    • Database Servers
    • DMZ Servers
    • Linux Servers
    • Citrix / Other Remote Access Services
    • Third-party systems not internally managed
  • Organizations often don’t have a real-time mechanism in place that identifies all systems in the environment that do not have endpoint security software installed, or on which the agent is not reporting or otherwise exhibits issues.
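The coverage gap above is, at its core, a reconciliation problem: the set of hosts your organization knows about versus the set of hosts the endpoint console knows about and is actually hearing from. The script below is an added example, not code from the original post or from any vendor's product. It assumes two exports, an asset inventory and an EDR agent list, and the hostnames, timestamps, and statuses in it are constructed sample data. It reports hosts with no agent, hosts whose agent has not checked in within a threshold, hosts whose agent reports an unhealthy status, and agents the inventory has never heard of (a gap in the inventory itself).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (an assumption for this example): what an asset
# inventory export and an EDR console export might look like after parsing.
INVENTORY = [
    {"hostname": "DC01", "role": "Domain Controller"},
    {"hostname": "SQL02", "role": "Database Server"},
    {"hostname": "DMZ-WEB1", "role": "DMZ Server"},
    {"hostname": "LNX-APP3", "role": "Linux Server"},
    {"hostname": "CTX-GW1", "role": "Citrix / Remote Access"},
    {"hostname": "WS-1044", "role": "Workstation"},
]
EDR_AGENTS = [
    {"hostname": "dc01", "last_seen": "2024-01-10T08:00:00Z", "status": "healthy"},
    {"hostname": "ws-1044", "last_seen": "2024-01-10T07:55:00Z", "status": "healthy"},
    {"hostname": "lnx-app3", "last_seen": "2023-12-20T03:00:00Z", "status": "healthy"},
    {"hostname": "ctx-gw1", "last_seen": "2024-01-10T08:01:00Z", "status": "sensor_error"},
    {"hostname": "lab-vm9", "last_seen": "2024-01-10T08:02:00Z", "status": "healthy"},
]
NOW = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility
STALE_AFTER = timedelta(days=7)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_report(inventory, agents, now=NOW, stale_after=STALE_AFTER):
    """Reconcile inventory against agent check-ins and classify each gap."""
    by_host = {a["hostname"].lower(): a for a in agents}
    report = {"missing": [], "stale": [], "unhealthy": [], "unknown_to_inventory": []}
    inventory_names = set()
    covered = 0
    for asset in inventory:
        name = asset["hostname"].lower()
        inventory_names.add(name)
        agent = by_host.get(name)
        if agent is None:
            # No agent at all: the 2% an attacker goes looking for.
            report["missing"].append((asset["hostname"], asset["role"]))
            continue
        covered += 1
        if now - parse_ts(agent["last_seen"]) > stale_after:
            # Installed but silent: effectively uncovered, and easy to miss on a dashboard.
            report["stale"].append((asset["hostname"], agent["last_seen"]))
        if agent["status"] != "healthy":
            report["unhealthy"].append((asset["hostname"], agent["status"]))
    # Agents the inventory does not know about point at a gap in the inventory.
    report["unknown_to_inventory"] = sorted(h for h in by_host if h not in inventory_names)
    report["coverage_pct"] = round(100 * covered / len(inventory), 1) if inventory else 0.0
    return report


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, EDR_AGENTS).items():
        print(f"{key}: {value}")
```

Running this on the sample data flags the database and DMZ servers as having no agent, the Linux server as stale, and the Citrix gateway as unhealthy; note that the headline coverage figure still reads 66.7%, because a stale or broken agent counts as "installed" in most consoles. Scheduling a comparison like this against live exports is the real-time mechanism the bullet above refers to.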

Configuration Issues
  • Policies are too complicated; many policies for many different types of systems
    • What starts as organized becomes a mess over time. Too many different policies become difficult to manage.
  • Policies and configurations are often not tested offensively, in real-world conditions
    • What the sales engineer provided for your evaluation, and what you need are two different things.
    • We often find gaps in these configurations on penetration tests even when a proper solution is deployed. It’s not that the solution is inadequate, the configuration is.
  • Exclusions/Exemptions
    • These are often lax and there are typically too many of them.
      • Exclusions/exemptions that apply across all hosts in the environment.
        • For example, wildcard directories and files: “*/tools/*” or “C:\Windows\System32\*”
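Broad exclusions like the two quoted above are easy to spot once a policy export is checked mechanically rather than by eye. The script below is an added example, not code from the original post or from any vendor's console; the exclusion entries and scope names in it are constructed sample data, and the warning rules are assumptions chosen to reflect the patterns called out in this section. It normalizes each pattern, flags the shapes that tend to be too broad, and includes a helper that shows which concrete paths a pattern would actually exempt from scanning.

```python
import fnmatch

# Constructed sample policy export (an assumption for this example).
SAMPLE_EXCLUSIONS = [
    {"pattern": r"*/tools/*", "scope": "all_hosts"},
    {"pattern": r"C:\Windows\System32\*", "scope": "all_hosts"},
    {"pattern": r"*.ps1", "scope": "all_hosts"},
    {"pattern": r"C:\Users\*\AppData\Local\Temp\*", "scope": "workstations"},
    {"pattern": r"C:\Program Files\Vendor\agent.exe", "scope": "db_servers"},
]

# Whole directory trees that should essentially never be excluded outright.
BROAD_ROOTS = ("c:/*", "c:/windows/*", "c:/windows/system32/*",
               "c:/program files/*", "c:/users/*")
# Path segments that are writable by ordinary users, so excluding them means
# anything a user (or a process running as one) drops there goes unscanned.
WRITABLE_SEGMENTS = ("/temp/", "/tmp/", "/appdata/", "/downloads/", "/users/")


def normalize(path):
    """Fold separators and case so Windows and Linux patterns compare alike."""
    return path.replace("\\", "/").lower()


def audit_pattern(pattern):
    """Return a list of reasons a single exclusion pattern looks too broad."""
    n = normalize(pattern)
    findings = []
    if n.startswith("*/") and n.endswith("/*"):
        findings.append("directory-name wildcard matches that folder name anywhere on disk")
    if "/" not in n and n.startswith("*."):
        findings.append("extension-only exclusion applies to every path")
    if n in BROAD_ROOTS:
        findings.append("excludes an entire system directory tree")
    if any(seg in n for seg in WRITABLE_SEGMENTS):
        findings.append("covers a user-writable location")
    return findings


def audit_exclusions(exclusions):
    """Audit a whole policy; broad patterns applied to every host rank highest."""
    results = []
    for entry in exclusions:
        findings = audit_pattern(entry["pattern"])
        if not findings:
            severity = "ok"
        elif entry["scope"] == "all_hosts":
            severity = "high"
        else:
            severity = "medium"
        results.append({"pattern": entry["pattern"], "scope": entry["scope"],
                        "severity": severity, "findings": findings})
    return results


def would_exclude(pattern, path):
    """True if the exclusion pattern would exempt this path from scanning."""
    return fnmatch.fnmatchcase(normalize(path), normalize(pattern))


if __name__ == "__main__":
    for r in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"[{r['severity']}] {r['pattern']} ({r['scope']}): {'; '.join(r['findings']) or 'no issues'}")
    print(would_exclude(r"*/tools/*", r"C:\Users\bob\Downloads\tools\unknown.exe"))
```

The `would_exclude` helper is the part worth keeping around: before approving a new exclusion, check it against a few paths you would never want to go unscanned, and if it matches any of them, narrow the pattern (a specific signed binary or a vendor-owned directory on the specific hosts that need it) rather than approving it as written.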

Ongoing Management Issues
  • It’s common to see many events that are not being triaged
    • Alert fatigue translates into critical alerts being lost in the noise or worse, observed but ignored.
  • We often see that there is very little ongoing management or maintenance of these solutions after they are deployed
    • “Set it and forget it” isn’t a valid strategy, yet we see this ALL THE TIME.
    • You need to read release notes to understand what is changing and why.
  • Agent Updates
    • Most solutions can automatically upgrade agents on endpoints.
    • However, there are issues in almost every environment that need to be addressed.

You may have the wrong solution
  • A panacea does not exist today, not even close, but some solutions are better than others.
  • Many of these endpoint security solutions are getting better, and on a given day/week, one is better than another.
  • Still, we encounter some vendors’ products that are terribly deficient and far behind the pack.

My thoughts on the endpoint security solutions landscape

The buyer still needs to beware

Although we have seen some much-needed improvement and maturity in the endpoint security solutions space, at the end of the day vendors want to sell you stuff and their salespeople are under pressure to do so. It’s not uncommon for these vendors to make inflated claims about their solution.

Some solutions are better than others

“Better” is a subjective term. My definition of “better” in this case refers to how well the solution detects and protects endpoints against real-world threats. It also takes into consideration the amount of effort it takes an organization to maintain the solution. If you can’t realistically manage a solution in your environment, the efficacy is irrelevant.

The effectiveness of endpoint security solutions changes rapidly

Much like with legacy endpoint AV solutions, it’s all a moving target. A solution that is stellar today can be deficient tomorrow. Since attacker TTPs change rapidly, vendors must play catch up constantly, and some do that better than others. Still, no vendor is perfect.

Recommendations for selecting the right endpoint security solution for your environment

  • Reference MITRE’s ATT&CK Evaluations at https://attackevals.mitre.org/
    • This is a great, objective, and free resource to understand the differences in efficacy across endpoint security solutions within the context of common attacks.
  • Consider a “bake-off” between multiple endpoint security solutions within your environment.
    • Most of these solutions are very easy to test. They usually consist of a cloud-based console and an agent. Use that to your advantage and see how they perform in your environment.
    • Start with attempting execution of common, open-source implants and payloads. Then work into obfuscation and bypass techniques.
  • A third-party evaluation of solutions
    • Before you buy a solution, engage an objective third party (not your reseller) with offensive skills to help you test the efficacy of the solution(s). A few days of attempting various payloads against a solution can be very revealing.
  • Ask your vendor to provide multiple references of similar size and vertical to your organization.
    • This seems basic, but so few companies ask vendors for references and follow them up.
    • Ask the references about their experience, both positive and negative, with the solution.
    • Inquire about the challenges they have encountered in operationalizing the solution.
  • Match the solution you select to your team’s capacity
    • Most security teams are already extremely busy. Some solutions take more time to manage on a day-to-day basis.
    • Make sure to take your current workload into consideration when selecting an endpoint security solution.

Hopefully, you found this information useful to you and your organization. If you have any questions or need any clarification regarding anything in this post, please feel free to contact me.