...

Extortion criminals first focused on the speed of their attack, to turn the latency into a liability. This is expressed during attacks in a couple of ways. The first is that the attackers sped up their efficiency to ensure that irreversible attack actions were completed before the analytic server could respond. We see that a great deal on tightly scoped tasks, such as credential theft, where small pieces of very important data such as passwords are gone (to the attacker's server) in a flash.

It is really important to note here that we are discussing detection and response strategies which, by their nature, wait for the attack to be underway. A non-cybersecurity analogy would be the more desirable detection of bank robbers outside the bank, and locking the door, versus the less desirable stance of the bank relying on taking action before the robbers can steal too much money, or, with extortion, take too many hostages.

Longer running tasks like encryption required a combination of speed with 2 other tactics: parallel and distributed computing. The attackers realized that running multiple extortion programs on a system meant that any endpoint security tool had to inspect the behavior of each process, which takes time. So, if 5000 files could be accessed at one time in parallel on a system instead of 500 with one program, that's much better for the attacker. In fact, many endpoint security solutions are set up to inspect one program, wait for that inspection to finish, then move on to the next one.

The extortionists do not have 10, 25, or 50 malware programs running on just one machine, though. They leveraged distributed computing methods to have the extortion run on many machines all at the same time. The most Cyber Crucible has seen at once was around 75 machines. Now any type of security tool has to inspect 50 programs across 75 machines, so 3,750 programs. That in itself is not a challenge for cloud computing, but remember that each program is, in the meantime, encrypting up to thousands of files per second.

As if this isn't bad enough, some attackers began implementing a chess-like strategy, in which the extortion tools were monitored and controlled locally by a parent "commander" program. This commander would re-spawn extortion tools if they were killed. As in a lot of science fiction, killed "enemy soldiers" (extortion software) were instantly replaced by fresh "troops".

By this point in the evolution of extortion tools and tradecraft, any tool that relies on remote analytic computing, and the latencies involved, is simply overwhelmed. Modern attacker tactics also no longer encrypt every piece of data in a business, so by the time defenders "catch up", the attacker's goals are likely already accomplished.

...

Around 80% of EDR and XDR solutions require access to remote analytic servers to function optimally. Without access to the remote (usually cloud-based) "brain", these tools are severely diminished in capability.

Attackers have leveraged the latency vulnerability discussed earlier to conduct fast attacks on EDR and XDR software that are completed long before a "response" can be taken.

A common attack now seen is that the attackers gain access to adjust firewall rules and block the endpoint security tools from reaching their analytic servers. The net effect is that the EDR/XDR tools lose the ability to analyze and respond to the extortion attack activities, making the attackers' job that much easier.
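One way a defender can catch the firewall-rule blinding described above: scan firewall audit events for outbound block rules that cover the agent's analytic servers, then correlate with agent heartbeats. This is an added example, not Cyber Crucible's code; the log line format, host names, heartbeat times and analytic server address ranges are all constructed placeholders.

```python
"""Detection logic for firewall rules that cut an EDR/XDR agent off from its analytic
servers (added example; log format, hosts and server ranges are constructed)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed: address ranges of the EDR/XDR vendor's analytic servers (placeholders).
ANALYTIC_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed audit-log line: "<ISO time> <host> FW_RULE_ADD action=... dir=... remote=<ip|cidr>"
LINE_RE = re.compile(r"^(\S+) (\S+) FW_RULE_ADD action=(\w+) dir=(\w+) remote=(\S+)$")

def blocks_analytic_egress(remote):
    """True if a rule covering `remote` (single IP or CIDR) overlaps any analytic server range."""
    net = ipaddress.ip_network(remote, strict=False)
    return any(net.overlaps(a) for a in ANALYTIC_NETS)

def find_blinding_rules(lines):
    """Return (time, host, remote) for outbound block rules that hit analytic servers."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, action, direction, remote = m.groups()
            if action == "block" and direction == "out" and blocks_analytic_egress(remote):
                hits.append((datetime.fromisoformat(ts), host, remote))
    return hits

def blinded_hosts(hits, last_heartbeat, now, max_gap=timedelta(minutes=5)):
    """Hosts with a blinding rule whose agent heartbeat has since gone silent."""
    silent = {h for h, t in last_heartbeat.items() if now - t > max_gap}
    return sorted({host for _, host, _ in hits if host in silent})

# Constructed sample: ws-17 and srv-03 get outbound blocks on analytic ranges,
# ws-42's rules are inbound or unrelated, and only ws-17's heartbeat has stopped.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 FW_RULE_ADD action=allow dir=out remote=0.0.0.0/0
2024-05-01T10:02:13 ws-17 FW_RULE_ADD action=block dir=out remote=203.0.113.0/24
2024-05-01T10:02:15 ws-42 FW_RULE_ADD action=block dir=in remote=203.0.113.5
2024-05-01T10:03:01 ws-42 FW_RULE_ADD action=block dir=out remote=10.0.0.0/8
2024-05-01T10:03:40 srv-03 FW_RULE_ADD action=block dir=out remote=198.51.100.7
"""
SAMPLE_HEARTBEATS = {"ws-17": datetime(2024, 5, 1, 10, 2, 10),
                     "ws-42": datetime(2024, 5, 1, 10, 9, 0),
                     "srv-03": datetime(2024, 5, 1, 10, 8, 30)}
SAMPLE_NOW = datetime(2024, 5, 1, 10, 10, 0)

def run_sample():
    """Run the detection over the sample; returns (rule hits, blinded host names)."""
    hits = find_blinding_rules(SAMPLE_LOG.splitlines())
    return hits, blinded_hosts(hits, SAMPLE_HEARTBEATS, SAMPLE_NOW)
```

On the sample, srv-03 is flagged for a suspicious rule but not yet as blinded because its agent is still checking in; a real deployment would replace the constructed log parser with the host's actual firewall audit source.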

Exploits against EDR and XDR software are certainly seen, and the resiliency of endpoint tools against tampering by attackers is a recurring issue vendors prefer not to discuss openly. In this case, though, the EDR or XDR can remain intact and unexploited, installed, running, and almost completely ineffective.

What All This Means to Cyber Crucible - Is it an EDR or XDR?

...