Dr. Srinidhi Varadarajan, Chief Scientist, Elastio
Effective security isn’t an ‘either/or’ choice. While strong endpoint detection and response (EDR/XDR) perimeter defenses are crucial for blocking initial attacks, Elastio serves as an essential layer of defense for safeguarding critical enterprise data. What sets it apart is its ability to detect threats that bypass EDR/XDR defenses, enabling it to uniquely find those cases that slip through. The strongest security posture involves combining these solutions to protect both your perimeter and your data. In this blog, we will go into greater detail about how and why additional steps must be taken to ensure your ability to recover quickly from a ransomware attack.
Unmasking the Vulnerabilities: How Malware Sneaks Past EDR and XDR Solutions
EDR and XDR solutions form the first line of perimeter defense by using agents on end-point devices and VMs to detect malicious activity as it is occurring in real time. These solutions are very sophisticated, employing a mix of signature scanning, pattern detection, and AI to classify anomalous behavior specifically associated with malware. However, perimeter defenses are susceptible to bypass, particularly kernel bypass. In Windows systems, this is typically achieved by exploiting vulnerable kernel drivers (e.g., ioctl attacks), which bypasses strong Windows kernel driver signing techniques, resulting in malware within the kernel. These driver vulnerabilities are common given the large number of Windows devices, found at a rate of many a week and not particularly expensive to buy in malware markets.
With malware within the kernel, metrics obtained by EDR/XDR solutions (all of which also have kernel components) to determine malicious activity are no longer correct – they are spoofed. The spoofing involves hiding entire directory trees, masking processes from the list of running processes, and masking malware registry entries from being seen. In addition, kernel to user DLL injection is now possible, resulting in user-level DLL hijacking that shows running processes a clean view of the system state. An example is the security tool Hidden, which is used by multiple active malware (e.g., HiddenGh0st RAT). While the tool was intended for security researchers and required manual disabling of driver signing, malware packages exploit driver vulnerabilities to avoid the manual step and deposit the rootkit payload directly into the kernel. At this point, XDR solutions are running blind and largely rely upon malware authors making a mistake and triggering a tripwire.
Similar techniques exist for Linux as well, both in user-land hijacking using LD_PRELOAD (equivalent of DLL injection) as well as kernel hijacking using loadable kernel modules. VFS is a common hook point, since it enables kernel malware to spoof filesystem activity. While application security systems such as apparmor can correctly catch such bypass, they are rarely configured (in many cases disabled) correctly for custom packages, leaving pathways for malware injection. Fundamentally, malware gets to test against state-of-the-art EDR/XDR solutions and only has to be right once to bypass perimeter defenses.
Beyond Perimeter Defense: Elastio’s Revolutionary Approach to Ransomware Detection and Recovery
The vast majority of successful high-profile attacks involved systems with functioning state-of-the-art XDR solutions deployed on them that still failed to detect the attack. For example, the after action report from the City of Dallas attack in May 2023 shows that their XDR solution (page 4 event timeline), failed to detect malware from the threat actor Royal for nearly a month as it spread across the network. More tellingly, even after the threat actor detonated ransomware, causing IT to shut down and rebuild affected systems, one of the systems was reinfected during the rebuild phase right through the XDR deployed on the rebuilt system. The lesson here is that perimeter defenses alone are not sufficient.
In contrast to perimeter defense systems, Elastio focuses on ensuring that malware doesn’t get into immutable backups, which are the last line of defense against a ransomware attack. Elastio operates without end-point agents that can be bypassed and scans storage snapshots of the endpoint before the backup system ingests them. The fundamental difference here is that snapshots are taken by the underlying virtualization platform and completely outside the control of the malware affected end-point. The strong separation provided by the hypervisor in a cloud platform ensures that snapshots faithfully represent the storage state of the system1– the snapshot data Elastio operates on has clear provenance that cannot be changed or obfuscated by malware. This enables Elastio to unmask directory and registry hiding techniques used by malware, since they no longer work in an external snapshot. Elastio scans from an isolated clean environment that is not filtered by active malware, enabling comprehensive analysis and accurate, actionable intelligence on malware presence and ransomware detonation, however well hidden.
Breaking Down the Differences: Endpoint Protection Solutions vs. Elastio’s Data Resilience Platform
End Point Protection Solutions | Elastio Data Resilience Platform | Details |
EDR runs on the production server and is designed to protect against hackers. | Elastio is designed to operate on snapshots off-host. | Elastio provides a crucial level of recovery protection when perimeter and EDR defenses fail. |
EDR is designed to block malware as it is deposited on the server. | Elastio is designed to detect active ransomware and malware in data, ensuring it’s clean, uncompromised, and recoverable. | Detecting active ransomware necessitates thorough file inspection across multiple points in time. This task cannot be performed at the endpoint due to its performance impact and the absence of overtime analysis. |
EDR can be circumvented by malicious actors. | Elastio operates where a rootkit doesn’t operate, unmasking it and enabling detection. | Many techniques are used to bypass EDR – many of which also bypass driver signing. At this point, EDR cannot see parts of the file system, masked processes, and masked registry entries. |
About Elastio
Elastio detects and precisely identifies ransomware in your data and assures rapid post-attack recovery. Our data resilience platform protects against cyber attacks when traditional cloud security measures fail. Elastio’s agentless deep file inspection continuously monitors business-critical data to identify threats and enable quick response to compromises and infected files. Elastio provides best-in-class application protection and recovery and delivers immediate time-to-value.
1As an aside, we note that malware sometimes attack the VSS subsystem in Windows resulting in unusable app consistent snapshots. Elastio checks for snapshot and filesystem corruption as the first stage of snapshot scan to defeat this attack vector.