Responding to the Exigent Emergence of EDR Silencers

Cyber threat actors consistently adjust their tactics, techniques, and procedures (TTPs) to find new and unexpected ways to access target environments and disrupt their operations. In most instances, this is done for financial gain. One significant challenge facing businesses, and cybersecurity teams more specifically, is maintaining the ability to respond quickly to new and emerging threats for which only a thin catalog of Indicators of Compromise (IoCs) or an undeveloped threat response playbook exists.

One specific way threat actors have been seen carrying out malicious attacks on businesses is by using EDR Silencers. Understanding this emerging threat is crucial because many organizations that invest in their cyber defenses utilize some EDR (Endpoint Detection and Response) tool to help prevent ransomware and other cyber intrusions. To effectively defend against Silencers, business leaders must understand the usage of their own EDR tools, develop plans for potential tool failure, and enhance overall preparedness for cyberattacks, including this specific and other emerging threats.

For organizations without the bandwidth to both stay alert to changes in threat tactics and implement effective responses, working with a 24/7 Security Operations Center (SOC) can make an impactful difference. A SOC team is essential for combating cyber threats as it provides continuous monitoring and real-time threat remediation, helping ensure that environments are protected even outside standard business hours when most cyberattacks occur (1). Partnering with a dedicated SOC can bring the experience of certified analysts and engineers to your defense and integrate advanced security tools to prevent threat actors from gaining a foothold, allowing your IT team to focus on core business objectives, not unceasing threat research.

What are Endpoint Detection and Response Tools?

An “endpoint” is a broad term for any physical device that connects to an organization’s wider digital network, including laptops, mobile phones, servers, or device sensors. An endpoint detection and response (EDR) tool is the software installed on the endpoint, which continuously collects data so a user or system manager (an IT team, for instance) can monitor for and respond to threats and other suspicious activity. These systems incorporate rules-based automated response and analysis capabilities derived from data gathered during threat hunting and previous engagements, as well as accumulated and shared knowledge throughout the cybersecurity community.

It is important to note that EDR systems are merely one layer of a comprehensive cybersecurity program. However, they are vital and effective when configured properly and actively monitored on a 24/7/365 basis. There is no guaranteed protection against or prevention of all cyberattacks throughout the cybersecurity landscape. Although EDR tools can provide exceptional defense, it is crucial for there to be an experienced team of humans in place to respond immediately if the tool fails or a threat actor devises a new TTP that circumvents the toolset's capabilities.

What is an EDR Silencer, and how does it work?

In our current context, an EDR Silencer is any tool designed to evade detection by standard EDR systems. The original detection by Trend Micro was of a specific tool called “EDRSilencer,” a name that has since become a generic label for any tool fitting the category (2). This emerging threat was initially crafted for use by Red Teams, ‘ethical hackers’ who work together to simulate a cyberattack to test and improve an organization’s security defenses (3). EDR Silencers have since been co-opted by threat actors for nefarious purposes, continuing a trend of open-source cybersecurity tools being misused this way (see Cobalt Strike, for example).

EDR Silencers increase the stealthiness of threat actors, contributing to an increased likelihood of their moving laterally within a compromised environment. This tool typically uses the Windows Filtering Platform (WFP) to prevent the EDR agents from successfully identifying and reporting specific detections as security events to security teams engaged in active monitoring. In other words, it blocks the EDR's ability to send an alert, so the monitoring console indicates that all is well in the environment and the monitoring team takes no action. However, this is only the case if the EDR Silencer has been coded explicitly to ‘evade’ a specific EDR tool. To overcome the impact of these silencers, security teams can enhance their detection capabilities with additional purpose-built software; a tool called “EDRNoiseMaker” is specifically constructed to detect EDR Silencers.
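Because the silencing described above is implemented as WFP filters that block outbound connections from the EDR agent process, a defender can hunt for it by exporting the host's WFP filter set (for example with `netsh wfp show filters`, which writes a `filters.xml` file) and flagging block filters that key on an application path. The script below is an added illustration written for this article, not code from SpearTip, EDRNoiseMaker, or the EDRSilencer project. The embedded XML is a constructed sample shaped like that export (the element names are assumed from that tool's output and may differ across Windows builds), and the EDR process name `sensor.exe` under `exampleedr` is a placeholder; a real deployment would substitute the binaries of its own EDR product.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a `netsh wfp show filters` XML export.
# Filter 1 is an ordinary permit rule; filter 2 is the pattern an EDR Silencer
# leaves behind: a BLOCK action at the outbound connect layer, conditioned on
# the application ID (image path) of an EDR sensor, with no provider set.
SAMPLE_WFP_XML = r"""<?xml version="1.0"?>
<wfpdiag>
  <filters>
    <item>
      <filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
      <displayData><name>Core Networking - DNS (UDP-Out)</name></displayData>
      <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue><type>FWP_UINT16</type><uint16>53</uint16></conditionValue>
        </item>
      </filterCondition>
      <action><type>FWP_ACTION_PERMIT</type></action>
    </item>
    <item>
      <filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
      <displayData><name>Custom Outbound Filter</name></displayData>
      <providerKey/>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob>
              <asString>\device\harddiskvolume3\program files\exampleedr\sensor.exe</asString>
            </byteBlob>
          </conditionValue>
        </item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
    </item>
  </filters>
</wfpdiag>
"""

# Placeholder substrings identifying the organisation's EDR binaries (constructed).
EDR_PROCESS_HINTS = ("exampleedr", "sensor.exe")


def parse_filters(xml_text):
    """Flatten each WFP filter into a dict: key, name, provider, layer, action,
    and the list of application paths it is conditioned on (if any)."""
    root = ET.fromstring(xml_text)
    filters = []
    for item in root.findall("./filters/item"):
        app_ids = [
            cond.findtext("./conditionValue/byteBlob/asString", default="")
            for cond in item.findall("./filterCondition/item")
            if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID"
        ]
        filters.append({
            "key": item.findtext("filterKey", default=""),
            "name": item.findtext("./displayData/name", default=""),
            "provider": item.findtext("providerKey", default="") or "",
            "layer": item.findtext("layerKey", default=""),
            "action": item.findtext("./action/type", default=""),
            "app_ids": app_ids,
        })
    return filters


def find_edr_block_filters(xml_text, process_hints=EDR_PROCESS_HINTS):
    """Return block filters at the ALE connect layers whose app-ID condition
    names an EDR process. These are the filters that silence agent telemetry."""
    hits = []
    for flt in parse_filters(xml_text):
        if flt["action"] != "FWP_ACTION_BLOCK":
            continue
        if not flt["layer"].startswith("FWPM_LAYER_ALE_AUTH_CONNECT"):
            continue
        for path in flt["app_ids"]:
            if any(hint in path.lower() for hint in process_hints):
                hits.append({
                    "filter_key": flt["key"],
                    "name": flt["name"],
                    "layer": flt["layer"],
                    "app_id": path,
                    # An empty provider is a further hint: legitimate filters
                    # are normally registered by a named provider.
                    "provider_missing": flt["provider"] == "",
                })
    return hits


if __name__ == "__main__":
    for hit in find_edr_block_filters(SAMPLE_WFP_XML):
        print("Suspicious EDR block filter:", hit)
```

In practice the export would be read from the `filters.xml` file rather than the embedded sample, and a hit is a strong reason to verify that the EDR console still receives heartbeats from that host and to treat the filter's creation time as the start of an incident timeline.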

Responding to this emerging threat

EDR Silencers are a relatively new phenomenon in the cyber threat landscape. Their existence, however, reflects a significant and not uncommon trend of threat actors continuously devising ways to evade current cybersecurity defenses. While no single tool or toolset – take EDRs, for instance – can provide total cybersecurity, there are demonstrated ways to enhance overall cyber resilience in the face of EDR Silencers and other new and emerging TTPs.

  • Enhanced security program development: a developed and practiced Incident Response plan is necessary for when the unthinkable occurs. This program should also include consistent employee training around phishing and social engineering attacks.
  • 24/7 active monitoring: working with a cybersecurity-focused organization that engages in continuous threat hunting and active monitoring of digital environments, including endpoints, can help organizations stay ahead of threat actors.
  • Risk and vulnerability assessments: organizations must regularly assess their cyber maturity for security gaps, unpatched vulnerabilities, and other weaknesses that could be easily exploited by threat actors or emerging malicious software.
  • Secured backup systems: it is wise business practice to ensure that all business-critical data is backed up in a digital network separate from the main digital environment in case cyber defenses are breached.

Because the cybersecurity landscape changes quickly and constantly, it is best for organizations that do not maintain an internal 24/7 cybersecurity team to work closely with an organization that does, to help implement the most appropriate solutions for the organization. Maintaining a multi-layered defense is necessary, not just for EDRSilencer-related issues but also for an optimized security posture, as threat actors constantly develop new TTPs.

Understanding threats like EDR Silencers is crucial in the evolving cyber landscape. EDR tools are vital but not foolproof, and these silencers are designed to evade detection. Organizations should develop Incident Response plans, ensure 24/7 monitoring, conduct regular risk assessments and maintain secure backups. Employee training on phishing and social engineering is essential. Collaborating with specialized cybersecurity firms for continuous threat monitoring and adopting a comprehensive defense strategy enhances overall cyber resilience, helping businesses stay ahead of emerging threats and protect their digital environments.

Sources

  1. https://insight.scmagazineuk.com/businesses-commonly-attacked-outside-of-working-hours
  2. https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
  3. https://www.speartip.com/adversary-services/#redteamengagement
  4. https://detect.fyi/detection-of-edrsilencer-120c34da5b0b
  5. https://github.com/netero1010/EDRSilencer

The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group. SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy.
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright © 2024 SpearTip, LLC

Dan Ackerman

Cyber Resilience Architect

2 months

Great advice, well said!