Should Your EDR Be Based in User-mode? You Might Want to Reconsider

Following the largest global IT outage in history this past July, which disrupted numerous services and industries, many publicly argued that endpoint security vendors should stop designing and developing kernel-based agents.

Unlike legacy signature-based detection, the strength of next-gen security solutions, particularly Endpoint Detection and Response (EDR) systems, lies in the visibility and context they provide. In practice, these capabilities have largely been implemented by monitoring operations from user mode, typically through hooks placed inside the monitored process.

To beat EDRs, attackers and malware developers either break execution chains to obscure context or disrupt visibility by blinding the EDR to the operations a process executes. Unfortunately, disrupting visibility is relatively straightforward because of a fundamental flaw: the monitoring code relies on the same execution environment it is meant to protect, running inside the same process and at the same privilege level as the code it watches.

The talk will first touch on the limitations of purely user-mode EDRs, such as the lack of boot-time protection and the existence of processes they cannot reach. It will then explore the main approach used by adversaries in the wild: bypassing and evading hooks. The research presented maps all known techniques, together with a proposed detection scheme focused on runtime and forensic indicators, based on reverse engineering and in-depth analysis of each method, so that all researchers can benefit from it. Lastly, the talk will cover a less popular tactic used by adversaries: disarming the protection engine entirely from within the process.
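As an added illustration, not part of the talk or the speaker's material, the following C model shows why an in-process hook can be undone by the code it watches, and how a runtime indicator and a forensic indicator differ in what they catch. The two syscall stubs, their SSN values, the jump displacements and the names NtOpenProcess and NtWriteVirtualMemory are constructed for the example; the code operates on byte arrays standing in for the on-disk and in-memory copies of ntdll rather than patching real code, so it runs anywhere.

```c
/* Added example (not from the talk): a byte-level model of an inline
 * user-mode hook on an x64 syscall stub, the attacker restoring the clean
 * bytes from the same process, and two kinds of indicators. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN   16
#define STUB_COUNT 2

/* Constructed sample: two x64 Nt* stubs as they look on disk.
 *   mov r10,rcx ; mov eax,<ssn> ; syscall ; ret ; int3 padding
 * The SSN values (0x26, 0x3A) are placeholders, not any real build's numbers. */
static const uint8_t disk_image[STUB_COUNT][STUB_LEN] = {
    { 0x4C,0x8B,0xD1, 0xB8,0x26,0x00,0x00,0x00, 0x0F,0x05, 0xC3, 0xCC,0xCC,0xCC,0xCC,0xCC },
    { 0x4C,0x8B,0xD1, 0xB8,0x3A,0x00,0x00,0x00, 0x0F,0x05, 0xC3, 0xCC,0xCC,0xCC,0xCC,0xCC },
};
static const char *stub_names[STUB_COUNT] = { "NtOpenProcess", "NtWriteVirtualMemory" };

/* The copy the process executes from: what the mapped ntdll looks like. */
static uint8_t mem_image[STUB_COUNT][STUB_LEN];

/* Bytes the hook displaced, kept so the detour can forward to the real stub. */
static uint8_t trampoline[STUB_COUNT][5];

void load_image(void) { memcpy(mem_image, disk_image, sizeof mem_image); }

/* EDR side: overwrite the first 5 bytes with JMP rel32 to a detour.
 * rel32 is a placeholder displacement; a real hook computes it from addresses. */
void edr_hook(int idx, int32_t rel32) {
    memcpy(trampoline[idx], mem_image[idx], 5);
    mem_image[idx][0] = 0xE9;
    memcpy(&mem_image[idx][1], &rel32, 4);
}

/* Attacker side, same process: copy the clean stub over the hook. This works
 * because the attacker's code has exactly the rights the hook relies on. */
void attacker_unhook_from_disk(int idx) {
    memcpy(mem_image[idx], disk_image[idx], STUB_LEN);
}

/* Runtime indicator: a syscall stub starts with 4C 8B D1. A JMP rel32 (E9)
 * or an indirect JMP (FF 25) at offset 0 marks an inline hook. */
bool stub_is_hooked(const uint8_t *stub) {
    return stub[0] == 0xE9 || (stub[0] == 0xFF && stub[1] == 0x25);
}

/* Forensic indicator: diff the in-memory stubs against the on-disk image.
 * Returns how many stubs differ. Note that after a clean unhook this is 0. */
int count_modified_stubs(void) {
    int n = 0;
    for (int i = 0; i < STUB_COUNT; i++)
        if (memcmp(mem_image[i], disk_image[i], STUB_LEN) != 0) n++;
    return n;
}

/* EDR self-check: how many of its own hooks are no longer in place. This is
 * the signal that survives an unhook, since the stub now matches disk again. */
int count_missing_hooks(void) {
    int n = 0;
    for (int i = 0; i < STUB_COUNT; i++)
        if (!stub_is_hooked(mem_image[i])) n++;
    return n;
}

int main(void) {
    load_image();
    for (int i = 0; i < STUB_COUNT; i++) edr_hook(i, 0x1000 * (i + 1));
    printf("after hooking:   modified=%d missing=%d\n",
           count_modified_stubs(), count_missing_hooks());
    for (int i = 0; i < STUB_COUNT; i++) attacker_unhook_from_disk(i);
    printf("after unhooking: modified=%d missing=%d\n",
           count_modified_stubs(), count_missing_hooks());
    for (int i = 0; i < STUB_COUNT; i++)
        printf("%-22s hooked=%d\n", stub_names[i], stub_is_hooked(mem_image[i]));
    return 0;
}
```

The point the model makes: once the attacker restores the on-disk bytes, a memory-versus-disk comparison reports nothing, so the useful indicator is the hook's absence (or the write to the module's code pages that removed it), not the modification itself.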

By the end of the session, the aim is to have debunked the myth that user-mode-only EDRs are adequate for comprehensive protection.

Omri Misgav – Independent Security Researcher

Omri is an independent security researcher with over a decade of experience in the field. Previously, he headed a security research group in Fortinet's FortiGuard Labs, focused on OS internals, malware and vulnerabilities. Omri joined Fortinet following its acquisition of enSilo, where he was the security research team leader and spearheaded the development of new offensive and defensive techniques. Before that, he led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors. Omri is a past speaker at various conferences, including DEF CON, AVAR, BSidesLV, BSidesTLV, FIRST TC and others.