Welcome back, aspiring cyberwarriors!
When you’re working on cyber operations, you’ll often come across security tools that can interfere with your plans. Among these, endpoint detection and response (EDR) tools are probably the biggest headache during the post-exploitation part of an attack.
In this article, we will delve into the essential components of endpoint detection and response (EDR) systems and examine how they identify malicious activity across various environments. We’ll discuss common design features, explain what extended detection and response (XDR) entails, and provide a hands-on installation guide for Wazuh XDR. Let’s get rolling!
Step #1: What is Endpoint Detection and Response (EDR)?

EDR is a tool that monitors endpoints for potential threats and takes quick action to address them. Endpoints are all the devices connected to a network, such as smartphones, desktops, laptops, virtual machines, and IoT devices. These devices can give hackers several ways to attack an organization. EDR solutions help security teams find and fix threats on these devices before they can spread across the network.
Step #2: Why Do We Need an EDR When We Already Have Antivirus (AV) on Our Endpoints?
Both antivirus software (AV) and Endpoint Detection and Response (EDR) serve the same purpose: protecting endpoints where they are installed. However, they significantly differ in the level of protection they offer.
Imagine a data center as an endpoint that requires protection. One layer of security is the access control system at the main entrance. Security personnel check each person’s badge and cross-reference it against a list of authorized individuals before allowing entry. This access control system (AV) monitors everyone attempting to enter. It denies access to anyone whose credentials match a database of known unauthorized individuals. While this sounds like effective protection, it has limitations. What happens if someone who has never been flagged before, perhaps carrying a hidden USB device or acting as an insider threat, gains entry by posing as a legitimate technician? The access control system would allow them through, creating an undetected threat within the data center.
This is where EDR comes into play. In this analogy, the EDR represents the security staff and surveillance systems deployed throughout the data center. These personnel constantly monitor cameras, track access logs, analyze network activity, and observe movements across every server aisle, power room, and restricted area. Unlike the access control system, the internal security team enhances the data center’s protection through continuous monitoring.
While antivirus software catches commodity threats, EDR is there for the advanced ones that slip past static checks. Classic AV decides mostly on signatures at scan time; EDR continuously records what the endpoint is doing (process creation, file and registry changes, network connections, handle access) and ships that record to a central server. That gives the security team behavioral context on each host and visibility across the whole fleet, rather than a single host's pass/fail verdict.

Step #3: The Components of an EDR
Let’s take a closer look at the core elements of Endpoint Detection and Response (EDR): the agent, telemetry, and sensors.

The Agent
The EDR agent is the application running on the endpoint. It collects data from the sensor components, applies local detection logic to identify potential threats, and forwards telemetry to the central server for further analysis and correlation. If malicious activity is detected, the agent can respond by logging an alert, killing the process or quarantining the file, blocking the action, isolating the host from the network, or, on some platforms, feeding the attacker deceptive data.
Telemetry
Telemetry refers to the raw data generated by sensors or the host system, which is analyzed to detect malicious activity. Every action taken by the system generates telemetry, which serves as data points for the EDR’s alerting logic.
Sensors
In the context of EDR, sensors are the components that observe activity and convert it into telemetry. On Windows this typically means kernel callbacks (process, thread, image-load and registry notifications), file-system minifilters, ETW providers, and user-mode hooks placed in system DLLs.
On the offensive side, the aim is to disrupt the flow of telemetry from those sensors (removing user-mode hooks, blinding ETW, tampering with or stopping the agent) so that the EDR has fewer data points to alert or block on. The result the attacker wants is a false negative, and that cannot be engineered blindly: you first have to understand which sensors exist and what each one collects, which is what turns evasion from guesswork into an informed plan.
Step #4: Brittle vs Robust Detections
Brittle detections key on one specific artifact: an exact file hash, a fixed string, or a filename. They are excellent at spotting a particular build of a malicious file, but even a small change causes a miss. Their false-positive rate is usually very low, and because they are simple to write, a team can push one out within hours of a new sample appearing. The cost is that they rarely catch variants. For instance, a rule for the original Mimikatz binary almost never fires on anything else. But a filename rule is defeated by renaming “mimikatz.exe” to something like “mimidogz.exe”, and a hash rule is defeated by changing a single byte or recompiling from source; the behavior of the tool is identical in both cases.
On the other side, robust detections key on the behavior a technique cannot avoid, regardless of what the binary is called or how it is packed: for example, a process other than lsass.exe opening a handle to lsass.exe with memory-read access. Some of these rules are hand-written behavioral logic, others are machine-learning models trained on large telemetry sets. They reduce misses but generate more false positives, because legitimate software (antivirus engines, backup agents, debuggers) often does the same thing and has to be allowlisted or baselined. Balancing the need to catch real threats against acceptable alert noise is a genuine engineering challenge, which is why most EDRs mix brittle signatures for known-bad artifacts with robust detections for broader coverage.
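To make the trade-off concrete, here is a small added example (not code from the original article or from any EDR vendor) that runs a brittle rule and a robust rule over constructed telemetry shaped loosely like Sysmon ProcessCreate (ID 1) and ProcessAccess (ID 10) events. All paths, hashes and the Defender allowlist entry are made up for the example. The renamed copy evades the name/hash rule but not the behavioral one, and removing the allowlist shows where the behavioral rule's false positives come from.

```python
"""Brittle (name/hash) vs robust (behavioral) detection over constructed endpoint telemetry.

Events mimic Sysmon ProcessCreate (id 1) and ProcessAccess (id 10) records.
Every path, hash and name below is invented for the example.
"""

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010  # access right a credential dumper cannot do without

# Brittle indicators: the exact filename and the exact SHA-256 of one known build (placeholder hash).
BAD_NAMES = {"mimikatz.exe"}
BAD_HASHES = {"aa11" * 16}

# Processes legitimately expected to read LSASS memory (assumed allowlist for a lab host).
ALLOWLIST = {r"c:\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe"}

EVENTS = [
    # Original Mimikatz build: name and hash both match the brittle rule.
    {"id": 1, "image": r"C:\Tools\mimikatz.exe", "sha256": "aa11" * 16},
    {"id": 10, "source": r"C:\Tools\mimikatz.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    # Same tool renamed and re-padded: new name, new hash, identical behavior.
    {"id": 1, "image": r"C:\Tools\mimidogz.exe", "sha256": "bb22" * 16},
    {"id": 10, "source": r"C:\Tools\mimidogz.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    # Defender's engine also reads LSASS: a true behavioral match that is not an attack.
    {"id": 10, "source": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    # Ordinary user activity, uninteresting to both rules.
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "sha256": "cc33" * 16},
    {"id": 10, "source": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\notepad.exe", "access": 0x1000},
]


def brittle_detect(events):
    """Exact-match rule: fires only on the known filename or the known file hash."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name in BAD_NAMES or e["sha256"] in BAD_HASHES:
            hits.append(e["image"])
    return hits


def robust_detect(events, allowlist=frozenset(ALLOWLIST)):
    """Behavioral rule: any non-allowlisted process opening LSASS with VM_READ rights."""
    hits = []
    for e in events:
        if e["id"] != 10 or e["target"].lower() != LSASS:
            continue
        if not e["access"] & PROCESS_VM_READ:
            continue
        if e["source"].lower() in allowlist:
            continue
        hits.append(e["source"])
    return hits


if __name__ == "__main__":
    print("brittle:             ", brittle_detect(EVENTS))
    print("robust:              ", robust_detect(EVENTS))
    print("robust, no allowlist:", robust_detect(EVENTS, allowlist=frozenset()))
```

The brittle rule catches only the original build; the robust rule catches both copies because it never looks at the name, and the third call shows the noise you buy with it: without an allowlist the antivirus engine is reported too.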
Step #5: How Does an EDR Find Advanced Threats That Antivirus Software Might Not Catch?
Behavioral Analysis
Behavioral analysis is where EDR really sets itself apart from traditional antivirus. Instead of just looking for known patterns like a regular antivirus does, EDR uses behavioral analysis and machine learning to spot threats based on what they’re actually doing.
Indicators of Attack vs Indicators of Compromise
When it comes to detecting threats, there’s a big difference between Indicators of Attack and Indicators of Compromise. Traditional antivirus programs mainly focus on IOCs, which are specific bad file hashes, suspicious domains, or dodgy IP addresses. The downside is that by the time we identify an IOC, the damage has usually already been done. Just relying on these known bad indicators can lead to what’s called silent failure, where data breaches slip through unnoticed. To really protect against threats, you need to look at IOAs, which focus on intent and the sequence of events. For example, a Word document that triggers PowerShell, which then connects to an external server. Even if each action seems harmless on its own, the sequence as a whole tells a different story.
Machine Learning and AI-Driven Detection
In addition to signatures and known patterns, modern EDR platforms use machine-learning models to score behavior and flag sequences that look malicious even when the specific threat has never been seen before. The models are trained on large volumes of telemetry labeled benign and malicious, which lets them estimate whether a chain of actions is heading somewhere bad. Figures such as 97.3 percent detection with 0.8 percent false positives, against roughly 45 percent false positives for purely rule-based approaches, are sometimes quoted for this kind of detection; treat any such number with caution, since results depend heavily on the evaluation dataset, the threshold chosen, and how the vendor defines a false positive.
Fileless Malware Detection
One of the more dangerous tactics out there is fileless malware, which is hard to catch precisely because it never writes a payload to disk, so a disk-based scanner has nothing to scan. Instead, it runs entirely in memory, often by injecting into or hijacking normal system processes. EDR can spot this evasive code in memory, along with other activity that misuses legitimate tools, and sometimes exploitation of vulnerabilities that have no signature yet. By monitoring process behavior at the kernel level rather than only scanning files on disk, EDR can detect when a legitimate tool like PowerShell or WMI is being driven for malicious purposes.
Living-off-the-Land Detection (LOLBins)
Closely related to fileless techniques is the concept of “living off the land” where attackers avoid bringing their own tools entirely and instead abuse built-in operating system utilities, things like certutil.exe, mshta.exe, or regsvr32.exe, to carry out malicious actions. Attackers change their tools constantly, but their techniques stay consistent, so EDR focuses on behavioral analysis to spot and stop harmful activity.
MITRE ATT&CK Framework Integration
A lot of EDR tools now tie into the MITRE ATT&CK framework, which is basically a large catalog of known adversary techniques, organized under tactics (the attacker's goal at each stage, such as initial access, execution, or credential access). By mapping endpoint activity to this framework, EDR can say not just that something is suspicious but where it fits in the attack chain. This makes it a lot quicker to investigate and respond.
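The IOA idea from the Word-to-PowerShell example, the living-off-the-land section, and the ATT&CK mapping all come together in one piece of correlation logic. The following added example (mine, not the article's or any vendor's code) walks a constructed stream of process and network events, keeps a parent/child process map, and reports only when an Office application spawns a script host or LOLBin that then talks to an external address. Each event is harmless alone; the chain is not. The external IPs are RFC 5737 documentation addresses standing in for internet hosts, and the ATT&CK mapping table is my own assumption for the example.

```python
"""Indicator-of-attack chain: Office app -> script host / LOLBin child -> external connection.

Constructed telemetry. The external destinations use RFC 5737 documentation ranges
(203.0.113.0/24, 198.51.100.0/24) standing in for real internet hosts.
"""
from ipaddress import ip_address, ip_network

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries commonly abused as a second stage ("living off the land").
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "certutil.exe", "regsvr32.exe", "rundll32.exe"}
# ATT&CK technique for the child binary (assumed mapping for this example).
ATTACK_IDS = {"powershell.exe": "T1059.001", "pwsh.exe": "T1059.001", "mshta.exe": "T1218.005",
              "wscript.exe": "T1059.005", "cscript.exe": "T1059.005", "certutil.exe": "T1105",
              "regsvr32.exe": "T1218.010", "rundll32.exe": "T1218.011"}
# Explicit RFC 1918 list rather than ipaddress.is_private, which also treats the
# documentation ranges used below as non-global.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# (seconds since start, kind, fields); pids are arbitrary lab values.
EVENTS = [
    (0,  "process", {"pid": 100, "ppid": 1,   "image": "explorer.exe"}),
    (5,  "process", {"pid": 200, "ppid": 100, "image": "WINWORD.EXE"}),     # user opens a document
    (9,  "process", {"pid": 300, "ppid": 200, "image": "powershell.exe"}),  # macro spawns PowerShell
    (11, "network", {"pid": 300, "dst": "203.0.113.7", "port": 443}),       # stager calls out
    (20, "process", {"pid": 400, "ppid": 100, "image": "powershell.exe"}),  # admin opens a console
    (22, "network", {"pid": 400, "dst": "10.0.0.5", "port": 5985}),         # WinRM to an internal host
    (30, "process", {"pid": 500, "ppid": 100, "image": "EXCEL.EXE"}),
    (33, "process", {"pid": 600, "ppid": 500, "image": "mshta.exe"}),       # LOLBin second stage
    (34, "network", {"pid": 600, "dst": "198.51.100.9", "port": 80}),
    (40, "process", {"pid": 700, "ppid": 100, "image": "WINWORD.EXE"}),
    (41, "process", {"pid": 800, "ppid": 700, "image": "powershell.exe"}),  # never talks out: not reported
]


def is_internal(dst):
    """True for RFC 1918 destinations; everything else is treated as external."""
    ip = ip_address(dst)
    return any(ip in net for net in RFC1918)


def detect_office_chains(events, window=60):
    """Correlate three individually benign events into one alert.

    Returns (parent image, child image, destination, ATT&CK ID) for every external
    connection made by a LOLBin whose parent is an Office app started within `window` seconds.
    """
    procs = {}   # pid -> (start time, lowercase image, ppid)
    chains = []
    for ts, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "process":
            procs[f["pid"]] = (ts, f["image"].lower(), f["ppid"])
            continue
        if kind != "network" or is_internal(f["dst"]):
            continue
        child = procs.get(f["pid"])
        if child is None or child[1] not in LOLBINS:
            continue
        parent = procs.get(child[2])
        if parent is None or parent[1] not in OFFICE_APPS or ts - parent[0] > window:
            continue
        chains.append((parent[1], child[1], f["dst"], ATTACK_IDS[child[1]]))
    return chains


if __name__ == "__main__":
    for parent, child, dst, technique in detect_office_chains(EVENTS):
        print(f"IOA chain: {parent} -> {child} -> {dst} ({technique})")
```

Note what does not fire: the administrator's PowerShell session talking WinRM to an internal host, and the Word-spawned PowerShell that never connects anywhere. The parent/child map is also the raw material for the forensic timeline described below; the same structure, walked backwards from the alert, tells you where the chain started.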
Forensic Timeline Reconstruction
If something does manage to slip past the defenses, EDRs can still save the day. They allow analysts to piece together attack timelines, visualize how the attacker moved around, and dig into what went wrong.
Step #6: From EDR to XDR

Now that we understand how EDR works, let’s discuss a recent development: XDR, or Extended Detection and Response. While an EDR focuses on a single endpoint, which is a significant improvement over basic antivirus solutions, it still has its limitations. Endpoints do not operate in isolation; devices communicate over networks, users log in through identity systems, and data flows in and out of cloud services. All of these entry points can serve as potential attack paths, and traditional EDR solutions often fail to monitor these broader contexts.
XDR steps in by pulling data or telemetry from across the tech environment, not just endpoints. It monitors the network, cloud environments, email gateways, identity systems, and endpoints simultaneously. This allows it to connect the dots and make it easier to catch threats that move between different layers to evade detection. To put it simply, if an EDR is like a security team watching cameras in a server room, an XDR is more like a fully integrated security operations center scanning every entrance, loading dock, communication line, and visitor management system throughout the entire building. It can automatically link suspicious activity when the same person shows up in different areas.
These days, many security platforms blur the lines between EDR and XDR, offering both in-depth endpoint protection and broader visibility across the entire environment in a single package. One notable open-source example of this kind of platform is Wazuh, which we’ll explore next.
Step #7: Installing and Configuring Wazuh
Wazuh is a free and open-source security platform that combines SIEM, EDR, and XDR capabilities into a single deployable stack. On the server side it has three central components, the Wazuh server (manager) that ingests and analyzes security data, the Wazuh indexer that stores it, and the Wazuh dashboard you work in, plus lightweight agents installed on the endpoints you want to monitor. The all-in-one installer used below puts all three central components on one host.

For this walkthrough, you will need two machines: one to act as the Wazuh server (I’ll be using a fresh installation of Ubuntu 24.04) and at least one endpoint to monitor, which can be a Windows or Linux machine. Both should be able to reach each other over the network; the agent connects to the manager on TCP 1515 to enroll and TCP 1514 to send events, and you reach the dashboard on TCP 443.
To get started, run the official Wazuh installation assistant with the -a (all-in-one) flag. As with any script you execute as root, it is worth downloading it and reading through it before running it:
ubuntu> curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once the assistant finishes, the output displays the access credentials (the dashboard admin user and the API users) and a confirmation that the installation was successful. Copy these somewhere safe now; they are also kept in the wazuh-install-files.tar archive the assistant leaves in the working directory, which is itself sensitive and should not be left on a shared host.

Let’s open a web browser and sign in to the Wazuh dashboard at https://<server-ip> with the admin user and the password printed above. The dashboard ships with a self-signed certificate, so expect a browser warning on first connection. You will see a webpage as shown below.

The dashboard is empty at this point because no agent is reporting to the manager yet. To add one, click the “Deploy new agent” button.

You’ll need to specify your target endpoint OS and the server’s IP address. After that, this wizard will present the commands to install the agent on the target endpoint.
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.1-1_amd64.deb && \
sudo WAZUH_MANAGER='IP' WAZUH_AGENT_NAME='Name' dpkg -i ./wazuh-agent_4.14.1-1_amd64.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

Within a minute or two of starting the agent, your endpoint should appear in the list with a status of Active. If it stays at Never connected, the usual causes are a wrong manager IP in the command above or a firewall blocking TCP 1514/1515 towards the server; the agent’s own log at /var/ossec/logs/ossec.log on the endpoint will say which.

You are now collecting live telemetry from that machine.
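Clicking through the dashboard works for one agent; for a fleet you want the same check scripted. The following added example (mine, not part of the original article or the Wazuh project) authenticates to the Wazuh server API on port 55000, lists the enrolled agents, groups them by status, and reports any expected endpoint that is not active. The manager address, API user and password are placeholders you replace with the values the install assistant printed; the sample response is constructed so the status logic can be exercised offline, and the option to skip certificate verification is a lab shortcut, not something to carry into production.

```python
"""Confirm enrolled Wazuh agents are reporting, via the Wazuh server API.

Endpoint paths and response shapes follow the Wazuh 4.x API (TCP 55000).
MANAGER, API_USER and API_PASS are assumptions; SAMPLE_RESPONSE is constructed.
"""
import base64
import json
import ssl
import urllib.request

MANAGER = "https://192.0.2.10:55000"   # assumed server address
API_USER = "wazuh"                     # API user created by the install assistant
API_PASS = "changeme"                  # assumed: use the password the assistant printed


def _ssl_context(cafile=None):
    # The API ships with a self-signed certificate. Verify against a CA file when you
    # have one; skipping verification is acceptable only on an isolated lab network.
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def get_token(manager, user, password, cafile=None):
    """POST /security/user/authenticate with HTTP Basic auth; returns a bearer token."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{manager}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=_ssl_context(cafile)) as resp:
        return json.load(resp)["data"]["token"]


def fetch_agents(manager, token, cafile=None):
    """GET /agents; returns the parsed JSON response."""
    req = urllib.request.Request(f"{manager}/agents",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_ssl_context(cafile)) as resp:
        return json.load(resp)


def summarize_agents(response):
    """Group agent names by status, skipping id 000 (the manager's own entry)."""
    by_status = {}
    for agent in response["data"]["affected_items"]:
        if agent["id"] == "000":
            continue
        by_status.setdefault(agent["status"], []).append(agent["name"])
    return by_status


def not_reporting(expected, summary):
    """Names from `expected` that are not currently active (disconnected, pending, never connected)."""
    return sorted(set(expected) - set(summary.get("active", [])))


# Constructed stand-in for a real /agents response, used when no manager is reachable.
SAMPLE_RESPONSE = {"data": {"affected_items": [
    {"id": "000", "name": "wazuh-server", "status": "active"},
    {"id": "001", "name": "ubuntu-endpoint", "status": "active"},
    {"id": "002", "name": "win11-lab", "status": "never_connected"},
], "total_affected_items": 3}, "error": 0}

if __name__ == "__main__":
    try:
        response = fetch_agents(MANAGER, get_token(MANAGER, API_USER, API_PASS))
    except OSError:
        response = SAMPLE_RESPONSE  # network or auth failure: demonstrate on the constructed data
    summary = summarize_agents(response)
    print(summary)
    print("not reporting:", not_reporting(["ubuntu-endpoint", "win11-lab"], summary))
```

A never_connected agent is the case from the deployment step above: the package installed, but the agent never reached the manager, so start with the manager IP and the 1514/1515 firewall path. A disconnected agent did enroll once and has since gone quiet, which on a real network is the signal worth alerting on, since killing the agent is exactly what an attacker who has landed on the box would try first.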
Summary
What we have covered in this article is the full journey from understanding what an EDR is and why it matters, through building a practical mental model of how its components fit together, to getting our hands dirty with a real open-source deployment of Wazuh. In later articles, we will explore Wazuh in action and, most importantly, will see how EDR/XDR can be secured and attacked.
Source: HackersArise
Source Link: https://hackers-arise.com/edr-xdr-for-cyberwarriors-how-endpoints-are-monitored-attacked-and-defended/