
Huawei Device Detection and Response EDR Issue 3: How Full-Stack Data Collection Enables Threats to Be "Seen"


EDR (endpoint detection and response) is a newer model of intelligent, rapid, active defense that gives enterprises visibility, defense, detection, tracing and response across the full attack path. Visibility comes first. The carrier of almost every kind of destructive activity in cyberspace is malicious code, whether an executable file that is plainly visible on disk, code injected into a system process, or a few lines of shellcode that exist only briefly in memory; whether that code can be "seen" determines both the feasibility and the upper limit of detection and defense. Seeing threats requires comprehensive data, which is why full-stack data collection is the cornerstone, and the fertile ground, of EDR capability.

Why data collection is so important in EDR and endpoint protection software

Data collection is the capability of endpoint security software that is most tightly coupled to the operating system, and even to the hardware. Functionally, it must monitor and record the behavior, resource usage and running state of the system. In terms of importance, the information captured by collection is the foundation on which the core functions of endpoint protection software are built: the accuracy, efficiency and completeness of that information determine how well behavior can be judged, handled and traced. The collected content ranges from simple file hashes and the digital signatures of executables, through key API calls and access to sensitive resources, up to thread call stacks and CPU instruction sequences; the richer the information, the more complex the security requirements it can satisfy and the fewer clues to malicious behavior are missed.

Where data collection plays a key role

1 Real-time monitoring and protection

Data collection monitors activity on the endpoint in real time, including but not limited to process operations, file operations, registry operations and network connections, and feeds this data to the behavior detection engine, which protects the host according to rules. This is HIPS (Host-based Intrusion Prevention System), a key capability of most endpoint protection software. Process-start and file-operation events can also be coordinated with the virus scanning engine to provide basic real-time anti-malware protection.

2 Threat detection

The variety of collected data sources lets an EDR product abstract malware behavior: each event is expressed in terms of its subject, operation and object, describing process and system behavior; large numbers of such descriptions are assembled into a graph; and the detection engine can then recognize behaviors such as malicious script execution, process termination and abnormal outbound connections from shellcode, and from those determine attack scenarios such as ransomware, cryptomining and lateral movement. In this way both known and unknown threats in the environment are discovered, and defenses improve.

3 Threat response

Endpoint protection software, and EDR products in particular, can identify a malicious program through HIPS rule detection, virus scanning and correlation with other sources. During response, however, simply removing the target file often does not give the best result: persistence mechanisms can regenerate the malicious program, so that it attacks again and again and keeps triggering malicious behavior. With data collection, the behavior of the malicious program at every stage, from initial access to persistence and from persistence to command execution, is recorded, and operations across multiple endpoints can be coordinated, so that the whole execution chain can be cleaned up during response, eliminating the threat and preventing further spread.

What behavioral information needs to be collected for data collection

The operating system provides ways to access and modify different system resources. For the resources and sensitive operations that are most often exposed to security risk, collection typically covers the following items:

Process behavior, file behavior, registry behavior, network connections, DNS access, kernel object creation

Malicious code and malicious modules are generally carried by a process of their own or by a hijacked system process, and a malicious process has several ways of accessing resources: ransomware typically renames and deletes files at a high rate; a process establishing persistence must manipulate startup items such as the registry; a stealer Trojan makes suspicious network connections and reads private files; a cryptominer issues unusual DNS requests; and many malicious programs create their own kernel objects, such as mutexes (often to ensure only one copy runs) and pipes.

Logon and logoff

System logon and logoff records help analyze password-cracking attempts, for example by auditing the history of failed logons and the sources they came from.
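As an added illustration (not code from the article or from Huawei's product), the following Python triages constructed logon audit events for the pattern just described: failed logons per source within a time window, whether the attempts were spread across many accounts (a spray) or concentrated on one (brute force), and whether the same source then logged on successfully. The event fields and the sample events are assumptions, shaped after Windows Security log entries 4625 (failed logon) and 4624 (successful logon).

```python
"""Triage of logon audit events for password guessing.

Added example for this article, not Huawei EDR code. The events are
constructed to resemble Windows Security log entries (event 4625 =
failed logon, 4624 = successful logon); the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 10.0.0.5 across several accounts that
# ends in a successful logon, and one user from 10.0.0.9 who mistypes twice.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "event_id": 4625, "user": "admin",         "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:00:08", "event_id": 4625, "user": "administrator", "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:00:15", "event_id": 4625, "user": "svc_backup",    "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:00:22", "event_id": 4625, "user": "jdoe",          "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:00:29", "event_id": 4625, "user": "admin",         "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:00:36", "event_id": 4625, "user": "svc_backup",    "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:01:10", "event_id": 4624, "user": "svc_backup",    "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-05-01T09:05:00", "event_id": 4625, "user": "jdoe",          "src_ip": "10.0.0.9", "logon_type": 2},
    {"time": "2024-05-01T09:05:40", "event_id": 4625, "user": "jdoe",          "src_ip": "10.0.0.9", "logon_type": 2},
    {"time": "2024-05-01T09:06:05", "event_id": 4624, "user": "jdoe",          "src_ip": "10.0.0.9", "logon_type": 2},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: summary} for every source with at least `threshold`
    failed logons inside any `window`, and note whether that source then
    logged on successfully (the case that needs immediate attention)."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        best = None                     # (count, first_index, last_index) of the densest window
        start = 0
        for end in range(len(fails)):   # sliding window over the time-sorted failures
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        burst = fails[s:e + 1]
        burst_start = _ts(burst[0])
        users = sorted({x["user"] for x in burst})
        success_after = sorted({x["user"] for x in evs
                                if x["event_id"] == 4624 and _ts(x) >= burst_start})
        findings[src] = {
            "failures": count,
            "distinct_users": len(users),
            # many accounts with a few tries each is a spray; one account hammered is brute force
            "pattern": "password spray" if len(users) > 1 else "brute force",
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_password_guessing(SAMPLE_EVENTS).items():
        print(src, summary)
```

The threshold and window are tuning knobs, not detections in themselves: a source with six failures in a minute is worth a look, but the finding that matters is a successful logon from the same source right after the burst, which is why the summary carries `success_after` separately rather than folding it into a score.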

Startup item additions

Through persistence, a malicious program survives restarts of the operating system and has its code triggered again. The main means are adding registry startup entries, adding files to the startup folder, creating system services, and installing kernel modules.
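The following Python is an added example (not Huawei's code) of how a collector can label registry and file events that land on the startup locations listed above, so that a "persistence" finding reaches the detection engine with the subject process attached. The event shape and the sample events are constructed; the location table covers the four mechanisms named in the paragraph plus a few other well-known Windows autostart locations and is a starting point, not a complete catalogue.

```python
"""Flag collected registry and file events that touch common Windows
autostart locations (ASEPs).

Added example for this article, not Huawei EDR code. Event shape and
sample events are constructed; the location list is illustrative.
"""
import re

# (regex over "key\value_name", label); matched case-insensitively
REGISTRY_ASEPS = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", "Run key"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", "Policy Run key"),
    (r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", "Winlogon"),
    (r"\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\Debugger$", "IFEO debugger"),
    (r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\(ImagePath|Parameters\\ServiceDll)$", "Service binary"),
]

# (regex over the file path, label)
FILE_ASEPS = [
    (r"\\Start Menu\\Programs\\Startup\\[^\\]+$", "Startup folder"),
    (r"^[A-Z]:\\Windows\\System32\\Tasks\\", "Scheduled task"),
    (r"^[A-Z]:\\Windows\\System32\\drivers\\[^\\]+\.sys$", "Kernel driver"),
]

# Constructed sample: an unsigned binary in Temp adds a Run key, a benign
# setting, an IFEO debugger and a Startup-folder shortcut; services.exe
# registers a new service; one ordinary temp file is written.
UPDATER = r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 4120, "image": UPDATER,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater", "value_data": UPDATER},
    {"type": "registry_set", "pid": 4120, "image": UPDATER,
     "key": r"HKCU\Software\Contoso\Updater", "value_name": "LastCheck", "value_data": "20240501"},
    {"type": "registry_set", "pid": 668, "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\WinSyncSvc", "value_name": "ImagePath",
     "value_data": r"C:\ProgramData\winsync\svc.exe"},
    {"type": "registry_set", "pid": 4120, "image": UPDATER,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
     "value_name": "Debugger", "value_data": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "pid": 4120, "image": UPDATER,
     "path": r"C:\Users\jdoe\AppData\Local\Temp\tmp1.dat"},
    {"type": "file_create", "pid": 4120, "image": UPDATER,
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"},
]


def classify_persistence(event):
    """Return the persistence technique label for an event, or None."""
    if event["type"] == "registry_set":
        target = event["key"] + "\\" + event["value_name"]
        table = REGISTRY_ASEPS
    elif event["type"] in ("file_create", "file_write"):
        target = event["path"]
        table = FILE_ASEPS
    else:
        return None
    for pattern, label in table:
        if re.search(pattern, target, re.IGNORECASE):
            return label
    return None


def persistence_findings(events):
    """One finding per event that writes to an ASEP, keeping the subject
    (pid, image) so the downstream engine can tie it into the process tree."""
    out = []
    for ev in events:
        label = classify_persistence(ev)
        if label:
            out.append({
                "technique": label,
                "pid": ev["pid"],
                "image": ev["image"],
                "target": (ev["key"] + "\\" + ev["value_name"]) if ev["type"] == "registry_set" else ev["path"],
                "payload": ev.get("value_data"),
            })
    return out


if __name__ == "__main__":
    for f in persistence_findings(SAMPLE_EVENTS):
        print(f["technique"], "<-", f["image"], "->", f["target"])
```

Two points a practitioner would add on top of this: the subject's signer and location matter as much as the target (a signed installer writing a Run key is routine, an unsigned binary in Temp doing so is not), and the real list of autostart locations is far longer than this table, which is why tools such as Sysinternals Autoruns enumerate dozens of them.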

API calls, system calls

API call collection records the APIs behind important system behaviors, such as network downloads, permission changes, memory modification, process injection and hook installation. None of these is malicious in itself, but they are used frequently while a malicious program executes. System call collection works the same way as API call collection, identifying access to resources, control operations and modifications of system configuration that occur in the system. Collecting at the system call or kernel level also matters because user-mode API hooks can be bypassed by code that issues system calls directly.

What data collection methods or means are available in the industry

Based on operating system and processor capabilities, Windows and Linux offer a variety of data collection methods. Because they rely on different technologies, they differ greatly in stability, reliability and compatibility; Figure 1-1 gives a simple comparison using the Windows data collection methods as an example.


Figure 1-1 Comparison of data acquisition methods in Windows system

Huawei device detection and response EDR data collection

Huawei's device detection and response EDR product combines the collection technologies above, including Windows kernel drivers, API hooks, ETW (Event Tracing for Windows) and other auxiliary techniques, drawing on the strengths of each to monitor system processes, threads, the registry, files, the network, DNS requests, API calls and more. The basic architecture is shown in Figure 1-2.


Figure 1-2 Huawei device detection and response EDR data acquisition architecture

In this architecture, the EDR kernel-mode component monitors processes, files, the registry, the network and other resources, and filters the resulting data through a kernel event filter. The user-mode component processes the events produced by the kernel, actively collects additional events such as DNS requests and CPU usage, and receives API call events reported from outside the EDR process, that is, from the hooks placed in other processes.

Based on this implementation, Huawei device detection and response EDR data collection has six characteristics in terms of functionality and security, as shown in Figure 1-3.


Figure 1-3 Huawei's device detection and response EDR data acquisition characteristics

1 Data integrity

In EDR scenarios, data integrity is especially important for detection, response, tracing and forensics. It covers the information used to build the process tree: process relationships, command lines, event trigger times, the history of file modifications and moves, the true file type and hash changes, registry changes, network connection details and DNS request details. An important difference between Huawei's device detection and response EDR and traditional EPP (Endpoint Protection Platform) products is that collection must satisfy the needs of process call chain construction and threat graph construction: every event must carry complete subject information, object information and a precise behavior type, so that the security system can analyze, handle and trace a threat after it is found.
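The process tree the paragraph describes is only as good as the identity the collector gives each process. The following added Python example (not Huawei's code; the events and field names are constructed assumptions) builds a tree from process start and exit events and shows why the key has to be (pid, start time) rather than the bare pid: both Windows and Linux reuse PIDs, so a table keyed on pid alone links a child to whichever process currently holds the parent's PID, which may be an unrelated process once the real parent has exited.

```python
"""Process tree construction from collected process start/exit events.

Added example for this article, not Huawei EDR code. Events and field
names (t, op, pid, ppid, image, cmdline) are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample: Word spawns cmd, which spawns PowerShell; Word exits;
# later Notepad starts and is handed Word's old PID 1234.
SAMPLE_EVENTS = [
    {"t": 0,  "op": "start", "pid": 800,  "ppid": 4,    "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"t": 10, "op": "start", "pid": 1234, "ppid": 800,  "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"t": 12, "op": "start", "pid": 5000, "ppid": 1234, "image": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
    {"t": 13, "op": "start", "pid": 5100, "ppid": 5000, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"t": 14, "op": "exit",  "pid": 1234},
    {"t": 20, "op": "start", "pid": 1234, "ppid": 800,  "image": "notepad.exe",    "cmdline": "notepad.exe"},
]


@dataclass
class Proc:
    pid: int
    start: int                      # time of the start event; (pid, start) is the identity
    image: str
    cmdline: str
    parent: Optional[Proc] = None   # object reference, so later PID reuse cannot rewire it
    end: Optional[int] = None


class ProcessTree:
    def __init__(self):
        self._live: dict[int, Proc] = {}   # pid -> the process that currently holds that pid
        self._all: list[Proc] = []

    def on_start(self, pid, ppid, image, cmdline, t):
        # The parent is whichever process holds ppid at this moment. If it has
        # already exited (events delivered out of order, or a short-lived parent
        # whose exit was processed first), the child becomes a root: parent=None.
        proc = Proc(pid, t, image, cmdline, self._live.get(ppid))
        self._live[pid] = proc             # a reused pid replaces the old entry
        self._all.append(proc)
        return proc

    def on_exit(self, pid, t):
        proc = self._live.pop(pid, None)
        if proc is not None:
            proc.end = t

    def find(self, pid, start):
        return next(p for p in self._all if p.pid == pid and p.start == start)

    def ancestry(self, proc):
        chain = []
        while proc is not None:
            chain.append(proc)
            proc = proc.parent
        return chain


def build_tree(events):
    tree = ProcessTree()
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["op"] == "start":
            tree.on_start(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"], ev["t"])
        else:
            tree.on_exit(ev["pid"], ev["t"])
    return tree


def ancestry_images(events, pid, start):
    """Image names from the given process instance up to its root."""
    tree = build_tree(events)
    return [p.image for p in tree.ancestry(tree.find(pid, start))]


def naive_parent_image(events, pid):
    """What a table keyed on bare pid reports as the parent: wrong after reuse."""
    image_of, ppid_of = {}, {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["op"] == "start":
            image_of[ev["pid"]] = ev["image"]
            ppid_of[ev["pid"]] = ev["ppid"]
    return image_of.get(ppid_of.get(pid))


if __name__ == "__main__":
    print("chain:", " <- ".join(ancestry_images(SAMPLE_EVENTS, 5100, 13)))
    print("naive parent of cmd.exe:", naive_parent_image(SAMPLE_EVENTS, 5000))
```

The tree resolves cmd.exe's parent to WINWORD.EXE, while the pid-keyed table answers notepad.exe. The remaining weakness, a parent that exits before its child's start event is processed, is why a kernel collector should stamp the parent instance at creation time: the Windows process-creation callback reports the parent process id synchronously with creation, before the parent has had a chance to exit.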

2 Deep collection

As the security confrontation intensifies, basic collection capabilities are no longer enough against advanced threats, and new bypass and evasion methods keep appearing; a collector must keep hold of the high ground of the offense-defense landscape and respond dynamically to attack methods it has not seen before. Huawei device detection and response EDR places collection points along generalized malware behavior, from process behavior to thread behavior and from file behavior to memory behavior, moving from shallow to deep; and it covers the full attack path, from network connections to bursts of logons and from registry changes to startup-item additions, moving from coarse to fine.

To keep collection effective against countermeasures such as bypass and tampering, the collector also protects itself on several fronts: its own processes, files, registry keys and services.

3 Behavior abstraction

Beyond conventional collection, Huawei's device detection and response EDR also collects composite behaviors, each made up of several individual events and abstracted from kernel collection and API call collection. Recognizing these anomalies inside the collector itself loses no confidence and reduces the complexity of the rules in the downstream detection engine. Two examples:

  • Injection behavior collection: on an endpoint, an injection consists of several distinct events. Endpoint security software usually hands these events to the detection engine one by one to be correlated there, which lengthens event processing and costs performance. In Huawei's device detection and response EDR, most injection behaviors are recognized directly inside the collection engine and decided early.
  • Shellcode collection: drawing on security experts' continuous tracking and analysis of the shellcode techniques used by Metasploit and Cobalt Strike, the collector monitors memory changes, shellcode generation and code execution at several points, extracts the key data, and directly abstracts malicious shellcode execution as a high-confidence behavior.
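As an added example (not Huawei's code) of the injection-behavior abstraction just described, and of what the API call collection from the earlier section feeds into, the following Python correlates API-call events inside the collector and emits one composite "injection" event when a source process completes the classic OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain against a target within a time window. The events are constructed as a user-mode hook collector might report them; the field names are assumptions. It also handles the common variant where memory is allocated read-write and only later made executable with VirtualProtectEx, and grades confidence by whether the written bytes and the new thread's start address both fall inside the allocated region.

```python
"""Composite event: recognize a remote-thread injection sequence inside the
collector and emit one behavior instead of four loosely related API calls.

Added example for this article, not Huawei EDR code. API-call events are
constructed; field names are assumptions.
"""
from collections import defaultdict

EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
REQUIRED = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
TRACKED = REQUIRED + ("VirtualProtectEx",)

# Constructed sample: pid 4120 injects into pid 2200 (RW allocation, then
# VirtualProtectEx to RX); pid 3000 only reads memory of the same target;
# a second, unfinished chain from 4120 against pid 2300 never creates a thread.
SAMPLE_EVENTS = [
    {"t": 1.00, "pid": 4120, "api": "OpenProcess",        "target_pid": 2200, "access": 0x1F0FFF},
    {"t": 1.02, "pid": 3000, "api": "OpenProcess",        "target_pid": 2200, "access": 0x0410},
    {"t": 1.05, "pid": 4120, "api": "VirtualAllocEx",     "target_pid": 2200, "base": 0x1A0000, "size": 0x1000, "protect": 0x04},
    {"t": 1.06, "pid": 3000, "api": "ReadProcessMemory",  "target_pid": 2200, "address": 0x7FF600000000, "size": 64},
    {"t": 1.10, "pid": 4120, "api": "WriteProcessMemory", "target_pid": 2200, "address": 0x1A0000, "size": 276},
    {"t": 1.12, "pid": 4120, "api": "VirtualProtectEx",   "target_pid": 2200, "address": 0x1A0000, "size": 0x1000, "new_protect": 0x20},
    {"t": 1.15, "pid": 4120, "api": "CreateRemoteThread", "target_pid": 2200, "start_address": 0x1A0000},
    {"t": 2.00, "pid": 4120, "api": "OpenProcess",        "target_pid": 2300, "access": 0x1F0FFF},
    {"t": 2.05, "pid": 4120, "api": "VirtualAllocEx",     "target_pid": 2300, "base": 0x2B0000, "size": 0x1000, "protect": 0x40},
]


class InjectionCorrelator:
    """Stateful correlator keyed on (source pid, target pid)."""

    def __init__(self, window=5.0):
        self.window = window                                     # seconds
        self._chains = defaultdict(lambda: defaultdict(list))    # key -> api -> [events]

    @staticmethod
    def _first_t(chain):
        return min((e["t"] for evs in chain.values() for e in evs), default=None)

    def feed(self, ev):
        """Return a composite event when the chain completes, else None."""
        if ev["api"] not in TRACKED:
            return None
        key = (ev["pid"], ev["target_pid"])
        chain = self._chains[key]
        first_t = self._first_t(chain)
        if first_t is not None and ev["t"] - first_t > self.window:
            chain.clear()                       # stale partial chain: start over
        chain[ev["api"]].append(ev)
        if not all(chain[api] for api in REQUIRED):
            return None

        alloc = chain["VirtualAllocEx"][-1]
        lo, hi = alloc["base"], alloc["base"] + alloc["size"]

        def in_region(addr):
            return lo <= addr < hi

        # The region must be executable, either from the allocation itself or
        # through a later VirtualProtectEx on it.
        executable = alloc["protect"] in EXEC_PROTECTIONS or any(
            p["new_protect"] in EXEC_PROTECTIONS and in_region(p["address"])
            for p in chain["VirtualProtectEx"])
        write = chain["WriteProcessMemory"][-1]
        thread = chain["CreateRemoteThread"][-1]
        # High confidence only when the bytes went into the new region and the
        # thread starts inside it; otherwise still report, at lower confidence.
        strong = executable and in_region(write["address"]) and in_region(thread["start_address"])
        composite = {
            "behavior": "remote_thread_injection",
            "confidence": "high" if strong else "medium",
            "src_pid": key[0], "target_pid": key[1],
            "region": (lo, hi), "bytes_written": write["size"],
            "t_start": self._first_t(chain), "t_end": ev["t"],
        }
        del self._chains[key]                   # chain consumed
        return composite


def correlate(events, window=5.0):
    """Feed time-ordered events through one correlator; return the composites."""
    corr = InjectionCorrelator(window)
    out = []
    for ev in sorted(events, key=lambda e: e["t"]):
        composite = corr.feed(ev)
        if composite:
            out.append(composite)
    return out


if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(c)
```

Other injection primitives (section mapping, APC queueing, thread-context hijacking) need their own chains, and a hook-based collector sees none of this if the malware issues system calls directly, which is why the API-hook source is paired with kernel callbacks and ETW rather than used alone.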

4 High performance

Because collection points sit in many places, such as file event, registry event and API call collection, performance is one of the main technical challenges of data collection. Huawei has made many optimizations and innovations in its device detection and response EDR: both the kernel-mode and user-mode modules contain built-in filtering engines that filter efficiently on subject, object, behavior and other attributes, screening data at the very front of the collection pipeline. Together with a trusted process tree and patented threat-graph noise reduction, this keeps a single endpoint's reporting below 20 MB per day while ensuring that key data is not discarded and that downstream detection and protection services have what they need.

5 Fine-grained control

For lightweight protection scenarios, Huawei's device detection and response EDR provides fine-grained switches for data collection: collection can be turned on, turned off, or partially turned off to further reduce resource consumption, and the same switches give flexible control over reporting when bandwidth is limited.

6 Multi-platform support

Besides Windows, Huawei device detection and response EDR also collects data on Linux. It uses BPF (Berkeley Packet Filter) for high-performance collection and, to accommodate different operating system versions, also relies on kernel modules and system callback mechanisms, building collection and protection for files, processes, the network, DNS requests and more. This provides the foundation for higher-level detection and protection scenarios such as ransomware, cryptomining, Trojans and lateral movement.

Conclusion

Huawei device detection and response EDR data collection uses file and network filtering, kernel monitoring, API hooks and log collection to perceive system anomalies and risks in multiple dimensions, providing full-stack, in-depth visibility data for detection, response and tracing, handling ransomware, cryptomining, Trojans and other unknown threats, and providing the fertile ground for building endpoint security capability.