A method of using modern endpoint detection and response (EDR) systems to protect against complex attacks
DOI: https://doi.org/10.30837/2522-9818.2024.2.182
Keywords: information and communication systems (ICS); EDR system; Security Operation Center; EDR agent; threat intelligence; EDR policy; detection of vulnerabilities.
Abstract
The subject of the research in this article is the architecture of Endpoint Detection and Response (EDR) systems and the EDR agent as their core component, considered in terms of the mechanisms for detecting and countering complex attacks on information and communication systems (ICS). The aim of the work is to develop a method for improving the efficiency of EDR use, so as to reduce the risk of compromising ICS information, industrial, and infrastructure objects by effectively redistributing and utilizing the available EDR mechanisms, the cybersecurity team, and the other resources available for implementing security measures in an enterprise, institution, or organization. The article addresses the following tasks: reviewing and analyzing existing EDR systems; analyzing the architecture of EDR solutions and EDR agents and the features of their use; and analyzing the logic behind the construction of methods and mechanisms for detecting threats to the system from malicious actors and malicious code. The task of providing recommendations for organizing ICS protection is also addressed separately, both in terms of the need to protect the entire ICS and its individual elements, and in terms of the available resources (the cybersecurity team, their qualifications, and their level of awareness of the architecture of EDR solutions) and means (available EDR system elements) for organizing protection. The following methods are used: modeling attack mechanisms and modeling attacker behavior. The following results were obtained: general and specific recommendations were formulated for optimizing the operation of EDR systems and ensuring the effective use of EDR system elements in the information and communication networks of enterprises, organizations, and institutions of various types and orientations, depending on the available resources and the information requiring protection.
Conclusions: The identified recommendations for the application of EDR mechanisms for protecting information systems and networks allow optimizing the costs of creating a protection infrastructure and implementing security measures, taking into account the characteristics of the available tools and the training and awareness of the cybersecurity team both in terms of response time to threats and the complexity and cost of performing protection tasks.
License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Our journal abides by the Creative Commons copyright rights and permissions for open access journals.
Authors who publish with this journal agree to the following terms:
Authors hold the copyright without restrictions and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
Authors are able to enter into separate, additional contractual arrangements for the non-commercial and non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
Authors are permitted and encouraged to post their published work online (e.g., in institutional repositories or on their website) as it can lead to productive exchanges, as well as earlier and greater citation of published work.