A method of using modern endpoint detection and response (EDR) systems to protect against complex attacks

Authors

DOI:

https://doi.org/10.30837/2522-9818.2024.2.182

Keywords:

information and communication systems (ICS); EDR system; Security Operation Center; EDR agent; threat intelligence; EDR policy; detection of vulnerabilities.

Abstract

The subject of the research in this article is the architecture of Endpoint Detection and Response (EDR) systems and the EDR agent as their base component, in terms of mechanisms for detecting and countering complex attacks on information and communication systems (ICS). The aim of the work is to develop a method for improving the efficiency of using EDR to reduce the risks of compromising ICS information, industrial, and infrastructure objects by effectively redistributing and utilizing the available EDR mechanisms, the cybersecurity team, and other resources available for implementing security measures in an enterprise, institution, or organization. The article addresses the following tasks: reviewing and analyzing existing EDR systems; analyzing the architecture of EDR solutions and EDR agents and the features of their use; and analyzing the logic behind the construction of methods and mechanisms for detecting threats to the system from malicious actors and malicious code. The task of providing recommendations for the organization of ICS is also addressed separately, both in terms of the need to protect the entire ICS and its individual elements, and in terms of the available resources (the cybersecurity team, their qualifications, and their level of awareness of the architecture of EDR solutions) and means (available EDR system elements) for organizing protection. The following methods are used: modeling attack mechanisms and modeling attacker behavior. The following results were obtained: general and specific recommendations were formulated for optimizing the operation of EDR systems and ensuring the effective use of EDR system elements in the information and communication networks of enterprises, organizations, and institutions of various types and orientations, depending on the available resources and the information requiring protection.
Conclusions: The identified recommendations for the application of EDR mechanisms for protecting information systems and networks allow optimizing the costs of creating a protection infrastructure and implementing security measures, taking into account the characteristics of the available tools and the training and awareness of the cybersecurity team both in terms of response time to threats and the complexity and cost of performing protection tasks.

Author Biographies

Kateryna Shulika, Kharkiv National University of Radio Electronics

M.Sc. at the Department of Information Technology Security

Dmytro Balagura, Kharkiv National University of Radio Electronics

PhD (Engineering Sciences), Associate Professor at the Department of Information Technology Security

Anton Smirnov, Kharkiv National University of Radio Electronics

PhD (Engineering Sciences), Associate Professor at the Department of Information Technology Security

Dmytro Nepokrytov, Ivan Kozhedub Kharkiv National Air Force University

Associate Professor at the Department of Radioelectronic Systems of Control Points of Air Forces

Andrii Lytvyn, Ivan Kozhedub Kharkiv National Air Force University

Senior Instructor at the Department of Radioelectronic Systems of Control Points of Air Forces

Published

2024-06-30

How to Cite

Shulika, K., Balagura, D., Smirnov, A., Nepokrytov, D., & Lytvyn, A. (2024). A method of using modern endpoint detection and response (EDR) systems to protect against complex attacks. INNOVATIVE TECHNOLOGIES AND SCIENTIFIC SOLUTIONS FOR INDUSTRIES, 2(28), 182–195. https://doi.org/10.30837/2522-9818.2024.2.182