1 Introduction
The cost of cybercrime related to malware alone is expected to reach $6 trillion globally by 2021. Therefore, defenses against malware and other cyber criminal attacks have never been more important for businesses, governments and individuals.
Supported by an organized underground economy that is well-funded and resourced, malware and other cyber criminal attack methods continue to evolve and proliferate at a rapid pace. The number of known threats has grown from less than 2,000 in the early 1990s to hundreds of millions today.
Malware also comes in many forms: viruses, worms, rootkits, botnets, fileless malware, ransomware, and crypto-miners, each representing a different way of exploiting known and unknown (zero-day) vulnerabilities in widely used operating systems and business applications.
In addition to the staggering volume of malware threats with hundreds of thousands of new variants detected every day, malware continues to become more complex as demonstrated by NotPetya, which included several propagation methods at its disposal to increase the likelihood of success.
The most sophisticated malware not only has several propagation/infection methods it can use, but is also increasingly split into multiple stages and uses multiple techniques to achieve its objectives and to avoid detection. These include credential theft and privilege escalation to access systems and data while disguised as legitimate users, and “code caves” to hide malicious code inside applications.
The potential impact of malware is also increasing, with thousands of private and public sector organizations continuing to be crippled by ransomware attacks designed to make money by encrypting critical data and demanding payment for its release.
Although NotPetya appeared to be ransomware, it is more accurately described as destructive malware, with potentially an even greater impact on business operations than true ransomware. NotPetya, like other “wiper” attacks, was designed to destroy or overwrite data.
Taken collectively, these attacks represent the rise of data-destroying malware that is part of a growing trend of state-sponsored attacks that are much more damaging than traditional cyber criminal attacks and tend to have a 100% penetration rate due to high levels of investment in their development.
At the same time, the number of attack techniques continues to expand beyond malware to include weaponized documents and even fileless attack methods that avoid signature-based detections by propagating through process or memory injection without being written and transferred as a file.
As a result, traditional threat detection systems that rely on signatures are no longer effective in the face of an increasing number of previously unknown malware variants and attack methods, as well as the growing number of fileless attacks that use legitimate native tools like PowerShell to assemble and execute the malicious payload.
The number of attack channels has also grown since the 1990s, from malicious emails, links and attachments to include malicious social media accounts, compromised legitimate websites, and compromised mobile and desktop applications, including browsers and browser plugins.
In the light of the developments in the threat landscape, it has become increasingly important for organizations to have multiple layers of defense as well as the capability to detect and respond to attacks that may slip past those defenses to limit the damage and ensure business continuity.
These layers of defense are typically focused on the endpoint and the network, which has given rise to Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) product sets, many of which are designed to detect new or previously unknown malware or attack types.
While EDR is a well-established market, NDR is the relatively new application of EDR principles to networks and adds another layer of defense to detect malware or malicious activity that may have slipped past endpoint defenses. NDR is typically used to detect potentially malicious network activity, investigate and perform forensics to determine root cause, and then respond and mitigate. These responses can even be automated to reduce response times to a minimum. NDR solutions also tend to log all activities from attached networks in a central secure location for real-time and later analysis.
NDR solutions can also help protect against non-malware threats, such as insider attacks, credential abuse, lateral movement, and data exfiltration, and they provide greater visibility into what is on the network and what activities are taking place. While most NDR solutions are designed to help security teams identify and stop suspicious activity as quickly as possible, many rely heavily on anomaly detection and therefore risk a high rate of false positives, or miss malicious activity altogether: unless individual actions can be connected to other activity in the network as part of an attack campaign, each action in isolation appears benign. A key differentiator for NDR technology is the use of multiple Machine Learning (ML) algorithms in the various analysis phases. At a high level, unsupervised ML finds outliers, while supervised ML models categorize possible threats among those outliers.
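The following is an added illustration, not code from this report or from any NDR product, of the pipeline just described: an unsupervised outlier stage (a robust median/MAD z-score) over constructed hourly flow summaries, a toy supervised stage (nearest labelled example, with a hand-made three-row training set) that categorizes each outlier, and a correlation step that only raises a campaign when two different non-benign techniques are seen on the same host. All hostnames, feature names and values are constructed for the example.

```python
import math
import statistics
from collections import defaultdict

# Constructed hourly per-host flow summaries (made-up sample data, not real traffic).
FLOWS = [
    {"host": "ws-01", "hour": 1, "mb_out": 5, "dsts": 3, "fail_auth": 0, "ext": 0},
    {"host": "ws-01", "hour": 2, "mb_out": 6, "dsts": 4, "fail_auth": 0, "ext": 0},
    {"host": "ws-02", "hour": 1, "mb_out": 4, "dsts": 2, "fail_auth": 0, "ext": 0},
    {"host": "ws-02", "hour": 2, "mb_out": 7, "dsts": 3, "fail_auth": 1, "ext": 0},
    {"host": "ws-03", "hour": 1, "mb_out": 5, "dsts": 3, "fail_auth": 0, "ext": 0},
    {"host": "ws-03", "hour": 2, "mb_out": 6, "dsts": 90, "fail_auth": 40, "ext": 0},
    {"host": "ws-03", "hour": 3, "mb_out": 900, "dsts": 2, "fail_auth": 0, "ext": 1},
    {"host": "bkp-01", "hour": 3, "mb_out": 800, "dsts": 1, "fail_auth": 0, "ext": 0},
]
NUMERIC = ("mb_out", "dsts", "fail_auth")   # features used by the unsupervised stage
FEATURES = NUMERIC + ("ext",)                # features used by the supervised stage
# Hand-labelled training rows for the toy supervised classifier (constructed).
TRAIN = [((850, 1, 0, 0), "backup"), ((900, 2, 0, 1), "exfiltration"),
         ((5, 80, 35, 0), "lateral_movement")]
BENIGN = {"backup"}

def robust_z(values):
    """Modified z-score (median/MAD); falls back to mean absolute deviation when MAD is 0."""
    med = statistics.median(values)
    dev = [abs(v - med) for v in values]
    mad = statistics.median(dev)
    scale = mad if mad else 1.2533 * statistics.mean(dev)
    return [0.0 if scale == 0 else 0.6745 * (v - med) / scale for v in values]

def find_outliers(flows, threshold=3.5):
    """Stage 1 (unsupervised): a record is an outlier if any feature's |z| exceeds threshold."""
    z = {f: robust_z([r[f] for r in flows]) for f in NUMERIC}
    return [r for i, r in enumerate(flows) if any(abs(z[f][i]) > threshold for f in NUMERIC)]

def classify(record):
    """Stage 2 (supervised): label of the nearest training row, features scaled by training maxima."""
    scale = [max(max(x[i] for x, _ in TRAIN), 1) for i in range(len(FEATURES))]
    point = [record[f] / s for f, s in zip(FEATURES, scale)]
    def dist(x):
        return math.sqrt(sum((a / s - b) ** 2 for a, s, b in zip(x, scale, point)))
    return min(TRAIN, key=lambda t: dist(t[0]))[1]

def correlate(flows):
    """Stage 3: link non-benign detections per host; two distinct techniques on one host
    form a campaign that a single isolated alert would not have revealed."""
    seen = defaultdict(list)
    for r in find_outliers(flows):
        label = classify(r)
        if label not in BENIGN and label not in seen[r["host"]]:
            seen[r["host"]].append(label)
    return {h: labels for h, labels in seen.items() if len(labels) >= 2}

if __name__ == "__main__":
    print(correlate(FLOWS))  # {'ws-03': ['lateral_movement', 'exfiltration']}
```

Note that bkp-01's large nightly transfer is also an outlier in stage 1 but is categorized as a backup in stage 2 and never reaches the campaign output, which is the false-positive reduction the text attributes to the supervised layer.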
NDR is likely to grow in importance as a layer of cyber defense for organizations because without an effective monitoring capability, networks provide an easy route for attackers into enterprise infrastructure that is connected to every device, application, service and data store. While EDR provides a detailed view of the processes running on a host and interactions between them, NDR provides a detailed and complementary view of the interactions between all devices on the network.
With both EDR and NDR products, key features include the ability to identify malicious behavior accurately so that they do not generate a huge volume of alerts, the ability to analyze detections and carry out investigations quickly and easily, and the ability to push responses to security products deployed in the enterprise IT environment to block and remediate attacks.
In the light of the hybrid reality of most enterprise IT environments, it is also important for EDR and NDR products to work across all the main operating systems found in modern enterprises, integrate with a wide range of security products, and work across systems on premises and in the cloud.