Why Defense in Depth Matters to fight attackers
The recent trend
During my time here at CYPFER working on both red and blue team engagements I have noticed a recent trend across a broad spectrum of organizations. This trend is that there appears to be a false sense of security and misunderstanding when it comes to EDR solutions and their overall protection within an environment. Questions that appear far too often during engagements are “Why didn’t our EDR pick this up”, or “It was detected, why wasn’t it blocked”. More often than I would like to admit during offensive security engagements, the simplest solution is often the best at beating EDR. In reality an EDR’s strong suit is detecting anomalous behavior on a host such as malicious command execution like adding a user to the administrator’s group, so, what happens when your actions look like a legitimate user? A great example of this is, what is the difference between an attacker using local administrator credentials to RDP to a host, compared to an IT admin leveraging the same local administrator credentials to RDP to the same host? Even better, what are the odds of detecting a DCSync attack when a domain controller’s computer account is leveraged for authentication? The unfortunate truth is a lot of organizations tend to think that just because they have an EDR solution in place this inherently makes them safe against all types of attacks, but this is not the case.
An EDR solution is only the first step in securing your environment
Nowadays, an EDR solution in place within the environment is only the first step towards creating a secure environment. We have seen many top-of-the-line EDR solutions across a wide range of environments, yet we still manage to achieve domain compromise in almost every single one. Often these compromises start through common misconfigurations that you all have probably heard a million times “local administrator password reuse”, “default credentials”, “insufficient password policy”, or ”Cleartext credential storage”. How does this relate to EDR’s? Well, when it comes to lateral movement, in most scenarios one of the easiest ways to get past EDR solutions isn’t with some newly developed EDR bypass technique, but by blending into the environment and acting like an everyday user. Instead of leveraging psexec or wmiexec, which is often quickly detected by EDR solutions, RDP to the host if it is available, potentially even just plain old SMB and enumerate administrative shares. More often than not both of these techniques grant remote access to the target host while bypassing the EDR solution allowing for enumeration of the host as a local privileged user. Unfortunately, threat actors are noticing this too. It is becoming more and more common that threat actors are leveraging the tools available to your everyday users or IT administrators within the internal environment along with common misconfigurations that often go unfixed and , during an incident, undetected. While EDR solutions are advancing and becoming more sophisticated the best way to secure your environment is with a multi-layered defense in depth approach, EDR solutions are only first piece of the puzzle.
EDR, NDR, and XDR, what’s the difference?
EDR, NDR, or XDR, what’s the difference? A key to knowing which solution best suits your needs as an organization comes down to understanding each solution’s capabilities and drawbacks.
As shown above EDR’s main capabilities are behavioral analysis of endpoints. So, unless the activity can be explicitly identified as malicious or anomalous, it can slip through the cracks. In general, we have seen lots of confusion when it comes to EDR and XDR. Quite often companies believe that EDR contains the same capabilities as an XDR solution, but unfortunately this is not the case. Unless an EDR solution has been fine tuned to the environment or is paired with a network monitoring solution then it is very difficult for the EDR solution to determine a local admin login to be malicious.
Defense in depth approach, “don’t place all your eggs in the same basket”
Defense in depth is probably a phase majority of you have heard before, essentially all it means is “don’t place all of your eggs in the same basket”. Defense in depth means that no single control is sufficient to protect the environment. This is especially true modern internal networks where lateral movement and credential abuse are common. While Endpoint Detection and Response (EDR) solutions are valuable for identifying malicious behavior on hosts, relying on them as the sole detection mechanism creates blind spot, particularly for attacks that leverage legitimate tools, encrypted traffic, or misconfigured services. Adversaries increasingly operate “living off the land,” blending in with normal activity in ways that may not trigger EDR alerts until late in the attack chain, if at all. Effective security requires layered controls, including network segmentation, identity monitoring, logging and SIEM correlation, intrusion detection systems, and strong access controls, to detect and contain threats at multiple points. By distributing visibility and enforcement across the environment, organizations reduce the likelihood that a single control failure leads to a full compromise.
Story Time
One of my favorite engagements over the last little while involved leveraging local administrator credential reuse to RDP to a host which contained the clients internal backup solution. Once on the host, to access the backup solution, we were once again able to leverage the local administrator’s credentials. After accessing the backup solution, we created a backup of the primary domain controller, exfiltrated the backup, and finally extracted NTDS.dit from the backup resulting in domain compromise. Tell me, what are the odds that your EDR solution will stop that attack chain? Nothing fancy, no brand new EDR bypass techniques, just misconfigurations combined with everyday administrative tools.
Prevention and detection methods
This attack chain demonstrates why organizations cannot rely on EDR alone as their primary security strategy. While an EDR solution may detect certain stages of the attack, such as credential dumping, suspicious tool execution, or data exfiltration, it offers limited protection when attackers are able to leverage legitimate credentials and administrative access throughout the environment. In this case, the compromise was enabled by weak identity and access controls, unrestricted RDP access, and excessive privileges within the backup infrastructure. A layered defense-in-depth strategy such as including unique local administrator passwords through Windows LAPS, privileged access segmentation, strict controls around backup systems and their time of operation, as well as continuous monitoring of administrative activity would have significantly reduced the attack surface and likely prevented the attack chain all together. The ability to execute and exfiltrate Domain Controller backups ultimately provided us with the means to obtain the NTDS.dit database and achieve full domain compromise, underscoring that strong security depends on multiple preventive and detective controls working together, not on EDR alone.How CYPFER can help you
This is where traditional penetration tests come into play. At CYPFER we don’t just test your environment with toolsets that would commonly be detected. Our goal isn’t just to find the quickest path to Domain Admin, we perform thorough adversary enumeration leveraging attacks, techniques, and exploit chains that are commonly observed within cyber security incidents. Our goal is to identify as many vulnerabilities, misconfigurations, or gaps within coverage as possible within the provided timeframe to help your team strengthen your environment. The results we provide can assist you in identifying gaps within your current solutions allowing you to take the necessary steps in narrowing the gaps so that if an incident were to occur, you will be better prepared. Here at CYPFER we have a broad range of services available to assist your team in securing your environment. During testing we are consistently taking thorough and detailed notes on which techniques worked and which were detected to be able to provide you with as much valuable feedback as possible, whether it’s a detection capability assessment, an internal penetration test, or red team engagement.
- Have you ever checked your EDR’s detection capabilities?
- Is your EDR in active response mode? Have you ever tested it?
- Are you able to differentiate between legitimate traffic and malicious traffic?