CSIS RESEARCH - Weakness in Microsoft Defender for Endpoint identified

April 26, 2023

Introduction

In today’s rapidly evolving cybersecurity landscape, organisations rely on robust security solutions such as Endpoint Detection and Response (EDR) tools to protect their systems and data from cyber threats. However, even these advanced tools can have weaknesses.

In a recent Incident Response case, CSIS Security Group (CSIS) discovered a bypass technique that exploited a weakness in Microsoft Defender for Endpoint (MDE), one of the leading EDR products in the market. This weakness allowed the malicious activity to continue undetected, posing a significant risk to organisations.

In this blog post, we will discuss the details of the cyber incident, its implications, and recommendations for mitigating the risk.

Background

CSIS was contacted by a company, which was not a Managed Detection and Response (MDR) customer of CSIS, that had fallen victim to a cyber incident. CSIS was tasked with leading the Incident Response investigation, conducting an in-depth root cause analysis, and providing remediations and security recommendations.

The analysis revealed that the attackers had compromised five servers and obtained domain administrator privileges.

The attackers managed to exploit a weakness in MDE’s threat detection and response mechanisms. To verify the potential tactic, a test lab was set up and the steps of the attacker were replicated, documenting that a weakness in MDE indeed existed. CSIS has reported the issue to Microsoft, and full disclosure of the bypass technique will be revealed once the issue has been addressed by Microsoft. Read more about what we can reveal at this stage, in our anonymized Incident Response case report.

Implications and Recommendations

This weakness in Microsoft Defender for Endpoint mechanisms poses a significant risk to organisations, as it allows attackers to bypass the EDR and carry out malicious activities without being stopped by the tool itself.

To mitigate this risk, organisations are advised to take the following actions:

1. Implement multiple layers of security - such as Network Detection and Response (NDR), Security Information and Event Management (SIEM), amongst other tools. These additional layers can help protect against a wider range of threats and minimise the impact of a potential bypass.
2. Regularly apply patches and updates – keeping all software, including operating systems and applications, up-to-date with the latest security patches is essential for reducing vulnerabilities and maintaining a robust security posture. Timely patching helps prevent attackers from exploiting known weaknesses in your organisation’s systems.
3. Conduct ongoing threat hunting - to proactively search for and identify potential threats and vulnerabilities in their environment.
4. Perform root cause analysis - to fully understand the scope and impact of any security incidents, even if EDR tools claim the threat was mitigated.
5. Boost detection and auto-remediation - with custom detection rules and organisational procedures, such as in-depth analysis of suspicious behaviour, even if your security tool reports these threats were remediated.
6. Implement 24/7 eyes-on detection and response - with a strong Service Level Agreement (SLA) to ensure a rapid response to any potential threats.
7. Stay informed - of the latest research and developments in the cybersecurity field and maintain constant awareness of new findings that could impact your organisation’s security posture.

Conclusion

This incident highlights the importance of staying vigilant and adapting to the rapidly evolving threat landscape. While Microsoft Defender for Endpoint is a valuable tool in protecting organisations against cyber threats, this bypass technique exposes a risk in relying on security tools alone.

It emphasizes the need for a comprehensive approach, encompassing technology, skilled personnel, and effective processes, to protect organisations from emerging cyber risks effectively. By sharing this information, CSIS aims to raise awareness of this issue and prompt both organisations and vendors to take appropriate action to safeguard their systems and data.

As the saying goes, “a chain is only as strong as its weakest link”, and the same applies to cybersecurity. It is crucial to continually assess and strengthen every aspect of an organisation’s security posture to defend against advanced and persistent threats effectively.

Customers of CSIS’s MDR service using MDE are protected against this threat.

CSIS - REST ASSURED

Contact: Jan Kaastrup jka(a)csis.com