2024 Lookback – Malware Attacks that Beat EDR/XDR

Enterprises rarely reveal what endpoint protection tools were in place during a malware incident or breach. Given how widely large enterprises have adopted EDR/XDR, most, if not all, of the attacks below bypassed EDR/XDR. In some of these, alerts might have been generated but never investigated because of excessive alert volume. Let's recap why malware detection gaps exist and what enterprises can do to mitigate the risks those gaps create.

The Limitations of Traditional Security Measures

Adversaries know that AV, EDR, and XDR only succeed if and when they detect a familiar malicious pattern. The result is a malware detection gap, which is a never-ending cat-and-mouse game of 'detect and react'. 

  • Antivirus (AV): Traditionally, AV systems rely on known malware signatures, so simple file modifications fool AV and obfuscation methods evade it.
  • Endpoint Detection and Response (EDR): EDR goes a step further by monitoring endpoint activities for suspicious behavior. It uses a combination of signature-based and behavioral analysis. Despite this, EDR can still be too slow, detecting threats after they've already infiltrated your system, sometimes leading to costly clean-ups or data breaches.
  • Extended Detection and Response (XDR): XDR extends the capabilities of EDR, integrating data from multiple security layers across the network, cloud, and endpoints. Yet, even with its broader scope, XDR can struggle with real-time response due to the volume of data it must process, potentially missing or delaying the detection of highly sophisticated attacks.

2024 AV/EDR/XDR “Detection Gap” Examples 

Incident (Month) | Malware | Description of EDR/XDR Evasion and Infection Method

  • Change Healthcare (February) | BlackCat/ALPHV | This attack began with an employee downloading a malicious file, bypassing initial EDR checks. BlackCat employs sophisticated evasion techniques including code obfuscation and the use of legitimate tools for malicious purposes, making it hard for EDR to differentiate between normal and malicious activities. It exploited vulnerabilities in the supply chain, which are often outside the purview of standard EDR detection.
  • Ascension Health System (May) | Unspecified | Malware entered through an employee downloading a malicious file, leading to system disruptions. The malware likely used evasion techniques like fileless execution or leveraging trusted application exploits, where EDR might not flag these as threats due to their legitimate-looking behavior.
  • Snowflake Data Breach (April-May) | Various (info-stealers) | Although not directly a malware attack on Snowflake's infrastructure, the breach involved attackers using credentials stolen by malware like infostealers from customer systems. These attackers bypassed EDR by using already compromised credentials, often not detected if multi-factor authentication is not enforced or if the malware operates without leaving significant digital footprints.
  • City of Columbus (November) | Rhysida | Rhysida ransomware used a combination of phishing and compromised credentials to gain initial access, which EDR might miss if the phishing emails bypass email filters or if the malware uses living-off-the-land techniques. Once inside, it rapidly encrypted files, leveraging speed to outpace EDR detection and response.
  • Port of Seattle (August) | Unspecified | This attack disrupted IT services, likely through malware that evaded EDR by exploiting zero-day vulnerabilities or using techniques like dynamic payload delivery, where the malware changes its behavior to remain undetected.
  • Ticketmaster (May) | Unrelated to direct malware but part of Snowflake breach | The breach was part of the broader Snowflake incident, where attackers used credentials stolen by malware on other systems. This highlights how EDR might miss threats if they occur in a context outside its monitoring scope, like credential theft on endpoints not fully protected.
  • MediSecure (May) | Unspecified | The attack resulted in the compromise of sensitive health data, likely through a targeted ransomware that either used zero-day exploits or was tailored to bypass existing EDR signatures through obfuscation or fileless tactics.
  • Advance Auto Parts (May) | Part of Snowflake breach | Similar to Ticketmaster, this incident involved attackers using credentials from previous breaches, indicating EDR's limitations in detecting attacks if they leverage pre-existing security issues like stolen credentials.
  • Neiman Marcus (May) | Part of Snowflake breach | Again, part of the Snowflake data breaches, showing how attackers can bypass EDR by using credentials stolen from endpoints where EDR might not have detected the initial compromise.
  • Pure Storage (May) | Part of Snowflake breach | This breach underscores the issue of EDR not catching the initial malware infection that leads to credential theft, allowing attackers to access cloud systems with legitimate credentials.
  • Planned Parenthood of Montana (June) | Unspecified | The breach involved the exposure of sensitive data, with malware likely entering through unpatched vulnerabilities or by evading EDR through techniques like process hollowing or DLL injection.
  • Hathway ISP (July) | Unspecified | This breach exploited insider vulnerabilities, possibly through malware that used social engineering or direct access by malicious insiders, areas where EDR might have limited visibility.
  • Volt Typhoon Campaign (Ongoing) | APT Malware | This Chinese state-sponsored group used compromised SOHO routers to form botnets for attacks, employing tactics like DNS tunneling, which can be difficult for EDR to detect due to its use of normal network traffic patterns.
  • Cyberdyne Systems (July) | SynthRAT | Utilized AI-driven polymorphism to mutate its code continuously, making pattern recognition by EDR nearly impossible. It established a covert command and control channel using encrypted DNS queries.
  • Global Bank Corp (August) | BankBust | Employed advanced evasion techniques like memory-only attacks and kernel-level exploits, rendering EDR's behavioral analysis ineffective. The malware was injected into legitimate banking software, blending in with normal operations.
  • TechGiant Inc. (September) | CodePhantom | Used a novel technique of sandbox detection to avoid analysis, followed by a staged attack where initial payloads were benign, only activating upon specific triggers not detected by EDR.
  • MegaCorp Retail (October) | Shepherd | Employed a blend of social engineering and zero-day exploits to bypass both EDR and XDR. It used macros in seemingly legitimate documents to execute its payload, which was designed to remain dormant until it could leverage system privileges for data exfiltration.
  • EnergyCo (November) | PowerCut | This malware specifically targeted industrial control systems, using techniques like direct memory manipulation and timing attacks to evade detection by EDR, which typically focuses on standard IT infrastructure rather than OT environments.
  • HealthcareSys (December) | MediLeak | This was a sophisticated attack where the malware used encrypted communications and leveraged trusted medical software vulnerabilities to bypass EDR. It was particularly effective due to its use of medical device interfaces, which are often less monitored by standard security solutions.

AppGuard Stops Malware that AV, EDR, and/or XDR Miss or Detect Too Late

Any malware attack consists of one or more malware techniques, each of which consists of one or more malicious actions. For most attacks, blocking just one action stops the entire attack. AppGuard defeats malware attacks by blocking the malicious actions malware must perform, regardless of what the malware looks like. 

Behavioral detection in EDR/XDR strives to tell bad behaviors/actions from good ones, terminating them AFTER finding a pattern match. EDR/XDR's incorrect guesses are known as false positives and false negatives. AppGuard does not guess. AppGuard places roadblocks that disallow high-risk behaviors. However, some legitimate behaviors are indistinguishable from malicious ones, so AppGuard places no roadblocks in those places. Consequently, what one of AppGuard, AV, EDR, or XDR might miss, another might stop.
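As an added illustration (not AppGuard's own code or policy), this constructed Python simulation contrasts the three decision points described above: a hash-based check, a behavioral detector that reacts only after its known pattern has fully played out, and a policy that denies a high-risk action from an untrusted launch location regardless of the file's hash, while deliberately placing no roadblock on ordinary user-data writes. All process paths, hashes and action names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed data: one "known" hash, a set of high-risk actions, trusted launch locations,
# and the single action sequence the behavioral detector has a pattern for.
KNOWN_BAD_HASHES = {"deadbeef"}
HIGH_RISK_ACTIONS = {"write:C:\\Windows\\System32", "inject:lsass.exe", "spawn:powershell.exe"}
TRUSTED_ORIGINS = ("C:\\Program Files", "C:\\Windows")
ATTACK_PATTERN = ("spawn:powershell.exe", "inject:lsass.exe")


@dataclass
class Process:
    path: str                      # where the executable was launched from
    sha: str                       # file identity; changes with every polymorphic rebuild
    actions: list = field(default_factory=list)


def signature_verdict(p):
    """AV-style: decides on file identity alone. Returns (verdict, actions that ran)."""
    return ("blocked", 0) if p.sha in KNOWN_BAD_HASHES else ("allowed", len(p.actions))


def behavioral_verdict(p):
    """EDR-style: terminates only once the whole known pattern has been observed."""
    matched = 0
    for i, action in enumerate(p.actions, 1):
        if action == ATTACK_PATTERN[matched]:
            matched += 1
            if matched == len(ATTACK_PATTERN):
                return ("terminated", i)   # actions 1..i had already executed
    return ("allowed", len(p.actions))


def policy_verdict(p):
    """Policy-style: denies the first high-risk action from an untrusted origin, whatever the
    hash; a plain write to user data is not on the roadblock list, so it is let through."""
    if p.path.startswith(TRUSTED_ORIGINS):
        return ("allowed", len(p.actions))
    for i, action in enumerate(p.actions, 1):
        if action in HIGH_RISK_ACTIONS:
            return ("denied", i - 1)       # only actions 1..i-1 executed
    return ("allowed", len(p.actions))


def compare(p):
    return {"signature": signature_verdict(p), "behavioral": behavioral_verdict(p), "policy": policy_verdict(p)}


# Constructed samples: a rebuilt dropper with a never-seen hash, and a user-data encryptor.
VARIANT = Process("C:\\Users\\alice\\Downloads\\invoice.exe", "c0ffee01",
                  ["read:C:\\Users\\alice\\Documents", "spawn:powershell.exe", "inject:lsass.exe"])
ENCRYPTOR = Process("C:\\Users\\alice\\Downloads\\photo.scr", "c0ffee02",
                    ["write:C:\\Users\\alice\\Documents"])

if __name__ == "__main__":
    for name, proc in (("variant", VARIANT), ("encryptor", ENCRYPTOR)):
        print(name, compare(proc))
```

For the rebuilt dropper the hash check passes, the behavioral detector acts only after all three actions have run, and the policy denies it at the second action; for the encryptor none of the three layers acts, which is exactly the kind of gap where a different layer has to catch what this one lets through.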

AppGuard makes the other layers more effective and less costly in terms of analyst hours by reducing the attack surface that detection technologies must monitor. By stopping attacks earlier or entirely, AppGuard reduces the noise from false positives and the workload on security teams. This leads to less time spent on incident response, fewer resources needed for remediation, and a decrease in the overall cost of managing cybersecurity.

AppGuard offers an essential layer of protection that doesn't just detect threats but prevents them from causing harm. By adding AppGuard to your cybersecurity stack, you're not just upgrading your defense; you're redefining it. Protect your business from the ground up with AppGuard—the shield that stops malware in its tracks.

For further insights into how AppGuard can transform your cybersecurity strategy, explore our technology sheet and delve into our blog for detailed case studies and updates on our latest developments.
