Editor’s Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog content to elastic.co. See Elastic Security to learn more about our integrated security solutions.
We are excited to announce the release of Reflex™. Reflex is the first technology to move customized protection within reach of security teams, combining a flexible architecture, query language, and a host-based execution engine that eliminates the time between detection and response, addressing the “breakout window” across enterprise networks. Reflex runs in-line on the endpoint, with no need for human interaction or confirmation, to stop adversaries before they have the chance to cause damage or loss.
The purpose of this post is to talk about why we developed Reflex and walk through a few use cases.
Why is Reflex necessary?
Expanded protection across ATT&CK
At Endgame, we’ve built and continue to extend as many behavioral protection layers as possible. We extend protection across the entire MITRE ATT&CK matrix, covering phases of an attack from initial access through to actions on objectives. The idea is that the more layers put in place between an adversary and their objective, the closer to zero the probability that the attacker will move undetected, reducing the time it takes to detect and respond to an incident before significant damage or loss.
Different adversary techniques require different solutions. Typically, endpoint protection products provide inline preventions for a small subset of an overall attack, focused on blocking initial access, malware-based execution, or fileless techniques like process injection. With the rise of attacker focus on misuse of credentials and legitimate tools like PowerShell, that’s not enough. And while this is a significant issue for Windows clients and servers, it is an even bigger problem for defenders protecting Mac and Linux, where malware- and exploit-detection-based approaches will fail.
Even the so-called “next-gen” endpoint protection vendors struggle to defend against broader adversary techniques, because they are mostly focused on detections across post-compromise portions of ATT&CK. From the outset, we knew that for Endgame to protect across the widest set of techniques, we needed to deliver the best data through a unique and flexible architecture. We use the Event Query Language (EQL) to process our endpoint telemetry with a set of primitives that take into account complex ancestry and temporal relationships between the entire body of telemetry data on an endpoint. Using this data, we can describe nearly every technique in ATT&CK with precision and generate high-fidelity detections, leading to an enormous increase in the scope of protections we provide – all of which can run in prevention or detection mode.
Endgame stops the problem, we don’t just tell you about it
Manual triage, scoping, and response by the SOC are time-consuming and error-prone next steps. Our customers don’t want us to just tell them about problems, they want us to stop problems with high confidence and give them the necessary capability and context to enable their scoping, response, and verification processes.
Some advanced and budget-rich SOCs are beginning to use security orchestration, automation, and response (SOAR) products to try to take automated preventative actions when certain conditions present themselves. Aside from introducing yet another platform into an already complex set of workflows and processes, this out-of-band approach not only adds latency, it can be limited and inflexible in terms of outcomes.
With 98% of our customers choosing Endgame for prevention, we needed to bring prevention technology across the entire MITRE ATT&CK Matrix.
Some endpoint protection vendors claim to allow users to create their own detections - a desirable feature for many organizations, especially for mature teams who have already embraced the death of a one-size-fits-all approach to information security. What you don’t get from any vendor, beyond very basic blacklisting or rudimentary application control features, is the ability to deploy customized preventions. You can use the endpoint agent to stop inline what your vendor lets you stop, and that’s it. Anything else you want to stop happens out-of-band from seconds, to minutes, or maybe even hours later.
Drawbacks of Cloud-Reliance
Building analytics on top of endpoint telemetry data is not new. The user-creation of detections has been a common selling point for vendors that layer ‘analytics’ on top of a SIEM, and as the EDR market matures, creating rules against the EDR data-lake will become part of the next buzzword-bingo card. The vendors that shout the loudest about data, streaming, and analytics all have one thing in common – an overwhelming reliance on their vendor-owned cloud services. The cloud is great for large scale analytics and threat hunting. You need massive data to develop and noise-test possible detections, whether they’re implemented in EQL or otherwise.
What the cloud isn’t great for is prevention. It is slow. Data is shipped from endpoint to cloud, run through an analytics engine, and an alert is displayed in a SOC. In the time that takes, a malicious process will often have already completed, and the attacker is off and running. Disconnected endpoints get no protection at all. If any alerts appear they are inherently detection-only, requiring manual response.
Cloud analytics plus manual response or orchestration is not good enough for prevention. We need to deploy our preventative controls on the endpoint and operate them effectively in-line.
Reflex in Action
Reflex enables users to create and deploy protections across MITRE ATT&CK. These protections apply to connected and disconnected endpoints and operate in near real-time.
Endgame ships with a large number of analytics to detect malicious behaviors with high confidence. Techniques such as misuse of PowerShell and other often-abused built-in utilities, spear-phishing as indicated by suspicious child processes of applications like Word, system reconnaissance, stealthy persistence, and much more are handled out-of-the-box via Endgame-provided Reflex analytics. The power of Reflex allows our users to take action to contain and stop the malicious behavior and THEN investigate what happened, as opposed to investigating what is already happening well into the breakout window.
Our users are exceptionally well protected with what we provide. However, at Endgame we’re committed to giving users the tools they need to create security solutions tailored to their own unique environment. The most exciting capability of Reflex is that users can create their own protections which include a choice of preferred response actions.
Let’s run through a few examples of Reflex in action.
Discovery command sequences
Discovery commands, also referred to as enumeration commands, comprise an entire tactic column of ATT&CK. What is Discovery all about? When an attacker lands on an endpoint, they won’t usually know exactly where they are, what’s around them in the network, and what is on the endpoint. They will often run a set of commands to assess things like where the system can route to, what processes are running, what’s on the filesystem, what user accounts exist, what timezone the machine is in, and much more. This allows the attacker to get a good picture of the value of the system, its suitability for use as a persistent beachhead on the endpoint, and what opportunities may exist for lateral movement. Discovery techniques are a great set of adversary actions for defenders to look for.
The problem with Discovery is that the commands run by an attacker are commands often run by users and admins. If a user is having network trouble, she may run “ipconfig /all” to look at the network configuration. She may run “tasklist” to look at running processes. And so on. Alerting every time any one of these commands is run would be a false-positive disaster.
Many attackers will run a series of these commands via a script. This will lead to execution on the endpoint of a set of commands within a certain time window. Performing an analytic for this activity requires maintenance of state, which is very difficult for many products but a core use case for EQL.
The EQL above allows us to look for Discovery commands run within a short window. Our engine maintains state on the endpoint and knows when the customized threshold for alerting is met.
It is great to have a capability to alert on this, but even better to stop the problem. This custom Reflex could be configured to kill or suspend the parent process, which would be the script host or shell from which the individual Discovery commands (and perhaps other malicious activity) are spawning.
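As an added illustration (not Endgame’s code or the EQL shown in the original post), here is the state an endpoint engine has to keep for this case: a per-parent sliding window of distinct Discovery commands, with a configurable threshold. The utility list, field names and sample events are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed list of commonly enumerated Windows utilities (assumption; tune per environment).
DISCOVERY_CMDS = {"ipconfig.exe", "tasklist.exe", "whoami.exe", "net.exe",
                  "systeminfo.exe", "nltest.exe", "arp.exe", "netstat.exe"}


class DiscoverySequenceDetector:
    """Counts distinct discovery commands per parent process inside a sliding
    window: the on-endpoint state an EQL 'sequence ... with maxspan' needs."""

    def __init__(self, threshold=4, window_s=60.0):
        self.threshold, self.window_s = threshold, window_s
        self._seen = defaultdict(deque)   # ppid -> deque of (ts, process name)
        self._alerted = set()             # alert once per parent

    def observe(self, ev):
        """Feed one event; return (ppid, commands) when the threshold is met."""
        if ev["event"] != "process_start":
            return None
        name = ev["process_name"].lower()
        if name not in DISCOVERY_CMDS:
            return None
        q = self._seen[ev["ppid"]]
        q.append((ev["ts"], name))
        while q and ev["ts"] - q[0][0] > self.window_s:   # expire entries outside the window
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) >= self.threshold and ev["ppid"] not in self._alerted:
            self._alerted.add(ev["ppid"])
            # A Reflex response action (suspend or kill ev["ppid"]) would be taken here.
            return ev["ppid"], sorted(distinct)
        return None


# Constructed telemetry: an admin (parent 100) runs two commands 50 s apart;
# a script host (parent 777) runs four distinct discovery commands in seconds.
SAMPLE_EVENTS = [
    {"ts": 0.0, "event": "process_start", "ppid": 100, "process_name": "ipconfig.exe"},
    {"ts": 50.0, "event": "process_start", "ppid": 100, "process_name": "tasklist.exe"},
    {"ts": 200.0, "event": "process_start", "ppid": 777, "process_name": "whoami.exe"},
    {"ts": 201.0, "event": "process_start", "ppid": 777, "process_name": "net.exe"},
    {"ts": 202.0, "event": "process_start", "ppid": 777, "process_name": "systeminfo.exe"},
    {"ts": 203.0, "event": "process_start", "ppid": 777, "process_name": "nltest.exe"},
]


def run(events, threshold=4, window_s=60.0):
    """Replay events through the detector and collect the (ppid, commands) hits."""
    det = DiscoverySequenceDetector(threshold, window_s)
    return [hit for hit in (det.observe(e) for e in events) if hit]
```

Lowering the threshold or widening the window trades noise for coverage, which is exactly the tuning the text says must be customizable.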
Spear-phishing
Spear-phishing is the most common way for adversaries to get initial access to networks. Endgame has many layered capabilities in place to block spear-phishing, including MalwareScore for macros, our machine learning-powered malicious document classifier, and a host of Endgame-provided Reflex analytics.
When an attacker spear-phishes for access, they seek to gain execution on the endpoint. One way this will usually manifest itself in the endpoint data is as a malicious child process of an MS Office application. Process ancestry queries are often difficult to implement in relational database-backed security tools because of the performance impact of the complex joins they require on the backend, but Reflex was designed from the ground up to support process ancestry as a core feature that is easy to express and performant to execute.
The EQL above fires any time PowerShell launches anywhere below Word, Excel, or PowerPoint in a process ancestry tree. This simple expression is a great example of the power of EQL. Users might combine this with an automatic, on-the-endpoint action to immediately kill the PowerShell process.
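An added example (not Endgame’s code) of the ancestry check that a “descendant of” style query expresses: a small process tree built from process-start events, walked upward from each new script host. Image names, pids and the sample events are constructed; real telemetry keys on a unique pid to survive pid reuse.

```python
# Image names the detection keys on (assumption: lowercased, no path).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe"}


class ProcessTree:
    """pid -> (name, ppid), built from process-start events. Pids are assumed
    unique here; a production sensor would use a unique process id instead."""

    def __init__(self):
        self.procs = {}

    def add(self, ev):
        self.procs[ev["pid"]] = (ev["process_name"].lower(), ev["ppid"])

    def ancestors(self, pid):
        """Yield ancestor names parent-first, stopping at unknown pids
        (processes started before the sensor) and guarding against loops."""
        seen, ppid = set(), self.procs.get(pid, (None, None))[1]
        while ppid in self.procs and ppid not in seen:
            seen.add(ppid)
            name, ppid = self.procs[ppid]
            yield name

    def descendant_of(self, pid, names):
        return any(a in names for a in self.ancestors(pid))


def detect_office_spawned_hosts(events):
    """Return pids of script hosts anywhere below an Office app; each is a
    candidate for an immediate on-endpoint kill action."""
    tree, hits = ProcessTree(), []
    for ev in events:
        if ev["event"] != "process_start":
            continue
        tree.add(ev)
        if ev["process_name"].lower() in SCRIPT_HOSTS and tree.descendant_of(ev["pid"], OFFICE_APPS):
            hits.append(ev["pid"])
    return hits


# Constructed telemetry: Word -> cmd.exe -> powershell.exe (a direct-parent
# check would miss the middle hop), plus a benign shell under Explorer.
SAMPLE_EVENTS = [
    {"event": "process_start", "pid": 4, "ppid": 1, "process_name": "explorer.exe"},
    {"event": "process_start", "pid": 10, "ppid": 4, "process_name": "WINWORD.EXE"},
    {"event": "process_start", "pid": 11, "ppid": 10, "process_name": "cmd.exe"},
    {"event": "process_start", "pid": 12, "ppid": 11, "process_name": "powershell.exe"},
    {"event": "process_start", "pid": 20, "ppid": 4, "process_name": "powershell.exe"},
]
```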
Policy enforcement
Organizations have a huge variety of policies they wish to enforce, from regulatory and compliance directives to self-declared, internal IT guidelines. Reflex can be used to enforce and block a huge set of this surface, and its customizability is necessary given how varied IT and security policies are between organizations.
The universe of possible Reflexes in this area is nearly endless, but we’ll briefly cover one illustrative example.
This simple EQL is deployed in an environment that doesn’t want to allow any unsigned processes executing outside of the base Windows and Program Files folders. This restrictive policy would block many unwanted applications or pieces of potential malware. One can imagine how to extend this into a huge number of other use cases - blocking execution from network shares, restricting to a set of named applications, only allowing network connections from allowed applications, and much more.
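An added example (not Endgame’s code) of the same policy as a predicate over process-start events, including the path handling a naive prefix comparison gets wrong: case, forward slashes, “..” segments and directory boundaries. The allowed roots, field names and events are constructed for the example.

```python
import ntpath

# Policy roots (assumption: a standard C: install; extend for other volumes).
ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def is_under(path, root):
    """True when path lies inside root after normalization: case-insensitive,
    '..' and '/' resolved, and on a directory boundary so that a sibling
    folder such as Windows2 is not mistaken for something under Windows."""
    p = ntpath.normpath(path).lower()
    r = ntpath.normpath(root).lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def violates_policy(ev):
    """Block: an unsigned image executing outside every allowed root."""
    if ev["event"] != "process_start" or ev.get("signed", False):
        return False
    return not any(is_under(ev["process_path"], r) for r in ALLOWED_ROOTS)


def blocked_pids(events):
    """Pids the Reflex would act on (kill before the process runs further)."""
    return [ev["pid"] for ev in events if violates_policy(ev)]


# Constructed events exercising the boundary cases the check has to get right.
SAMPLE_EVENTS = [
    {"event": "process_start", "pid": 1, "signed": True, "process_path": r"C:\Users\bob\tool.exe"},
    {"event": "process_start", "pid": 2, "signed": False, "process_path": r"C:\WINDOWS\System32\cmd.exe"},
    {"event": "process_start", "pid": 3, "signed": False, "process_path": r"C:\Users\bob\tool.exe"},
    {"event": "process_start", "pid": 4, "signed": False, "process_path": r"C:\Windows\..\Users\bob\tool.exe"},
    {"event": "process_start", "pid": 5, "signed": False, "process_path": r"C:\Windows2\tool.exe"},
    {"event": "process_start", "pid": 6, "signed": False, "process_path": "c:/program files/vendor/app.exe"},
]
```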
Matching across event types
It is necessary in security to flexibly join and match across event types in order to ask the right security-relevant questions. EQL and Reflex support this in a straightforward and performant manner. One example use case is as follows.
This query joins across three different event types: file, process, and network. It fires when a process executes whose backing file was dropped by a PowerShell process that had talked on the network. Why does this matter? PowerShell is often used as a mechanism to download and run malware that the adversary hosts on the internet. The attacker gains execution, runs a short PowerShell command to grab a file from the network, and then that file is executed. It is trivial to link all of these events together with EQL, and using the Reflex engine we can kill all related processes effectively in real time, with no cloud connection or round trip required.
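An added example (not Endgame’s code) of the three-step join kept as endpoint state: network activity by a downloader, a file it then writes, and a later process start backed by that file, each step bounded by a maximum span. Event shapes, the downloader list and the sample telemetry are constructed.

```python
DOWNLOADERS = {"powershell.exe"}   # assumption: extend with other download-capable built-ins


class DownloadThenExecute:
    """Three-step join: network(pid) -> file_write(pid, path) -> process_start(path).
    State lives on the endpoint, keyed first by the downloader pid, then by path."""

    def __init__(self, maxspan_s=300.0):
        self.maxspan_s = maxspan_s
        self.net_seen = {}    # downloader pid -> ts of its first network event
        self.dropped = {}     # lowercased file path -> (downloader pid, write ts)

    def observe(self, ev):
        """Feed one event; return a response decision when the chain completes."""
        kind, name = ev["event"], ev.get("process_name", "").lower()
        if kind == "network" and name in DOWNLOADERS:
            self.net_seen.setdefault(ev["pid"], ev["ts"])
        elif kind == "file_write" and ev["pid"] in self.net_seen:
            if ev["ts"] - self.net_seen[ev["pid"]] <= self.maxspan_s:
                self.dropped[ev["path"].lower()] = (ev["pid"], ev["ts"])
        elif kind == "process_start":
            hit = self.dropped.get(ev["process_path"].lower())
            if hit and ev["ts"] - hit[1] <= self.maxspan_s:
                # Response: kill the new process and the downloader that wrote it.
                return {"kill": sorted({ev["pid"], hit[0]}), "path": ev["process_path"]}
        return None


# Constructed telemetry: PowerShell (pid 500) talks to the network, writes a file,
# and that file is executed; notepad's ordinary file write must not match.
SAMPLE_EVENTS = [
    {"ts": 1.0, "event": "network", "pid": 500, "process_name": "powershell.exe", "dest": "203.0.113.5:443"},
    {"ts": 2.0, "event": "file_write", "pid": 500, "process_name": "powershell.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"ts": 5.0, "event": "file_write", "pid": 600, "process_name": "notepad.exe", "path": r"C:\Users\bob\notes.txt"},
    {"ts": 6.0, "event": "process_start", "pid": 501, "ppid": 500, "process_name": "update.exe",
     "process_path": r"C:\Users\bob\appdata\local\temp\UPDATE.EXE"},
    {"ts": 7.0, "event": "process_start", "pid": 601, "ppid": 4, "process_name": "notepad.exe",
     "process_path": r"C:\Windows\System32\notepad.exe"},
]


def run(events, maxspan_s=300.0):
    """Replay events and collect every response decision the join produced."""
    det = DownloadThenExecute(maxspan_s)
    return [d for d in (det.observe(e) for e in events) if d]
```

Note that the join matches on the dropped file path rather than on parent pid, so it still fires if the downloaded file is launched later by a different process.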
Reflex changes the game for defenders, allowing for configurable, real-time, cloud-less prevention across Windows, Mac, and Linux. Security teams want control, and they want prevention without complexity, delay, or friction between totally separate tools. Reflex provides all of that in a straightforward and performant package.