
This creates a dangerous blind spot for security operations centers that depend on endpoint telemetry to monitor their environment. When an EDR agent stops reporting, it can indicate a system shutdown, a network connectivity problem, or this new form of attack.
Woods and Manroad made recommendations for organizations looking to defend against this attack vector. They suggested blocking unauthorized security software installations, detecting suspicious EDR installations, and deploying application control solutions to implement custom "indicators of attack". They said that application-aware firewalls and secure web gateways can help block access to unauthorized security vendors' portals.
The researchers provided detailed instructions for security teams to test this attack vector in their own environments, emphasizing the importance of understanding how these attacks appear in organizational security telemetry. They recommend conducting controlled tests on separate systems, monitoring for gaps in existing security tools, and analyzing the attack timeline and indicators.
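As an added illustration (not from the article or from the researchers' own instructions), the following Python detection logic runs over constructed EDR heartbeat and software-install events and separates a silent agent that coincides with an unapproved security-vendor install from one with no such explanation. The vendor allowlist, the silence threshold and the event field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): EDR heartbeat events and
# software-installation events as a SIEM might hold them, one dict per event.
HEARTBEATS = [
    {"host": "ws-01", "ts": "2024-05-01T09:00:00"},
    {"host": "ws-01", "ts": "2024-05-01T09:05:00"},
    {"host": "ws-02", "ts": "2024-05-01T09:00:00"},
    {"host": "ws-02", "ts": "2024-05-01T09:40:00"},
]
INSTALLS = [
    {"host": "ws-01", "ts": "2024-05-01T09:07:00", "vendor": "OtherEDR Inc"},
    {"host": "ws-02", "ts": "2024-05-01T09:06:00", "vendor": "Approved EDR Co"},
]
AUTHORIZED_VENDORS = {"Approved EDR Co"}   # assumed corporate allowlist
SILENCE = timedelta(minutes=15)            # assumed heartbeat-gap threshold


def _t(s):
    return datetime.fromisoformat(s)


def silence_gaps(heartbeats, now, threshold=SILENCE):
    """Return {host: last_seen} for hosts whose agent has not checked in
    within `threshold` of `now` (an ISO-8601 string)."""
    last = {}
    for hb in sorted(heartbeats, key=lambda e: e["ts"]):
        last[hb["host"]] = _t(hb["ts"])
    return {h: t for h, t in last.items() if _t(now) - t > threshold}


def classify_silent_hosts(heartbeats, installs, now, authorized, threshold=SILENCE):
    """Label each silent host. A non-allowlisted security-vendor install within
    `threshold` of the last heartbeat is the suspected cause; otherwise the
    silence is unexplained (shutdown, network issue, or another attack)."""
    findings = {}
    for host, last_seen in silence_gaps(heartbeats, now, threshold).items():
        lo, hi = last_seen - threshold, last_seen + threshold
        rogue = [i["vendor"] for i in installs
                 if i["host"] == host and i["vendor"] not in authorized
                 and lo <= _t(i["ts"]) <= hi]
        findings[host] = (("suspected_rogue_edr", rogue) if rogue
                          else ("agent_silent_unexplained", []))
    return findings


if __name__ == "__main__":
    for host, verdict in classify_silent_hosts(
            HEARTBEATS, INSTALLS, "2024-05-01T10:00:00", AUTHORIZED_VENDORS).items():
        print(host, verdict)
```

In a real SOC the allowlist would come from the asset inventory and the threshold from the agent's configured check-in interval; hosts in the unexplained bucket still need triage, since a shutdown and an attack look the same from the missing heartbeat alone.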

