2023 Prediction: EDR and MFA Evasion Tactics Will Increase

January 18, 2023
By: Simon Yelsky

As ransomware and malware become increasingly sophisticated, spending on and adoption of security products are on the rise. It is estimated that, globally, companies spend over $2B annually on endpoint detection and response (EDR) [1] and another $12B plus on multi-factor authentication (MFA) [2]. Yet while spending on the next generation of data security may be up, so, too, is the rate of ransomware infection. In fact, 2022 is recorded as the "worst year for ransomware attacks statistically," with the rate of successful infection increasing by 80% year-over-year [3]. In the wake of these reports, how much is the current security stack actually doing to protect organizations from attack? We predict that security evasion tactics, particularly against EDR and MFA technologies, will continue to drive the infection rate, leaving companies to seek new ways to protect their data.


What is EDR and How Easy is it to Evade?

Endpoint Detection and Response (EDR), the relative newcomer to the perimeter defense scene, takes a different approach from traditional endpoint security. Traditional malware detection typically involves either static analysis, which searches the code itself for suspicious "DNA," or dynamic analysis, which runs the suspicious code in a secured "sandbox" to analyze its behavior. EDR, by contrast, monitors the code's behavior as it runs on a production machine or network, reacting in real time to suspicious activity.

A simple web search for EDR evasion returns a plethora of diagrams, instructions and proofs-of-concept covering a number of tactics, from hardware breakpoints [4] to disabling Event Tracing for Windows (ETW) [5] to removing EDR hooks by issuing direct system calls [6], or even exploiting known driver vulnerabilities [7]. While described as more of a "craft than a science," evading EDR technology is estimated to add "only one additional week of development time to the typical infection of a large organizational network" [8]. So while EDR is still an upgrade over traditional endpoint security, it is by no means fail-proof.


Does EDR Stop a Data Exfiltration Attack?

Data exfiltration attacks have changed the way ransomware is monetized in recent years. By stealing a copy of the data before encrypting it, threat actors gain additional leverage over their victims: the threat to publish the data in retaliation for an unpaid ransom. Data exfiltration has proven to be the silver bullet ransomware actors needed to undermine backup strategies and drive ransomware payouts to crisis levels.

EDR products, by monitoring code's behavior as it runs on a machine or network, should be able to shut down a ransomware attack in progress. Yet do they? Actual detection rates show mixed results, with only a handful of vendors touting detection rates above 90%. In addition, employee mistakes and credential theft still rank high among the causes of data exfiltration, and these are causes that endpoint products are not equipped to detect [9].


What is MFA and How Effective is it in Defending Against Data Exfiltration and Other Ransomware Attacks?

Multi-factor authentication (MFA) is a defense technology designed to counter human error and stolen credentials. Requiring additional proof of identity before accessing files or taking certain actions has proven effective in reducing the risk of a breach. Yet, just as with EDR, evasion tactics abound, including man-in-the-middle (MITM) attacks, man-in-the-endpoint attacks, hijacked authentication APIs, SIM swapping, and the list goes on [10]. In fact, Okta reported a surge in MFA bypass attacks in late 2022 [11].

Also plaguing MFA's effectiveness: low adoption rates and misconfigurations. The Cyber Readiness Institute estimates that 46% of small-to-medium sized businesses have implemented MFA, but that only 13% require its use. Of the companies that did not implement it, many claim they did not understand it or see the value [12]. The extra steps required to access data in a busy work environment cause many companies to stay lax on their MFA policies.


Cyberstorage Protects Data When Security Solutions Fail

A layered approach to security is always the best practice, but as cyber attacks grow in sophistication, new layers may need to be added to the security stack. Cyberstorage, an emerging category coined by Gartner last year, approaches data protection from the vantage point that attack is inevitable and, unlike traditional security solutions that are intended to keep malware out, cyberstorage solutions focus on protecting data once malware gets in. Merging high-performance security with active archive, accessible file share and data backup, cyberstorage solutions offer protection where it's needed most: right onto the data itself. 


Turning Stolen Data into Digital Sludge

By transforming how data is stored, Calamu Protect, the flagship cyberstorage platform from Calamu, is built to withstand a ransomware attack and eliminate the impact of a breach. Sitting as a layer between security defenses and cloud file management and backup, Calamu Protect’s award-winning engine automatically encrypts, fragments and scatters data across geographically disparate locations. A neutral data harbor runs the process and holds the keys to piecing the fragments back together instantaneously for authorized users. This process ensures that even if accessed, stolen data would be rendered useless because attackers would only gain access to the encrypted fragments and never the entire data set. We call these fragments "digital sludge." 

In addition, Calamu Protect provides granular file-level challenge-backs that take multi-factor authentication to the next level. Customizable policy options protect individual data files or multiple data sets from being accessed, removed or encrypted, depending on the user-defined level of security needed. The Calamu Protect platform also includes triggers and automated responses to further detect and block an attack as it is happening inside the repository. Responding proactively to suspicious behavior, the Calamu platform quarantines the threat location and then self-heals impacted data files to prevent any downtime for the victim. As the fight against ransomware evolves, protection at the data level is becoming increasingly critical against ransomware, theft and exfiltration.

Ready to see Calamu cyberstorage in action? Schedule a customized demo now with one of our experts.



References

[1] IMARC
[2] Global News Wire
[3] TechCrunch
[4] Blindside
[5] BINARLY
[6] Medium
[7] Tech Target
[8] Ars Technica
[9] Security Boulevard
[10] Cybersecurity Ventures
[11] Tech Target
[12] Cyber Readiness Institute

