
EDR (Endpoint Detection and Response) 

  • busrabeslekoglu7
  • Jul 30
  • 3 min read

The Need for New Solutions Against Emerging Threats

Traditional antivirus applications can fall short against advanced attacks and offer little insight into how an attack behaves. They detect malware by matching the digital signatures of already-known threats. Today's threat landscape, however, is full of constantly changing, shape-shifting threats, and systems remain exposed to zero-day attacks that no signature yet covers. This is where more powerful security solutions are needed: ones that analyze threats by their behavior.


Why is EDR necessary?

EDR continuously monitors the activity taking place on each endpoint. Beyond monitoring and threat detection, it shows how an attack started and how it spread, analyzing the attack process using the Cyber Kill Chain logic. With its real-time intervention feature, it can stop the attack, isolate the computer from the network, and quarantine the file; this shows that an EDR solution does not merely watch but also mounts an active defense. When IOCs (Indicators of Compromise), the digital footprints of an attack, have been loaded into the system and are later encountered, they are detected automatically, and EDR correlates them with the relevant techniques and tactics in MITRE ATT&CK. This makes it possible to analyze not only whether an attack exists but also its purpose, method, and potential impact. In addition, thanks to IOAs (Indicators of Attack), which describe behavioral patterns seen while an attack is in progress, it is possible to proactively detect and prevent not only confirmed threats but also attack attempts that are still unfolding.


How is the attack process monitored? What does EDR do?

Using behavioral telemetry that agents collect from the systems they run on, EDR provides an overview of the security events at each endpoint.


The EDR interface typically includes a dashboard. This panel presents actionable summaries in a simple view instead of a clutter of raw data. You can access the following information through it:


Active Monitoring and Threat Detection: Threats and incidents detected in real time can be viewed here. The system classifies malicious activity by the tactics and techniques it corresponds to (based on the MITRE ATT&CK framework); you can find this under the heading “Detections by Tactics”.


Real-Time Threat Score: The system rates the organization's security posture on a scale of 0–100. This visual metric lets you see the risk level at endpoints at a glance and makes clear which events analysts should look at first. The lower the score, the more secure the system is.


Real-Life Scenario Example: NotPetya

Stage 1: Infection via Malicious Email

  • An enterprise user opens a fake email attachment.
  • Macros are executed in the Excel/Word file.
  • NotPetya ransomware is installed on the computer in the background.


Stage 2: Spread and Discovery on the Network

  • NotPetya jumps to other computers on the network using the EternalBlue vulnerability (lateral movement).
  • It also steals administrator passwords using Mimikatz.
  • It quickly scans the entire network and targets every accessible system.


Stage 3: Encrypting and Disabling Systems

  • NotPetya directly encrypts the disk's master boot record (MBR) rather than individual files.
  • The computer reboots and no longer starts up.
  • All the user sees is the ransom note: $300 in BTC is demanded.


Ransomware like NotPetya aims to bypass traditional security solutions by burrowing deep into systems. Today, however, an EDR solution backed by behavioral analysis can detect every link in this attack chain at an early stage.


EDR products now protect your organization not only against NotPetya but against all advanced ransomware by instantly detecting macro-based attacks, lateral movement, and suspicious system changes.


Result: With EDR, the attack is tracked step by step: it shows when, where, and how (the cyber kill chain) the system was attacked. Fast, real-time intervention prevents further damage.
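To make the ideas above concrete (IOA rules mapped to MITRE ATT&CK tactics, the “Detections by Tactics” panel, the 0–100 threat score, and the kill-chain ordering of the NotPetya stages), here is an added Python example; it is not code from the original post or from any EDR product. The telemetry events, rule names, and score weights are constructed for illustration, and the technique IDs are MITRE ATT&CK's; a real EDR runs far richer rule sets over live agent telemetry.

```python
from collections import Counter

# Constructed telemetry for one endpoint, in the order the agent reported it.
EVENTS = [
    {"host": "ws-01", "type": "process", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"host": "ws-01", "type": "process", "parent": "cmd.exe", "image": "rundll32.exe"},
    {"host": "ws-01", "type": "process", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-01", "type": "proc_access", "image": "rundll32.exe", "target": "lsass.exe"},
    {"host": "ws-01", "type": "network", "dst_port": 445, "distinct_dsts": 120},
    {"host": "ws-01", "type": "raw_disk_write", "device": r"\\.\PhysicalDrive0"},
]
OFFICE = {"WINWORD.EXE", "EXCEL.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# IOA rules: (constructed name, ATT&CK tactic, ATT&CK technique ID, constructed weight, predicate).
RULES = [
    ("Office app spawned a shell", "Execution", "T1204.002", 20,
     lambda e: e["type"] == "process" and e["parent"].upper() in OFFICE
               and e["image"].lower() in SHELLS),
    ("Handle opened on LSASS memory", "Credential Access", "T1003.001", 30,
     lambda e: e["type"] == "proc_access" and e["target"].lower() == "lsass.exe"),
    ("SMB fan-out to many hosts", "Lateral Movement", "T1210", 25,
     lambda e: e["type"] == "network" and e["dst_port"] == 445 and e["distinct_dsts"] >= 50),
    ("Raw write to the boot disk", "Impact", "T1561.002", 40,
     lambda e: e["type"] == "raw_disk_write" and "PhysicalDrive0" in e["device"]),
]

def detect(events):
    """Run every IOA rule over every event; return detections in event order."""
    return [{"host": e["host"], "rule": name, "tactic": tactic, "technique": tech, "weight": w}
            for e in events for name, tactic, tech, w, match in RULES if match(e)]

def detections_by_tactic(hits):
    """The dashboard's 'Detections by Tactics' panel: a count per ATT&CK tactic."""
    return dict(Counter(h["tactic"] for h in hits))

def threat_score(hits):
    """0-100 risk score from summed rule weights, capped at 100 (lower is safer)."""
    return min(100, sum(h["weight"] for h in hits))

def kill_chain(hits):
    """Distinct tactics in first-seen order: the when-and-how timeline of the attack."""
    seen = []
    for h in hits:
        if h["tactic"] not in seen:
            seen.append(h["tactic"])
    return seen

if __name__ == "__main__":
    hits = detect(EVENTS)
    print(detections_by_tactic(hits), threat_score(hits), " -> ".join(kill_chain(hits)))
```

Note that the benign explorer.exe → chrome.exe event and the cmd.exe → rundll32.exe event produce no detection, while the four stages of the scenario each trip one rule, so the dashboard shows one detection per tactic and the score saturates at 100.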


In summary, EDR solutions detect advanced threats by monitoring behavioral data at the endpoint in real time. They analyze the stages of an attack using the Cyber Kill Chain model, classify them by MITRE ATT&CK tactics and techniques, and offer automatic intervention capabilities. Risk levels are measured, which enables effective threat management and a robust cybersecurity posture.

