Use Case: The Purple Guys Blocks Credential Theft Using Endpoint Detection and Response; Why Antivirus Isn’t Enough Anymore

Not that long ago, having antivirus software was a “good enough” approach to keeping malware and viruses off your business computers. Today, traditional antivirus software struggles to detect and remove modern attacks that can lead to ransomware and exfiltrated data such as usernames and passwords. Endpoint Detection & Response, or EDR, is the answer to securing your devices against these more advanced, modern threats. We wanted to share a real-world example of how a cyberattack could have succeeded if it weren’t for EDR being installed instead of a traditional antivirus.

On a Saturday, we received an alert from the Endpoint Detection and Response platform installed on one of our client’s computers. The EDR flagged a program as suspicious and prevented it from running its code. After investigating the alert and the program in question, we were able to verify that the program was, in fact, malicious. The cybersecurity community believes that this specific malware was designed to steal credentials and log keystrokes of infected machines.

We were able to determine that this malware was delivered in a phishing email, disguised as an invoice in an Excel file. After infection of the computer, the malware sat intentionally dormant and waited until the weekend to execute the payload. Modern threats like these are intelligently designed to run during off hours and weekends to avoid detection.

So how was EDR able to stop this attack? It all comes down to how EDR works. Unlike antivirus software that relies on static definitions, EDR works by examining behavior. When the malware tried to run its malicious code, it attempted to use a powerful Windows tool called PowerShell. Since this behavior was seen as irregular and suspicious, the EDR software prevented it from executing and sent us an alert to investigate. If EDR was not in place, this program would have been able to execute its purpose and steal data and credentials from the infected machine.

Are you interested in a more detailed breakdown of Endpoint Detection & Response? We have an article on our blog explaining what exactly EDR is, how it works for small business, and why antivirus is no longer enough to protect your devices. If you would like to discuss in detail how you can start protecting your organization with EDR please reach out to us here or give us a call at 816-222-1100.

Get Award-Winning IT Support Today



Get Access to Resources to Help You Thrive

Download Now