Do You Need Persistent Agents to Fight Persistent Threats?

August 27, 2015

When you think about how your organization can deal with network intrusions and Advanced Persistent Threats (APT), you’ll eventually start to think about your incident response procedures and capabilities.  Many organizations hit a roadblock at this point because of the financial and resource investment required to deploy an enterprise-scale incident response tool that has persistent agents running on every endpoint.

A recent Gartner blog supported this observation. Our blog post talks about why you don’t always need to go the route of deploying persistent agents to give yourself the endpoint visibility that you need to properly respond.

Motivation for Endpoint Visibility

Agents are needed during incident response for endpoint visibility. More specifically, there are two common uses for agents:

  • Investigation: You are suspicious about an endpoint and want to triage and then investigate it to see if it is compromised, what it it is related to etc.
  • Scoping or Hunting: You have an indicator from another incident, such as file path or registry key, and want to scan the endpoint to see if it has the same indicator. If it does, then it may have also been compromised.

The investigation process typically involves more analysis techniques and is a longer process while the scoping and hunting process is faster on each host, but needs to cover many more hosts.

Once you’ve decided that you need endpoint visibility, you need to pick a solution. The agents generally fit into two categories:

  • Persistent agents are installed on each end point before an incident occurs and they are there waiting to be called into action. Some of them play a role in detecting incidents and others are sleeper agents that are largely dormant until needed.
  • Non-persistent agents are installed and run as needed on an endpoint.  Installation could be from a USB drive, using a standard IT remote administration tool, or a dedicated incident response tool that uses a non-persistent approach.

When looking at the various remote collection approaches, there are trade offs. Let’s look at them first.

  1. Preparation: What needs to be done to an endpoint before you can use the approach? Do you have to install anything?  Do you need to configure the system differently? How many endpoints do you need to multiply these processes by?
  2. Impact: What traces are left behind after? Are there traces in the registry, files, etc? Did it store a password hash for an administrator account?  How much evidence did it potentially overwrite?
  3. Accuracy: How resilient is it to data hiding techniques? Does it rely on operating system features that could have been modified by an attacker and therefore be producing false information?
  4. Security:  Does the agent introduce new security vulnerabilities into your system and potentially allow the attacker to get more access into your systems or allow them to plant false evidence into your collection?

Comparing the Agents

Where their data comes from & what they let you do

Persistent and non-persistent agents have more in common than they have differences. Let’s review the commonalities first.

When you scan or collect data from an endpoint, you need to be able to access memory and storage media. The memory contains information about what is currently running and maybe the only place on the system that contains advanced malware. The hard drive may contain other pieces of intrusion evidence, such as malware that was downloaded from websites and e-mails, registry modifications, and event logs.

Both types of agents allow you to investigate and hunt. Once you get the non-persistent agent running, it can do everything the persistent agent can do.  Both can collect volatile data to identify suspicious processes and network connections, collect malware, and hunt for IOCs.

Both types of agents can also be integrated with your security infrastructure. Your SIEM, incident detection system, or incident ticketing system can trigger either type of agent to start a collection of a suspicious end point.

Limitations of Persistent Agents: Time & Money

The biggest challenges with persistent agents, in our experience, is getting them approved and maintained. A persistent agent will often require the approval of IT, so they will want to review the agent to look at:

  • The memory and CPU resources required by the agent during normal operation and the performance impact on the user.  
  • The privileges required by the agent to run on the endpoint.  Most incident response agents will require administrator-level access so that it can access all data.
  • Instability caused by the agent on the system based on conflicts with other agents.

Depending on the company, this can be a lengthy process.  Once the agents are approved and deployed, some organizations have found that the solutions are not as reliable as they had hoped.  When they need to perform a hunt in the enterprise, not all of the endpoints can be reached or have working agents. At that point, however, it is harder to justify again going through the process of getting a new solution approved.

There is also a cost challenge with persistent agents. Many of them are licensed according to how many endpoints you are installing the agents on, rather than how often you will use the system or how many responders you have. When you are setting up a new incident response capability, this may be more money than you are willing to invest.

Limitations of Nonpersistent Agents: Time & Infrastructure

No solution is 100% perfect, and non-persistent agents have their downsides as well. First, either your IR tool needs to be able to deploy its agents as needed, or you need to have basic IT infrastructure in place to do so. It doesn’t often scale to manually copy and run agents as needed if you don’t have automated deployment in place. However, this can be as simple as using PsExec or WMI to copy single executables and run them.

Once you have the infrastructure to deploy at will, you may find a couple of other challenges.  One is that hunting may be slower because the agent needs to be copied to the host every time you want to do a scan.  You can still certainly do hunting, it may just take longer to reach every host in the enterprise.

The other challenge you may have with basic non-persistent agents is that your collection is of only a small snapshot in time. While some persistent agents can collect data 24 hours a day, many, though not all, non-persistent approaches collect data and leave.  This may limit the amount of activity that you see associated with malware because it often lies dormant until woken by a timer or other activity. However, some non-persistent agents can stay running after their initial collection to continue to monitor the system.

Maturing Your Security Posture in Stages

Endpoint visibility is critical to quickly responding to, containing, and resolving incidents. If your organization is not ready to make the resource and financial investment in a persistent agent-based solution, there are still options. Non-persistent agents can give you the same visibility and analysis options with a shorter IT approval process and at less cost. This makes them an essential stepping stone in the process of maturing your organization’s security posture.

The Cyber Triage product from Basis Technology has focused on providing endpoint visibility without persistent agents. It can be  deployed automatically and as needed, collects data from both memory and hard drive on the target system, and automates the analysis of the results. This has the end result of retrieving timely, reliable results while saving time and costs. To learn more or to schedule a demo, contact us today.

Simplify your incident response with Cyber Triage