Politics
CISA must shift cyber defense toward a holistic endpoint protection and prevention strategy
Protecting critical infrastructure from ransomware and advanced cyberattacks is proving challenging across all sectors in the United States. These cyberattacks are growing in sophistication and employ stealth techniques against common detection capabilities to remain undetected. The emergence of ransomware-as-a-service (RaaS) creates an elaborate ecosystem for leasing malware and malicious software to affiliates and cybercriminals for profit. This allows ransomware actors to scale, increasing profits and maximizing their attack reach while minimizing effort for ransomware developers. Cybercriminals and nation-state actors are also blending and adopting each other's tactics and techniques, so that espionage and cybercrime converge. Common to both threat groups are evasion techniques that increase their ability to remain in stealth mode, which makes them more difficult to detect.
Ransomware requires more protection
Cybercriminals who use RaaS can infect more victims, demand more ransoms, and improve their tactics to stay ahead of detection capabilities. According to Chainalysis, the Dark Angels ransomware group received the largest ransomware payment ever at approximately $75 million in 2024. Disrupting ransomware and advanced cyberattacks is imperative for national security. To do so will require industry to shift toward a holistic endpoint protection and prevention strategy that starts with endpoint privilege management (EPM). Why EPM? Because it is more resilient against ransomware and advanced cyberattacks, providing better protection capabilities to reduce the attack surface on endpoints. Endpoint detection and response (EDR) performance and detection against ransomware and advanced cyberattacks have failed to protect government agencies as cited in the Cybersecurity and Infrastructure Security Agency’s Red Team Assessment report. Moving to a holistic endpoint protection and prevention strategy will help shore up cyber defense for cyberattacks targeting critical infrastructure.
Threat actors bypassing EDR
Curated threat intelligence from MITRE ATT&CK and other threat intelligence sources has shown increasing use of advanced malware called EDR killers, designed to evade, disable and manipulate EDR systems. EDR killers employ a range of techniques, including terminating EDR security-related processes, tampering with EDR agents, DLL unhooking and API hooking, process hollowing and unloading kernel drivers. These evasion techniques pose a significant risk to critical infrastructure and to the government agencies responsible for critical infrastructure protection, rendering EDR capabilities ineffective and unreliable. Another common evasion technique heavily weaponized by threat actors is living-off-the-land (LoTL) attacks, which leverage native system tools, trusted software and operating system (OS) utilities, such as PowerShell, Windows Management Instrumentation (WMI) and scheduled tasks, that are whitelisted by EDR.
Complementing EDR with EPM protection capabilities is essential to combat highly sophisticated threat actors' behaviors and activities. Understanding these gaps and issues in state-of-the-art practices is critical for elevating cyber defense with the right protection measures to boost cyber resiliency against evolving threats.
EDR leaves gaps in endpoint resiliency
Boosting cyber resiliency early in the ATT&CK lifecycle will disrupt threat actors' capabilities and prevent them from increasing their foothold by evading detections and gaining privilege and persistence to move through the ATT&CK lifecycle. Early detection, which requires a more proactive approach, can prevent data exfiltration and impacts such as distributed denial of service, data destruction and encryption that are common with ransomware attacks. Shifting to a more proactive approach requires industry to rethink and adjust its endpoint security strategy so that it is less reliant on the reactive capabilities associated with EDR. EDR by design focuses on detection and then prevention, which means it must accurately detect maliciousness before it can prevent the threat. That is good for common threats, but novel and sophisticated threats require longer attack chains before EDR can gain confidence.
This was demonstrated by security researchers who analyzed MITRE ATT&CK evaluation results over multiple years using whole-graph analysis to measure the performance of EDR systems. Specifically, various aspects were analyzed, including detection coverage, detection confidence, detection modifiers and data sources. Security researchers identified the following gaps in EDR capabilities:
- Enhanced attack correlation — Many EDR systems still rely on detecting isolated events, and do not properly utilize comprehensive correlation to better understand and contextualize complex attack patterns. This limits the visibility in detection of multi-step and stealthy attack scenarios, which severely hamper response capabilities.
- EDR systems struggle with advanced techniques — Threats that employ techniques that use living-off-the-land and advanced evasion require more sophisticated correlation from EDR systems.
- Cross-host correlation is inconsistent — Many EDR systems struggle to detect lateral movement and coordinated attacks that span across multiple endpoints.
- EDR systems too Windows-centric — A large percentage of EDR systems do not support Linux-based endpoints, and those that do show low detection and protection results.
- Detection quality needs improvement — Reducing variability in detection quality is essential for good coverage and detection. It is important to reduce the occurrence of low-quality alerts that can contribute to a considerable number of false positives — alert fatigue is real.
Cyber defenders must understand gaps in their overall security posture and develop strategies to elevate their cyber defense. To do that, a holistic endpoint strategy is needed to help reduce the attack surface on endpoints by managing privileges at the individual, user group and application levels. In the context of zero trust, no end user has privileged access by default. Privileged access is granted just-in-time (JIT), to ensure just enough access, on an as-needed basis.
Closing gaps left by EDR
Enforcing least privilege, JIT and just enough access capabilities with endpoint privilege management provides protection and prevention capabilities that EDR lacks and cannot perform natively. These protection and prevention capabilities are designed to restrict elevated rights and control application execution. Implementing EPM with EDR allows critical infrastructure and government agencies to achieve stronger endpoint resiliency.
- EPM reduces the noise by limiting user privileges and application execution, which allows EDR to improve accuracy and threat detection.
- EPM limits the scope of potential damage, which allows EDR to focus on investigating and remediating specific threats to accelerate incident response.
- EPM prevents tampering with EDR agents by removing standing privileges and stopping privilege escalation attempts, which ensures EDR can continue to operate on a compromised endpoint.
- EPM contextualizes users and applications with elevated privileges, which improves threat hunting, enabling security teams to prioritize and investigate most likely threats.
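To make the least privilege, JIT and just-enough-access model described above concrete, here is an added example written for this page; it is not code from the article, from BeyondTrust or from any EPM product. It models an endpoint privilege broker in which no user holds standing elevated rights, elevation is granted only for a named application that the user's group is permitted to elevate, every grant expires after a short window, and every decision is written to an audit trail. The groups, users, application names and time windows are constructed sample values, and the policy structure is an assumption made for the illustration.

```python
"""Toy endpoint privilege management (EPM) broker: deny by default, JIT grants
scoped to one application, time-bounded, and audited. Added example; all names
and policy values below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy: which groups may elevate which applications, and the
# longest window a grant may stay valid. Anything not listed is denied.
ELEVATION_POLICY = {
    "helpdesk": {"msiexec.exe": timedelta(minutes=15)},
    "sysadmins": {"msiexec.exe": timedelta(minutes=30),
                  "services.msc": timedelta(minutes=10)},
}


@dataclass
class Grant:
    user: str
    application: str
    expires_at: datetime


@dataclass
class EpmBroker:
    # user -> set of group names (constructed directory data)
    group_membership: dict
    policy: dict = field(default_factory=lambda: ELEVATION_POLICY)
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request_elevation(self, user, application, now):
        """Issue a time-bounded grant if any of the user's groups permits the
        application; when several do, take the shortest window (least
        privilege). Returns the Grant, or None when the request is denied."""
        windows = [
            self.policy.get(group, {}).get(application)
            for group in self.group_membership.get(user, set())
        ]
        windows = [w for w in windows if w is not None]
        if not windows:
            self.audit_log.append(f"{now.isoformat()} DENY {user} {application}")
            return None
        grant = Grant(user, application, now + min(windows))
        self.grants.append(grant)
        self.audit_log.append(
            f"{now.isoformat()} GRANT {user} {application} "
            f"until {grant.expires_at.isoformat()}"
        )
        return grant

    def may_run_elevated(self, user, application, now):
        """Enforcement check at launch time: only an unexpired grant for this
        exact user and application allows elevated execution. There is no
        standing privilege to fall back on."""
        return any(
            g.user == user and g.application == application and now < g.expires_at
            for g in self.grants
        )


if __name__ == "__main__":
    now = datetime(2025, 8, 6, 12, 0, tzinfo=timezone.utc)
    broker = EpmBroker(group_membership={"alice": {"helpdesk"}, "bob": set()})
    print(broker.may_run_elevated("alice", "msiexec.exe", now))            # False
    broker.request_elevation("alice", "msiexec.exe", now)
    print(broker.may_run_elevated("alice", "msiexec.exe", now + timedelta(minutes=5)))   # True
    print(broker.may_run_elevated("alice", "msiexec.exe", now + timedelta(minutes=15)))  # False
    print("\n".join(broker.audit_log))
```

The two checks are deliberately separate: `request_elevation` is the policy decision (who may elevate what, for how long) and `may_run_elevated` is the enforcement point at launch, so an expired or out-of-scope grant is refused even if it was once valid. The audit log is what gives EDR and threat hunters the context the article refers to: every elevated execution is tied to a user, an application and a window.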
CISA has been tracking ransomware actors and various techniques used to bypass and evade EDR. As part of their #StopRansomware campaign, CISA has been diligent about providing threat intelligence to the community with respect to tradecraft used by threat actors. CISA within the last four months has updated or released advisories for some of the top ransomware gangs outlining their ATT&CK techniques used in the wild.
- Play (Advisory updated June 4, 2025)
- Rhysida (Advisory updated April 30, 2025)
- Medusa (Published March 2025)
- Ghost aka Cringe (Published February 2025)
The table above highlights the evasion and bypass techniques that were used and have been associated with ransomware attacks. Threat actors are actively using LoTL and bring-your-own-vulnerable-driver (BYOVD) more in their attack arsenal. This illustrates the growing use of EDR evasion and bypass techniques by popular and active ransomware, but also demonstrates the need to complement other endpoint protection capabilities like EPM to boost endpoint resiliency. This echoes CISA’s Red Team assessment report, citing that the red team excelled in bypassing EDR solutions by avoiding the use of basic “known-bad” detections the tools would capture. In fact, the report further states that EDR detected only a few of the red team’s payloads in the organization’s Windows and Linux environments.
Defining a holistic endpoint protection and prevention strategy
A holistic endpoint protection and prevention strategy leaves no privileges behind. Privileges that are left behind become prime attack vectors that threat actors use to bypass and evade detection capabilities deployed in the environment to establish persistence and move laterally. Industry must pivot from a single point of failure with EDR, to a more holistic approach that not only enhances and protects EDR but can disrupt threat actors early in the ATT&CK lifecycle by enforcing privilege management to reduce the attack surface and harden the endpoint system. Enforcing least privilege, JIT and just enough access capabilities with endpoint privilege management provides protection and prevention capabilities that EDR lacks and cannot perform natively. EPM embraces foundational zero trust principles and concepts which will allow government agencies to mature their zero trust, while elevating their cyber defense.
Kevin E. Greene is chief security strategist for the public sector at BeyondTrust.
The post CISA must shift cyber defense toward a holistic endpoint protection and prevention strategy first appeared on Federal News Network.
DEVELOPING: FAA Issues Nationwide Ground Stop for United Airlines Flights at Several Airports Due to ‘Technology Issue’
The Federal Aviation Administration on Wednesday issued a nationwide ground stop for United Airlines flights at several airports due to a ‘technology issue.’
BREAKING: United Airlines has issued a nationwide ground stop and is holding all departures due to a technology issue. pic.twitter.com/HyxD4KqqaO
— Sam Sweeney (@SweeneyABC) August 7, 2025
“The U.S. Federal Aviation Administration said on Wednesday it issued a ground stop for United Airlines (UAL.O), flights at several U.S. airports while the company itself said its teams were working to resolve a tech outage as soon as possible,” Reuters reported.
‘Due to a technology issue, we are holding United mainline flights at their departure airports. We expect additional flight delays this evening as we work through this issue. Safety is our top priority, and we’ll work with our customers to get them to their destinations,’ United Airlines said in a statement to The Daily Mail.
CBS News reported:
There is a ground stop for United Airlines flights at Chicago O’Hare Airport Wednesday evening.
United said in a statement that a “technology issue” is causing them to hold departures.
“We expect additional flight delays this evening as we work through this issue. Safety is our top priority, and we’ll work with our customers to get them to their destinations,” the statement continued.
The technical issues are also impacting airports in Denver, Houston, San Francisco and Newark.
Video taken by a passenger at O’Hare shows a line of United planes stopped on the tarmac that have recently landed, waiting because no gates are available.
DEVELOPING…
The post DEVELOPING: FAA Issues Nationwide Ground Stop for United Airlines Flights at Several Airports Due to ‘Technology Issue’ appeared first on The Gateway Pundit.
“I Defied My Government For Love” – State Department Official Dated Senior CCP Leader’s Daughter, Admits “She Could Have Been a Spy” – But Didn’t Report Her (VIDEO)

The O’Keefe Media Group on Wednesday released undercover video of Daniel Choi, a US State Department Foreign Service Officer who admitted he dated a senior CCP leader’s daughter and refused to report her.
“I defied my government for love,” Daniel Choi said of his romantic relationship with 27-year-old Joi Zao.
Joi Zao entered the US on a work visa in September 2024.
“Her dad was either a provincial or a federal minister of education. So he’s, like, straight up Communist Party,” Choi said.
“Under federal regulations, Foreign Service Officers are required to report close and continuing contact with foreign nationals from adversarial nations, including China,” the O’Keefe Media Group reported.
Choi admitted he didn’t report her: “I was supposed to, whatever, sort of report what I knew about her, but I always thought that was kind of unfair.”
WATCH:
“I Defied My Government for Love”: US State Department Foreign Service Officer Dated Senior CCP Leader’s Daughter, Admits “She Could Have Been A Spy,” Refused to Report Her
“Her dad was either a provincial or a federal minister of education. So he's, like, straight up Communist… pic.twitter.com/7Pv1XcZ2x0
— James O'Keefe (@JamesOKeefeIII) August 6, 2025
The State Department responded to the O’Keefe Media Group’s undercover video exposing Choi.
“The incident is under investigation. The Department has zero tolerance for individuals who jeopardize national security by putting their personal interests ahead of our great nation,” the State Department said in a statement.
The U.S. State Department has issued a statement to OMG following our investigation into CCP-linked influence and alleged misconduct by a U.S. official.
According to a Senior State Department Official, “The incident is under investigation. The Department has zero tolerance for… pic.twitter.com/AQ1UtpuCaZ
— James O'Keefe (@JamesOKeefeIII) August 7, 2025
Later Wednesday, Daniel Choi deleted his LinkedIn profile after OMG's undercover video exposing his relationship with a CCP leader's daughter.
JUST IN: Daniel Choi, U.S. State Department Foreign Service Officer, has DELETED his LinkedIn profile following the release of OMG’s undercover footage revealing his relationship with a CCP official’s daughter, whom he admitted “could have been a spy," and his refusal to report… https://t.co/MP59CraqHO pic.twitter.com/L1VH3ia8en
— James O'Keefe (@JamesOKeefeIII) August 7, 2025
The post “I Defied My Government For Love” – State Department Official Dated Senior CCP Leader’s Daughter, Admits “She Could Have Been a Spy” – But Didn’t Report Her (VIDEO) appeared first on The Gateway Pundit.
U.S. Closes its Embassy in Haiti Amid Escalating Violence: The Armed Gangs Crisis and Trump’s Policy to Confront It

This is a Gateway Hispanic article.
The post U.S. Closes its Embassy in Haiti Amid Escalating Violence: The Armed Gangs Crisis and Trump’s Policy to Confront It appeared first on The Gateway Pundit.