When tools that were created to help security teams simulate attacks are used by the attackers, you know there’s a problem. But that’s exactly what’s happened in recent news where the Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool was used by nation-state attackers to evade detection. 

The BRc4 tool is relatively new to the market—launching in 2020—and is like the more popular, Cobalt Strike tool. The recent announcement by Palo Alto Networks indicates that attackers can use the BRc4 tool to evade endpoint detection and response (EDR) solutions and anti-virus products. Specifically, a sample submitted to VirusTotal in May was not seen as malicious by any of the AV engines, but it was a self-contained ISO with an LNK (shortcut) file, a malicious DLL, and a copy of the Microsoft OneDrive Updater. When executed, DLL order hijacking was used to load malicious content. 

Why indicators of compromise aren’t enough

Unfortunately, the BRc4-related attack is just the beginning. By using only indicators of compromise to detect BRc4—or any variant that comes after it—organizations are just playing a game of “whack-a-mole.” These attempts will continuously be thwarted as new threat actors engage in this practice with BRc4 and similar tools. What has been clearly proven is that threat actors have the means to defeat EDR, and that trend is only going to continue. Just as organizations no longer rely on signature-based antivirus as their main security defense, so too is the case with EDR. 

The network is an attacker’s weak spot

EDR solutions can provide an important security platform for organizations. They target threats once they are on the network (in contrast to endpoint protection platforms (EPP) that target threats as they hit the edge/perimeter of a network). The solutions typically rely on endpoint data collection agents to analyze and automate incident response at the endpoint. 

Unfortunately, EDR solutions are limited to the endpoints where agents are deployed, or data is collected and therefore can miss important signs of malicious activity beyond the malicious payload. This is the case in the BRc4 attack since EDR solutions cannot detect the software as malicious.

But the network is a much better data collection point and can provide even better information regarding malicious activity. Threat actors cannot avoid or evade the network because it is an integral part of how their attacks can succeed. Without the network, threat actors are severely limited in their ability to inflict meaningful harm that would compel an organization to react the way the threat actor intends—be that by paying a ransom to unlock data or prevent a data leak, or whatever other goal the threat actor hopes to accomplish. 

The need for holistic network security

A better way to achieve near-complete network security is to use the network as a sensor. To understand where malicious—or otherwise unwanted activity—has taken place throughout the network, organizations require network detection and response capabilities through an NDR solution. 

Network detection and response (NDR) solutions provide network-based analysis to detect undetectable activity as it moves across the network. More clearly put, when a malicious payload makes its way on the network, a good NDR solution makes it impossible for the malware to do anything else undetected. 

But what is a good NDR solution? Network traffic data alone is not enough. Without machine learning (ML) and artificial intelligence, abnormal activity can still slip by, and lateral movement will remain unnoticed. Plixer’s ML detections catch any abnormal activity, lateral movement, data accumulation, and data exfiltration which gives organizations the ability to stop threat actors before sensitive data is lost. 

While EDR solutions were unable to detect the malicious payload concealed by BRc4—since that is the purpose of the tool—organizations are not completely hopeless. With NDR in place, organizations can easily detect malicious activity as it moves across the network regardless of if it is stopped by EDR or other threat detection solutions. To learn more about Plixer’s NDR solution click here.


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.