Protecting Against Threats that Disable Security Tools


Tom Ricoy


July 7, 2020

Security Tools Disabled During Attack

A common adversary technique is Disabling Security Tools (MITRE ATT&CK T1089). There are multiple documented cases, including Agent Tesla, Brave Prince, DarkComet, and Gold Dragon, to name a few. When your endpoint security software (AV, NGAV, EDR, PAM, etc.) is disabled, the adversary has free, undetected rein over your system, can easily ransom your data or exfiltrate it without your knowledge, and can wipe every trace of what they did.

Relying solely on security software is insufficient against such attacks. Hardware integration is the only reliable mitigation.

Firmware Continuous Security App Monitoring

K2 and Everest have special Cigent-proprietary firmware that tethers to the D3E agent. D3E pings the drive at intervals as short as millisecond granularity so that the firmware can verify the agent is still running. If D3E does not ping within the allotted interval, the drive completely cuts off access to the protected data. D3E can also be configured to verify that other security agents, such as Windows 10 Security and other NGAV/EDR/PAM tools, are running, and to protect the data if they are not.

Because the locking is enforced in the drive firmware, the data is protected not only from any OS-based attack but also from other compromised PC components (such as BIOS, CSME, NIC, etc.), and even if the drive is removed and booted from a different PC.

Once the security software is back up and running and the threat is cleared, D3E will unlock the data and make it accessible, never having allowed the data to be at risk of theft, ransom, corruption, deletion, etc.
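The lock-on-missed-heartbeat behaviour described above can be modelled as a small state machine. This is an added example, not Cigent's firmware or agent code: `DriveWatchdog`, its methods, the 100 ms interval and the timeline are hypothetical, and the model leaves out how pings are authenticated, which the page does not describe.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DriveWatchdog:
    """Hypothetical model of the drive side: fail closed when the agent goes quiet."""
    interval_ms: int                           # allotted heartbeat interval
    required_agents: frozenset = frozenset()   # tools the agent must report as running
    locked: bool = True                        # locked until the first healthy ping
    last_ping_ms: Optional[int] = None
    events: list = field(default_factory=list)

    def _set_locked(self, locked, now_ms, reason):
        if locked != self.locked:              # log state transitions only
            self.events.append((now_ms, "LOCK" if locked else "UNLOCK", reason))
        self.locked = locked

    def tick(self, now_ms):
        """Timer check: lock if no ping arrived within the allotted interval."""
        if self.last_ping_ms is not None and now_ms - self.last_ping_ms > self.interval_ms:
            self._set_locked(True, now_ms, "heartbeat timeout")

    def heartbeat(self, now_ms, running_agents):
        """Agent ping carrying the set of security tools it currently sees running."""
        self.tick(now_ms)                      # a late ping still counts as a missed one
        self.last_ping_ms = now_ms
        missing = self.required_agents - set(running_agents)
        reason = "not running: " + ", ".join(sorted(missing)) if missing else "healthy heartbeat"
        self._set_locked(bool(missing), now_ms, reason)

    def read_allowed(self, now_ms):
        """Would a read of the protected data succeed at this instant?"""
        self.tick(now_ms)
        return not self.locked

def simulate():
    """Constructed timeline: healthy, EDR stopped, recovery, agent killed, recovery."""
    wd = DriveWatchdog(interval_ms=100, required_agents=frozenset({"edr"}))
    access = []
    wd.heartbeat(0, {"edr"})
    access.append(wd.read_allowed(50))     # agent and EDR healthy
    wd.heartbeat(100, set())
    access.append(wd.read_allowed(120))    # agent alive, EDR reported stopped
    wd.heartbeat(200, {"edr"})
    access.append(wd.read_allowed(250))    # EDR back
    access.append(wd.read_allowed(400))    # agent silent for 200 ms
    wd.heartbeat(500, {"edr"})
    access.append(wd.read_allowed(510))    # agent back
    return access, wd.events
```

The `events` list returned by `simulate()` is the kind of lock/unlock transition record worth forwarding to a SIEM, since each LOCK marks a moment when an endpoint tool stopped reporting.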

Cigent D3E protects your files in a way that's never been done before.
