Written by Ziften CEO Chuck Leaver
The Christmas period is a prime time for cyber criminals, crime syndicates and state-sponsored teams to attack your company. Reduced IT staffing over the holidays improves the odds of undiscovered endpoint compromise, stealthy lateral movement, and undetected data exfiltration. Experienced attack groups are more than likely assigning their top talent to a well-coordinated holiday campaign. Penetration of your enterprise would most likely begin with an endpoint compromise via the usual targeted methods: spear phishing, social engineering, watering hole attacks, and so on.
With thousands of enterprise client endpoints available, initial infiltration hardly poses a difficulty to seasoned attackers. Standard endpoint security suites protect against previously encountered, known malware, and are largely useless against the one-off crafted exploits used in targeted attacks. The attack group will have researched your business and assembled your standard cyber defense products in their labs to test their planned exploits for evasion before deployment. This pre-testing may include sandbox evasion techniques if your defenses include sandbox detonation at the enterprise perimeter, although that is not always needed, for example with off-VPN laptops visiting compromised industry watering holes.
The ways in which enterprise endpoints may become compromised are too numerous to list. In many cases the compromise may involve only compromised credentials, with no malware needed or present, as confirmed by industry research showing malicious command and control traffic originating from otherwise pristine endpoints. Or the user, and it only takes one among thousands, may be an insider attacker or a disgruntled employee. In any large enterprise, some incidence of compromise is unavoidable and ongoing, and the Christmas season is ripe for it.
Given constant attack activity and inescapable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful way to identify and respond to anomalous endpoint activity, and to do so at scale across many enterprise endpoints. It also complements enterprise network security by providing endpoint context around suspicious network activity. EDR provides visibility at the endpoint level, comparable to the visibility that network security provides at the network level. Together they offer the full picture needed to recognize and respond to unusual and potentially significant security incidents across the enterprise.
Some examples of endpoint visibility of potential forensic value are:
- Tracking of user login activity, specifically remote logins that might be attacker-directed
- Tracking of user presence and user foreground activity, including typical work patterns, active hours, and so on
- Monitoring of running processes, their resource consumption patterns, network connections, process hierarchy, etc.
- Collection of executable image metadata, including cryptographic hashes, version information, file paths, date/times of first appearance, etc.
- Collection of endpoint log/audit events, ideally with logging and auditing configured to maximize forensic value while minimizing noise and overhead.
- Security analytics to score and rank endpoint activity and surface significant deviations from normal operating patterns to the enterprise SIEM for SOC attention.
- Support for agile traversal and drill-down of endpoint forensic data for rapid analyst vetting of endpoint security anomalies.
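To make the list above concrete, here is an added, self-contained Python example (not Ziften code, and not describing any particular product) that scores a handful of constructed endpoint telemetry records against a per-user baseline of working hours and known remote-login sources, a table of expected parent/child process relationships, and fleet-wide prevalence of executable hashes, then ranks the results and picks out those that would be forwarded to a SIEM. The baseline, the parent/child table, the thresholds and all event records are assumptions invented for the illustration.

```python
"""Toy endpoint anomaly scoring over constructed telemetry records.

Each scoring rule corresponds to one of the visibility items listed in the
post: remote logins, user presence / usual working hours, process hierarchy,
and first-appearance (prevalence) of executable hashes across the fleet.
Every data value and weight here is constructed for illustration only.
"""
from datetime import datetime

# Constructed per-user baseline (what continuous monitoring would learn over
# time): usual working window in local hours, and remote-login sources seen before.
BASELINE = {
    "alice": {"hours": (8, 18), "remote_sources": {"10.0.5.12"}},
    "bob": {"hours": (9, 17), "remote_sources": set()},
}

# Constructed table of the parents these images are normally spawned by.
EXPECTED_PARENTS = {
    "winword.exe": {"explorer.exe"},
    "powershell.exe": {"explorer.exe", "cmd.exe"},
}

# Constructed endpoint events, in the order an agent would ship them.
EVENTS = [
    {"type": "login", "user": "alice", "host": "WS-01", "remote": True,
     "src": "10.0.5.12", "ts": "2023-12-20T10:15:00"},
    {"type": "process", "user": "alice", "host": "WS-01", "image": "winword.exe",
     "parent": "explorer.exe", "sha256": "aaaa1111", "ts": "2023-12-20T10:20:00"},
    {"type": "process", "user": "carol", "host": "WS-03", "image": "winword.exe",
     "parent": "explorer.exe", "sha256": "aaaa1111", "ts": "2023-12-21T11:02:00"},
    {"type": "login", "user": "bob", "host": "WS-07", "remote": True,
     "src": "203.0.113.44", "ts": "2023-12-25T03:10:00"},
    {"type": "process", "user": "bob", "host": "WS-07", "image": "powershell.exe",
     "parent": "winword.exe", "sha256": "ffff9999", "ts": "2023-12-25T03:12:00"},
]


def hash_prevalence(events):
    """Number of distinct hosts on which each executable hash has been seen."""
    hosts_by_hash = {}
    for e in events:
        if e["type"] == "process":
            hosts_by_hash.setdefault(e["sha256"], set()).add(e["host"])
    return {h: len(hosts) for h, hosts in hosts_by_hash.items()}


def in_work_hours(ts, hours):
    """True if the ISO timestamp falls inside the user's usual [start, end) window."""
    start, end = hours
    return start <= datetime.fromisoformat(ts).hour < end


def score_event(event, baseline, prevalence, expected_parents=EXPECTED_PARENTS):
    """Return (score, reasons) for one event; weights are constructed, not tuned."""
    score, reasons = 0, []
    profile = baseline.get(event["user"])
    if profile is None:
        score += 1
        reasons.append("no behavioural baseline for user")
    elif not in_work_hours(event["ts"], profile["hours"]):
        score += 3
        reasons.append("activity outside user's usual hours")
    if event["type"] == "login" and event["remote"] and profile is not None:
        if event["src"] not in profile["remote_sources"]:
            score += 3
            reasons.append(f"remote login from unseen source {event['src']}")
    if event["type"] == "process":
        expected = expected_parents.get(event["image"])
        if expected is not None and event["parent"] not in expected:
            score += 4
            reasons.append(f"{event['image']} spawned by unexpected parent {event['parent']}")
        if prevalence.get(event["sha256"], 0) <= 1:
            score += 2
            reasons.append("executable hash seen on a single host fleet-wide")
    return score, reasons


def rank_events(events, baseline=BASELINE):
    """Score every event and return them highest-score first."""
    prevalence = hash_prevalence(events)
    ranked = []
    for e in events:
        score, reasons = score_event(e, baseline, prevalence)
        ranked.append({"score": score, "reasons": reasons, "event": e})
    return sorted(ranked, key=lambda r: -r["score"])


def siem_alerts(events, threshold=5, baseline=BASELINE):
    """Only events at or above the threshold are bubbled up to the SIEM."""
    return [r for r in rank_events(events, baseline) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in siem_alerts(EVENTS):
        print(r["score"], r["event"]["host"], r["event"]["user"], "; ".join(r["reasons"]))
```

Run as a script it prints the two records that cross the threshold: an off-hours remote login for a user with no history of remote access, and a `powershell.exe` launched from `winword.exe` on the same host minutes later with a hash seen nowhere else in the fleet. The same login during working hours from a known source scores zero, which is the point of keeping a per-user baseline rather than a single fleet-wide rule.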
Do not get a lump of coal in your stocking by being caught unawares this holiday season. Arm your business to contend with the risks arrayed against you.