Written by Ziften CEO Charles Leaver
The holiday period is a time of opportunity for cyber criminals, syndicates and state-sponsored groups to attack your organization. A reduced number of IT personnel at work increases the chances of unnoticed endpoint compromise, stealthy lateral movement, and undetected data exfiltration. Experienced attack groups are most likely assigning their top talent to a well-coordinated holiday hackathon. Penetration of your business would likely begin with an endpoint compromise via the usual targeted methods: spear phishing, social engineering, watering hole attacks, and so on.
With thousands of enterprise client endpoints available, initial infiltration barely poses a difficulty to skilled adversaries. Conventional endpoint security suites exist to protect against previously encountered commodity malware, and are essentially ineffective against the one-off crafted exploits used in targeted attacks. The attack organization will have studied your business and assembled your standard cyber defense products in their labs for pre-deployment evasion testing of prepared exploits. This pre-testing may include sandbox evasion techniques if your defenses include sandbox detonation at the enterprise boundary, although that is not always required, for instance with off-VPN laptops visiting compromised industry watering holes.
The ways in which business endpoints may end up compromised are too numerous to list. In many cases the compromise may involve only stolen credentials, with no malware needed or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise pristine endpoints. Or the user, and it only takes one among thousands, may be an insider adversary or a disgruntled employee. In any large business, some incidence of compromise is inevitable and constant, and the holiday season is ripe for it.
Given incessant attack activity with inevitable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful method to recognize and respond to anomalous endpoint activity, and to do so at scale across large numbers of enterprise endpoints. It also augments and complements enterprise network security by supplying endpoint context around suspicious network activity. EDR provides visibility at the endpoint level, equivalent to the visibility that network security offers at the network level. Together these provide the complete picture needed to recognize and respond to unusual and potentially significant security events across the business.
Some examples of endpoint visibility of potential forensic value are:
- Tracking of user login activity, particularly remote logins that might be attacker-directed
- Tracking of user presence and user foreground activity, including common work patterns, activity periods, and so on
- Monitoring of active processes, their resource consumption patterns, network connections, process hierarchy, etc.
- Collection of executable image metadata, including cryptographic hashes, version information, filepaths, date/times of first appearance, and so on
- Collection of endpoint log/audit events, ideally with optimal logging and auditing configuration settings (to maximize forensic value and reduce noise and overhead).
- Security analytics to score and rank endpoint activity and surface significant deviations from normal operating patterns to the enterprise SIEM for SOC attention.
- Support for agile traversal and drill-down of endpoint forensic data for quick analyst vetting of endpoint security anomalies.
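To make the scoring and ranking idea in the list above concrete, here is an added illustration (not Ziften's code, and not the author's): a small Python scorer that learns a baseline from historical endpoint telemetry (observed login hours per user, known executable hashes, known parent/child process pairs), scores holiday-period events against that baseline, and emits the ones above a threshold as JSON lines for a SIEM. The event records, field names, hashes and threshold are all constructed for this example.

```python
"""Toy endpoint anomaly scorer: learn a baseline from historical telemetry,
score new events against it, and emit SIEM-ready alerts.
Constructed example; the event schema is an assumption, not a product format."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed historical telemetry (a "normal" working week) used to learn the baseline.
BASELINE_EVENTS = [
    {"type": "login", "host": "ws-101", "user": "alice", "remote": False, "ts": "2016-12-05T08:55:00"},
    {"type": "login", "host": "ws-101", "user": "alice", "remote": False, "ts": "2016-12-06T09:10:00"},
    {"type": "login", "host": "ws-101", "user": "alice", "remote": True, "ts": "2016-12-07T17:30:00"},
    {"type": "process", "host": "ws-101", "user": "alice", "image": "outlook.exe",
     "parent": "explorer.exe", "sha256": "constructed-hash-outlook-v1"},
    {"type": "process", "host": "ws-101", "user": "alice", "image": "winword.exe",
     "parent": "explorer.exe", "sha256": "constructed-hash-winword-v1"},
]

# Constructed holiday-period telemetry to be scored against the baseline.
HOLIDAY_EVENTS = [
    {"type": "login", "host": "ws-101", "user": "alice", "remote": True, "ts": "2016-12-25T02:15:00"},
    {"type": "login", "host": "ws-101", "user": "alice", "remote": False, "ts": "2016-12-27T09:05:00"},
    {"type": "process", "host": "ws-101", "user": "alice", "image": "winword.exe",
     "parent": "explorer.exe", "sha256": "constructed-hash-winword-v1"},
    {"type": "process", "host": "ws-101", "user": "alice", "image": "updater.exe",
     "parent": "winword.exe", "sha256": "constructed-hash-never-seen"},
    {"type": "process", "host": "ws-101", "user": "alice", "image": "outlook.exe",
     "parent": "explorer.exe", "sha256": "constructed-hash-outlook-v2"},
]


def _hour(ts):
    """Hour of day from an ISO-8601 timestamp string."""
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Learn per-user login hours, known image hashes and known parent->child pairs."""
    baseline = {"login_hours": defaultdict(set), "hashes": set(), "pairs": set()}
    for e in events:
        if e["type"] == "login":
            baseline["login_hours"][e["user"]].add(_hour(e["ts"]))
        elif e["type"] == "process":
            baseline["hashes"].add(e["sha256"])
            baseline["pairs"].add((e["parent"], e["image"]))
    return baseline


def score_event(event, baseline):
    """Return (score, reasons) for one event; a higher score means more anomalous."""
    score, reasons = 0, []
    if event["type"] == "login":
        h = _hour(event["ts"])
        off_hours = h not in baseline["login_hours"].get(event["user"], set())
        if off_hours:
            score += 2
            reasons.append(f"login at {h:02d}:00 outside the user's observed hours")
        if event["remote"]:
            score += 1
            reasons.append("remote login")
        if off_hours and event["remote"]:
            # The combination is what matters: remote access when the user is normally absent.
            score += 2
            reasons.append("remote login outside normal hours (possible attacker-directed access)")
    elif event["type"] == "process":
        if event["sha256"] not in baseline["hashes"]:
            score += 2
            reasons.append("executable hash never seen before on the estate (first appearance)")
        if (event["parent"], event["image"]) not in baseline["pairs"]:
            score += 2
            reasons.append(f"unusual process hierarchy: {event['parent']} -> {event['image']}")
    return score, reasons


def rank_activity(events, baseline, threshold=3):
    """Score every event, keep those at or above the threshold, highest score first."""
    alerts = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            alerts.append({"score": score, "reasons": reasons, "event": e})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def to_siem_lines(alerts):
    """Serialize ranked alerts as one JSON object per line for SIEM ingestion."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(rank_activity(HOLIDAY_EVENTS, build_baseline(BASELINE_EVENTS))):
        print(line)
```

With this constructed data, the 02:15 remote login and the never-seen executable spawned by a document editor are forwarded to the SIEM, while the routine 09:05 login and the known Word binary score zero; the new Outlook version scores but stays below the threshold, which is the kind of low-priority "first appearance" record an analyst would want to keep for drill-down rather than page on.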
Don’t get a lump of coal in your stocking by being caught unawares this Christmas. Arm your business to contend with the hazards arrayed against you.