The number of data breaches has skyrocketed during the ongoing health crisis, as hackers have taken full advantage of these uncertain times. According to the FBI’s 2020 Internet Crime Report, complaints soared by 69.4% in the last year. Unfortunately, media coverage of mega breaches (e.g., SolarWinds, Capital One) often puts a spotlight on the tail end of the cyber-attack life cycle, focusing on the exfiltration points rather than how the threat actor got there. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures (so-called TTPs). In this context, it is vital for security practitioners to review the entire cyber-attack lifecycle to gain a full grasp of the areas that need to be addressed as part of an in-depth cyber defense approach.
Post-mortem analysis has repeatedly found that the most common source of a hack are compromised credentials that are subsequently used to establish a beachhead on an end user endpoint (e.g., desktop, laptop, or mobile device). This tactic, however, is often “overlooked” in anatomy of a hack discussions. This is surprising, considering that endpoints serve as the main points of access to an enterprise network and can be exploited by malicious actors. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.
Today’s Cyber-Attack Lifecycle
Most of today’s cyber-attacks are front-ended by credential harvesting campaigns that use social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cyber criminals also take advantage of millions of stolen credentials being sold on the Dark Web.
Once in possession of stolen, weak, or compromised credentials, attackers are leveraging brute force, credential stuffing, or password spraying campaigns to gain access to their target environment. Increasingly, cyber adversaries take advantage of the fact that organizations and their workforce are relying on mobile devices, home computers, and laptops to connect to company networks to conduct business. In turn, these endpoint devices become the natural point of entry for many attacks.
Once they have compromised an end user device, hackers detect and disable endpoint security measures (e.g., data loss prevention; disk and endpoint encryption; endpoint detection and response; anti-virus or anti-malware) to avoid detection. Next, they move laterally to perform reconnaissance and identify IT schedules, additional security controls, network traffic flows, and scan the entire IT environment to gain an accurate picture of its resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access.
Once an attacker has identified where valuable data resides, they typically look for ways to elevate access privileges to exfiltrate the data and conceal their activity to avoid detection.
Boosting Endpoint Visibility and Control
When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own security. This is different from the traditional network security approach, in which case established security measures apply to the entire network rather than individual devices and servers. Thus, making each endpoint resilient is paramount to implementing a successful defense strategy.
At a minimum, organizations therefore should deploy simple forms of endpoint security like anti-virus or anti-malware software across their entire fleet of devices. Many organizations are going beyond these simple measures and nowadays leverage modern endpoint security technology that encompasses encryption, intrusion detection, and behavior-blocking elements to identify and block threats and risky behavior, either by end users or intruders.
To counteract human error, malicious actions, and decayed, insecure software, Forrester Research recommends taking a pro-active approach to endpoint security and establishing endpoint resilience by:
- Maintaining a trusted connection with endpoints to detect unsafe behaviors or conditions that could put sensitive data at risk. This includes maintaining granular visibility and control over endpoint hardware, operating systems, applications, and data gathered on the device; and self-healing capabilities for the device, mission-critical security controls, and productivity applications.
- Ensuring that endpoint misconfigurations are automatically repaired when possible, as organizations cannot assume that the health of their IT controls or security tools installed on their employees’ endpoints will remain stable over time.
- Focusing on the return on investment of the security tools being used. Organizations often use a variety of endpoint security and management tools. Yet, each new tool introduced can serve as both a potential risk and an operational burden. Maintaining continuous endpoint visibility ensures that controls are always working as intended. By doing so, IT security professionals will ensure the ROI of their security investments — both from risk reduction and operational perspectives.
- Understanding not just the tail end of the cyber-attack kill chain, but also focusing on initial attack vectors like endpoints provides a roadmap for aligning preventive measures with today’s threats. It is vital to maintain granular visibility and control over access points to prevent and remediate vulnerabilities that can and often will surface on them.