Written by Ziften CEO Charles Leaver
The holiday season is prime time for cyber criminals, crime syndicates and state-sponsored groups to hack your company. A reduced number of IT personnel at work improves the odds of undiscovered endpoint compromise, stealthy lateral movement, and undetected data exfiltration. Experienced attack teams are most likely assigning their top talent to a well-coordinated holiday hackathon. Penetration of your enterprise would likely begin with an endpoint compromise by the usual targeted methods: spear phishing, social engineering, watering hole attacks, etc.
With thousands of enterprise client endpoints available, initial infiltration barely poses a challenge to experienced attackers. Conventional endpoint security suites exist to protect against previously encountered commodity malware, and are essentially useless against the one-off crafted exploits used in targeted attacks. The attack group will have reconnoitered your business and assembled your standard cyber defense products in their lab for pre-deployment evasion testing of the planned exploits. This pre-testing may include suitable sandbox evasion techniques if your defenses include sandbox detonation at the enterprise boundary, although that is not always needed, for example with off-VPN laptops visiting compromised industry watering holes.
The ways enterprise endpoints can become compromised are too many to list. In many cases the compromise may involve only stolen credentials, with no malware needed or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise pristine endpoints. Or the user, and it only takes one among thousands, may be an insider adversary or a disgruntled employee. In any large enterprise, some incidence of compromise is unavoidable and continuous, and the holiday period is ripe for it.
Given constant attack activity and inescapable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful strategy for identifying and responding to anomalous endpoint activity, and for doing so at scale across many enterprise endpoints. It also complements enterprise network security by providing endpoint context around suspicious network activity. EDR supplies visibility at the endpoint level, just as network security provides visibility at the network level. Together they supply the complete picture needed to recognize and react to unusual and potentially significant security incidents across the enterprise.
Some examples of endpoint visibility with potential forensic value are:
- Monitoring of user login activity, particularly remote logins that may be attacker-directed
- Tracking of user presence and user foreground activity, including typical work patterns, activity durations, and so on
- Tracking of active processes, their resource usage patterns, network connections, process hierarchy, and so on
- Collection of executable image metadata, including cryptographic hashes, version info, file paths, date/time of first appearance, and so on
- Collection of endpoint log/audit events, preferably with optimal logging and audit configuration settings (to maximize forensic value while minimizing noise and overhead)
- Security analytics to score and rank endpoint activity and surface significant deviations from operating patterns to the enterprise SIEM for SOC attention
- Support for agile traversal and drilldown of endpoint forensic data for rapid analyst vetting of endpoint security anomalies
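The list above describes telemetry (logins, process hierarchy, executable hashes) and the analytics that score and rank it for the SIEM. The following Python script is an added illustration, not Ziften code or a real EDR schema: it builds a per-user login-hour baseline and an enterprise-wide hash prevalence table from constructed sample events (hypothetical hosts, users and hash placeholders), scores each event against them, and emits ranked anomalies as JSON lines for a SIEM. The field names, rule weights and lists of office parents and user-writable paths are all assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (hypothetical hosts, users and hash placeholders);
# the field names are an assumption for this example, not a real EDR schema.
EVENTS = [
    {"ts": "2016-12-19T09:05:00", "host": "ws-101", "type": "login", "user": "alice", "remote": False},
    {"ts": "2016-12-20T09:12:00", "host": "ws-101", "type": "login", "user": "alice", "remote": False},
    {"ts": "2016-12-21T08:58:00", "host": "ws-101", "type": "login", "user": "alice", "remote": False},
    {"ts": "2016-12-20T10:00:00", "host": "ws-102", "type": "process", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "HASH-NOTEPAD", "parent": "explorer.exe"},
    {"ts": "2016-12-21T10:00:00", "host": "ws-101", "type": "process", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "HASH-NOTEPAD", "parent": "explorer.exe"},
    {"ts": "2016-12-24T02:41:00", "host": "ws-101", "type": "login", "user": "alice", "remote": True},
    {"ts": "2016-12-24T02:43:00", "host": "ws-101", "type": "process", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "sha256": "HASH-UNKNOWN-1", "parent": "winword.exe"},
]

# Assumed rule inputs: document-handling parents that rarely need to spawn
# executables, and path fragments that indicate a user-writable location.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def login_baseline(events):
    """Per-user set of hours seen on local (non-remote) logins: the 'typical work pattern'."""
    hours = defaultdict(set)
    for e in events:
        if e["type"] == "login" and not e["remote"]:
            hours[e["user"]].add(datetime.fromisoformat(e["ts"]).hour)
    return hours


def hash_prevalence(events):
    """Number of distinct hosts on which each executable hash was observed."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "process":
            hosts[e["sha256"]].add(e["host"])
    return {h: len(s) for h, s in hosts.items()}


def score_event(e, baseline, prevalence):
    """Return (score, reasons) for one event; a score of 0 means nothing noteworthy."""
    score, reasons = 0, []
    if e["type"] == "login":
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["remote"]:
            score += 2
            reasons.append("remote login")
        typical = baseline.get(e["user"], set())
        if typical and hour not in typical:
            score += 3
            reasons.append(f"login at hour {hour:02d} outside user baseline")
    elif e["type"] == "process":
        if prevalence.get(e["sha256"], 0) <= 1:
            score += 2
            reasons.append("executable hash seen on a single host")
        if any(seg in e["image"].lower() for seg in USER_WRITABLE):
            score += 1
            reasons.append("image in user-writable path")
        if e["parent"].lower() in OFFICE_PARENTS:
            score += 3
            reasons.append(f"spawned by office application {e['parent']}")
    return score, reasons


def rank_anomalies(events):
    """Score every event against enterprise-wide baselines and rank by score, then time."""
    baseline = login_baseline(events)
    prevalence = hash_prevalence(events)
    scored = []
    for e in events:
        s, why = score_event(e, baseline, prevalence)
        if s > 0:
            scored.append({"score": s, "reasons": why, "event": e})
    return sorted(scored, key=lambda r: (-r["score"], r["event"]["ts"]))


def to_siem_line(record):
    """One JSON line per ranked anomaly, ready to forward to the SIEM."""
    e = record["event"]
    return json.dumps({"ts": e["ts"], "host": e["host"], "user": e["user"], "type": e["type"],
                       "score": record["score"], "reasons": record["reasons"]}, sort_keys=True)


if __name__ == "__main__":
    for rec in rank_anomalies(EVENTS):
        print(to_siem_line(rec))
```

Run as a script it prints two SIEM lines: the Temp-path executable spawned by winword.exe on ws-101 (rare hash, user-writable path, office parent) ranks first, and alice's 02:41 remote login, outside her 08:00 to 09:00 local-login baseline, second. The three routine logins and the two notepad.exe launches score zero and are never forwarded, which is the noise reduction the analytics bullet above is asking for; the point is that prevalence and baselines are computed across the whole enterprise, so a hash or login hour is judged against the population rather than a fixed signature.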
Don't get a lump of coal in your stocking by being caught unaware this Christmas. Arm your enterprise to contend with the threats arrayed against you.