Written by Ziften CEO Chuck Leaver
The holiday season is a prime time for cyber criminals, organized syndicates and state-sponsored teams to attack your company. A reduced number of IT personnel at work improves the odds of undetected endpoint compromise, stealthy lateral movement, and unnoticed data exfiltration. Experienced attack teams are more than likely assigning their best talent to a well-coordinated Christmas hackathon. Penetration of your enterprise would most likely begin with an endpoint compromise through the usual targeted methods: spear phishing, social engineering, watering hole attacks, and so on.
With thousands of business client endpoints readily available, initial infiltration poses little difficulty to seasoned attackers. Standard endpoint security suites exist to protect against previously encountered, known malware, and are essentially worthless against the one-off crafted exploits used in targeted attacks. The attack group will have researched your enterprise and assembled your standard cyber defense products in their labs for pre-deployment evasion testing of their planned exploits. This pre-testing may include the appropriate sandbox evasion techniques if your defenses include sandbox detonation at the enterprise perimeter, although that is not always required, for example when an off-VPN laptop visits a compromised industry watering hole.
The ways in which business endpoints may become compromised are too numerous to list. In many cases the compromise involves nothing more than stolen credentials, with no malware required or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise pristine endpoints. Or the user, and it only takes one among thousands, may be an insider threat or a disgruntled employee. In any large business, some incidence of compromise is inevitable and continual, and the holiday season is ripe for it.
With constant attack activity and inevitable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is an effective way to recognize and react to anomalous endpoint activity, and to do so at scale across thousands of business endpoints. It also augments and works in concert with enterprise network security, by providing endpoint context around suspicious network activity. EDR provides visibility at the endpoint level, equivalent to the visibility that network security provides at the network level. Together they supply the complete picture needed to recognize and react to unusual and potentially significant security incidents across the enterprise.
Some examples of endpoint visibility with potential forensic value are:
- Tracking of user login activity, especially remote logins that might be attacker-directed
- Tracking of user presence and user foreground activity, including normal work patterns, activity durations, etc.
- Monitoring of active processes, their resource consumption patterns, network connections, process hierarchy, and so on
- Collection of executable image metadata, including cryptographic hashes, version info, file paths, date/time of first appearance, and so on
- Collection of endpoint log/audit events, preferably with logging and auditing configured to maximize forensic value while minimizing noise and overhead
- Security analytics to score and rank endpoint activity and surface significant deviations from normal operating patterns to the enterprise SIEM for SOC attention
- Support for agile traversal and drill-down of endpoint forensic data, so analysts can rapidly vet endpoint security anomalies
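The kind of scoring described in the list above, reduced to its essentials as an added example (this is illustrative code, not Ziften's product logic): a per-user baseline of login hours, remote-login habit, known image hashes and parent/child process pairs is learned from pre-holiday telemetry, and later events are scored and ranked for escalation to the SIEM. The event records, hash values and score weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). Records before the cutoff form the
# user's normal pattern; the holiday-week records are the ones to be scored.
EVENTS = [
    {"ts": "2016-12-19T09:02:00", "user": "alice", "type": "login", "remote": False},
    {"ts": "2016-12-19T09:05:00", "user": "alice", "type": "process", "image": "outlook.exe", "sha256": "h-outlook", "parent": "explorer.exe"},
    {"ts": "2016-12-20T08:58:00", "user": "alice", "type": "login", "remote": False},
    {"ts": "2016-12-20T09:10:00", "user": "alice", "type": "process", "image": "winword.exe", "sha256": "h-winword", "parent": "explorer.exe"},
    {"ts": "2016-12-27T03:14:00", "user": "alice", "type": "login", "remote": True},
    {"ts": "2016-12-27T03:16:00", "user": "alice", "type": "process", "image": "svchost.exe", "sha256": "h-unknown1", "parent": "winword.exe"},
    {"ts": "2016-12-27T10:00:00", "user": "alice", "type": "process", "image": "outlook.exe", "sha256": "h-outlook", "parent": "explorer.exe"},
]

def build_baseline(events, cutoff):
    """Learn each user's login hours, remote-login habit, known hashes and parent/child pairs from events before cutoff."""
    base = defaultdict(lambda: {"hours": set(), "remote": False, "hashes": set(), "pairs": set()})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        u = base[e["user"]]
        if e["type"] == "login":
            u["hours"].add(int(e["ts"][11:13]))
            u["remote"] |= e["remote"]
        else:
            u["hashes"].add(e["sha256"])
            u["pairs"].add((e["parent"], e["image"]))
    return base

def score_event(e, baseline):
    """Return (score, reasons); a higher score means further from the user's own baseline."""
    u, score, reasons = baseline[e["user"]], 0, []
    if e["type"] == "login":
        hour, hours = int(e["ts"][11:13]), (u["hours"] or {9})  # assume 09:00 for users with no history
        if e["remote"] and not u["remote"]:
            score += 3; reasons.append("first remote login seen for this user")
        if not (min(hours) - 1 <= hour <= max(hours) + 1):
            score += 4; reasons.append("login outside usual hours (%02d:00)" % hour)
    else:
        if e["sha256"] not in u["hashes"]:
            score += 3; reasons.append("first appearance of image hash " + e["sha256"])
        if (e["parent"], e["image"]) not in u["pairs"]:
            score += 2; reasons.append("unusual parent %s -> %s" % (e["parent"], e["image"]))
    return score, reasons

def rank_for_siem(events, cutoff, threshold=4):
    """Score events on or after cutoff; return those at or above threshold, highest first."""
    baseline = build_baseline(events, cutoff)
    scored = [(s, e["ts"], e["user"], r) for e in events if e["ts"] >= cutoff for s, r in [score_event(e, baseline)]]
    return sorted([hit for hit in scored if hit[0] >= threshold], reverse=True)
```

With the constructed data, the 03:14 remote login and the Office-spawned svchost.exe are escalated while the routine Outlook start scores zero; in practice the weights and the baseline window would be tuned per environment.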
Don't get a lump of coal in your stocking by being caught unawares this holiday season. Arm your enterprise to contend with the threats arrayed against you.