How to Defend Against Sophisticated Endpoint Attacks
In this article
Endpoint attacks have matured tremendously in the last 20 years and are rapidly increasing in sophistication as cybercriminals devise new tactics and techniques. What started with viruses motivated by fame with the goal of widespread infection has evolved into targeted ransomware used by crime syndicates. But much of the information an attacker needs to damage your organization is now stored on desktops, phones and tablets, making endpoint attacks the new perimeter.
This trend will increase as remote working practices continue and employees increase engagement through social media and new collaboration applications. As a result, it's critical to have an attack strategy in endpoint security to protect your data, networks, systems and users from the growing threat of cyber attacks.
What are the types and characteristics of endpoint attacks?
Cybercriminals are continuously honing more sophisticated and more varied methods to launch endpoint attacks. They do so in attempts to attain or steal BitCoin and other cryptocurrencies, personal identifiable information (PII) and banking usernames and passwords. Common endpoint attacks include:
- Ransomware: A form of malware that holds the victim's data or computer hostage and encrypts data until a ransom fee is paid.
- Vulnerability exploits: Attackers are constantly on the lookout for new vulnerabilities in code or software that haven't been spotted by an organization. When they discover one, they develop an exploit kit that allows them to hack into the organization.
- Email phishing: A hacking method in which attackers pose as a trusted email sender to trick users into revealing sensitive information, such as their credit card details or account login details.
- Drive-by downloads: A method commonly used in ransomware attacks, drive-by downloads involve attacks sending users to spoofed websites that install malicious files or software onto a device.
- Watering holes: A form of cyber attack that infects commonly used websites to target groups of users and steal their personal information.
An attack strategy in endpoint security can be waged using different tactics, but they all share common characteristics, such as:
- The Web is the attack distribution vector of choice. Using the Web, attackers can easily spread links to hosted malware via email and instant messaging sites; use command and control servers to manipulate botnets; and install components after infection for multi-staged attacks.
- These attacks are sophisticated. Unique malware variants are polymorphic and metamorphic with automated toolkits allowing for the quick creation of new variants and URL shorteners like bit.ly and ow.ly, providing an easy disguise for malware.
Attacks are targeted in large part because of end-user behavior. As users engage more with social media and select sites, attackers can be more strategic in luring victims.
The best weapon of defense against endpoint attacks used to be antivirus software. Many companies still rely on antivirus as their endpoint security solution, even though the best antivirus scanners are incapable of keeping up with the amount of malware now thrown at them.
However, purpose-built endpoint security solutions are more effective in the evolving modern threat landscape. These solutions forgo antivirus' chase-from-behind approach characterized by a reliance on signatures, product suites or pervasive presence. Instead, they proactively monitor and contain attacks using emerging technologies, such as security automation and machine learning.
The easiest way to examine endpoint protection solutions is to look at those designed to secure endpoints before an attack versus those focused on containing a breach after an attack.
An endpoint protection platform covers the window of compromise between vulnerability and breach and is the best defense before a breach occurs. For example, Gartner defines an endpoint protection platform (EPP) as: "A solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution."
As advanced cyber threats become increasingly diverse and sophisticated, it's crucial to build an endpoint security architecture that discovers and mitigates risks as quickly as possible. This architecture needs to include technologies like:
Sandboxing is a security technique in which suspected files are pushed to a protected environment to analyze their behavior and traits. If traits match those of malware, they're executed or detonated. This technique is particularly effective at preventing zero-day attacks, for which no signature exists.
Historically, sandboxing has been done on-premises. However, more organizations are sandboxing in the cloud as cloud-based solutions can offer faster analysis, better protection for mobile users and more attractive pricing. To be effective, a vendor's sandbox should look like a real endpoint within an organization and support an organization's operating system platforms. However, it's important to note that threat sandboxing isn't a surefire endpoint attacks solution as attackers have devised methods to evade it, and it should be used in conjunction with other cybersecurity solutions.
Machine learning as applied to cybersecurity is an automated form of data analysis that builds a model or algorithm, which allows computers to find hidden insights without being explicitly programmed where to look. For each security event, statistical models produce a confidence score.
Like sandboxing, machine learning is highly effective against zero-day attacks, for which no signature exists. A major benefit of machine learning is its ability to weed out threat noise or non-threatening events, eliminating the need for security operations teams to perform unnecessary investigations. However, implementing machine learning technology doesn't guarantee endpoint safety. Machine learning solutions are dependent on the skill level of security research and data science teams.
Threat feeds curate databases of suspicious or known threats based on IP address, domain name, malicious payloads, suspicious file activity, command-and-control centers and other filters. Filters can be provided by outside vendors, the community or government agencies based on subscription or open source.
Endpoint detection and response (EDR) solutions are focused on security after an attack has occurred. These solutions detect security incidents by monitoring and recording endpoint activity, policy violations and indicators of compromise (IOCs). This insight provides security teams with the visibility they need to discover cyber threats that may otherwise have remained invisible and caused critical damage to the organization.
Endpoint events are used to investigate security incidents to determine the technical changes that occurred and the effect imposed on business. Once a security incident has been discovered, the endpoint can be contained such that network traffic or process execution can be remotely controlled. EDR solutions allow endpoints to be remediated to a pre-infection state, removing malicious activity and repairing other rollbacks.
By providing proactive continuous monitoring and recording of all activity on endpoints and servers, EDR solutions reduce the need for after-the-fact data collection and provide instant aggregate threat information. This decreases the dwell time of targeted attacks and is useful in countering insider threats, conducting internal investigations and improving regulatory responses.
By isolating infected systems, you can limit or control network connectivity of endpoints being investigated and deny attacker access to further systems, preventing lateral movement. Some EDR products provide a secure shell for access to the infected system to perform trusted investigations. This capability removes the burden of distinguishing between malicious and legitimate content or executables while investigating an endpoint attack.
System remediation provides a rollback capability that can restore system files that were deleted or modified during a security attack to a state previous to the incident. This eliminates the need for a costly cleaning operation and significantly accelerates time to remediation.
Although the endpoint market is crowded, the underlying technologies of vendor solutions are quite similar. Rather than comparing feature sets of all the products on the market, it's best to start the selection process based on key requirements. Common key requirements for large organizations considering an attack strategy in endpoint security include:
- Endpoint agent flexibility
- Managed and professional services
- Whether solutions are based in the cloud or on-premises
- Live response and automation
These key requirements can be influenced by a wide range of factors. For example, corporate objectives and priorities and your level of risk appetite may affect business decisions. And from an IT perspective, existing technology investments and future investments in the cloud can narrow a solution. There are also functional considerations, such as the level of collaboration between security and operations, and existing approaches to incident response.
Asking the right questions can help you identify solutions that best meet your key requirements. For example, when evaluating endpoint protection solutions, good questions to ask include:
- Does the solution offer tight integration with network infrastructure?
- Does the solution offer cloud-managed infrastructure?
- Is the solution resource-constrained?
- Does the solution provide dedicated threat hunting?
- Does the solution offer strong API and automation capabilities?
- Is incident response outsourced as part of the solution?
- How quickly can the solution be deployed?
- Does the solution possess post-breach response capabilities?
WWT has been devising innovative approaches and defenses to endpoint security for more than 25 years. Our five-pillar approach provides an end-to-end platform that provides the control, response and visibility you need to protect your data and users from known and emerging threats. And WWT's Advanced Technology Center (ATC) enables us to develop resilient endpoint security architectures that are flexible and robust to help you fight emerging cyber threat vectors.
Learn how WWT can help your organization strengthen defenses against endpoint attacks by discovering our approach to attack strategy in endpoint security and taking our endpoint security workshop.