What are Endpoints?
An endpoint or endpoint device is any machine that runs a standard operating system such as Microsoft Windows, Linux, or macOS.
Sometimes other devices, such as mobile and Internet of Things devices, are also included in the definition. However, the three most significant endpoints for the purposes of an organization, corporate or otherwise, are desktop computers, laptops, and the organization's servers.
How May an Attacker Use Endpoints?
The essential function of an endpoint device is to store and process data. This data is most valuable to cybercriminals, be it the financial resources of a business, private patient information held by a healthcare provider, or the personal files of a top executive. The objective of an attack will typically be to steal or somehow manipulate such valuable data. This means that nearly all attacks will be carried out on or will be headed toward endpoints, making endpoints the crown jewel for threat actors. Here are the four things a criminal might want to do with data accessed through an endpoint:
#1 Establishing and Selling Access
Once an attacker gains control over an endpoint device, they might not go through the hassle of going further themselves. Many cybercriminals will sell what they have learned online, granting access to the device to anyone willing to pay the price. It is these buyers who then, with the knowledge of how to bypass the target's endpoint security solutions, will go on to infiltrate the network and manipulate or steal the data they are after.
#2 Stealing Information
One of the ways these players may interact with data is to steal it. Malicious actors may use endpoints as an entryway into a system and exfiltrate valuable and confidential data that can then be sold or leveraged in some other way, such as by blackmailing the victim.
#3 Locking Data and Extortion
In some cases, an attacker will not bother with exfiltrating data: instead, having control over an endpoint, a malicious actor can infect the system with malware that will encrypt data and demand payment in exchange for unlocking it. This scam is otherwise known as ransomware extortion.
#4 Destroying Data
Finally, a cyber attacker might choose simply to destroy data stored on endpoints. To do so, a threat actor may install malicious software on an endpoint that permanently wipes the device of any information it has stored; this kind of malware is typically called wiperware. Such attacks are relatively uncommon in organizational settings, since the attacker usually has little to gain, and more typically occur in personal feuds. However, an organization may still be a target: there have been cases of such attacks perpetrated by resentful former employees seeking revenge.
Another reason an attacker may wish to destroy data is to cover their tracks, making it more difficult for authorities to trace them.
Why Is it Important to Secure Your Endpoints?
Given the high value of endpoints, it is evident that it is essential to secure them if they contain any data worth protecting. For almost all organizations, data loss can be devastating, and can sometimes take months to even detect.
The way cyber attackers access the information of their victims is always through the internet, meaning that enterprise network monitoring operations must also be in place to secure endpoints. Furthermore, having the appropriate cybersecurity systems is essential in order to get a reasonable cyber insurance premium. Some insurance firms even deny coverage unless certain security systems are in place.
That said, let us now see the main ways to secure endpoints.
How to Secure Endpoints
Currently, there are two principal ways to secure endpoints: preventive methods, and behavior-based monitoring. Here we will explain the differences and importance of both.
Preventive Control: Antivirus Software
The most common method of protecting endpoints is to have antivirus solutions. This is the first line of defense. A traditional antivirus works by scanning files and processes on the system, looking for malicious code. Antivirus software is built to seek out known "signatures" of malicious programs, that is, data patterns known to indicate malicious or suspicious activity. If something on an endpoint matches a signature it knows to be nefarious, it triggers an alert and blocks it accordingly. A good antivirus is continually updated (or is sometimes able to update itself) with new definitions to recognize the ever-evolving landscape of malicious threats.
The main benefits of such a system are that it does not require any training or configuration, and runs constantly in the background without the need for human monitoring.
While an antivirus can be very effective for basic security needs, it is not foolproof. Antivirus software is only able to protect against known threats, meaning that it may not recognize novel or unknown forms of malicious code. This is the constant battle in the realm of cybersecurity: while cybersecurity experts relentlessly attempt to catalog, map, and predict the malicious code that will be used in a cyberattack, advanced cybercriminals are continuously trying to find ways to bypass those defenses.
Therefore, far more sophisticated methods of security must be used if a system is to be protected against unfamiliar threats.
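To make the signature-matching idea and its limitation concrete, here is a small added example (not code from the original article or from any antivirus product). It implements a toy scanner with two kinds of signatures, a fixed byte pattern and a whole-file SHA-256 hash, and runs it over a handful of constructed files. All signature names, byte patterns and file contents are invented for the demonstration; the point is that the scanner catches exactly the samples it has definitions for and misses a variant that differs by a single byte.

```python
import hashlib

# Constructed demo signatures: a "signature" is either a fixed byte pattern
# expected inside a malicious file, or the SHA-256 hash of a whole known sample.
# None of these correspond to real malware families or real AV definitions.
BYTE_SIGNATURES = {
    "Demo.Dropper.A": b"\x55\x8b\xec\x83\xec\x10ZZDROP",
    "Demo.Downloader.B": b"GET /payload.bin HTTP/1.1",
}

# A constructed "known sample"; its hash stands in for a hash-based definition.
KNOWN_WORM_SAMPLE = b"constructed sample body for Demo.Worm.C\x00\x01\x02"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_WORM_SAMPLE).hexdigest(): "Demo.Worm.C"}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature that matches the given file content."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content, as an on-access scanner would walk a disk."""
    return {path: scan_bytes(content) for path, content in files.items()}


def demo() -> dict[str, list[str]]:
    # Constructed files standing in for what sits on an endpoint.
    files = {
        # Carries the dropper byte pattern: detected.
        "C:/Users/demo/Downloads/invoice.exe":
            b"MZ...constructed header..." + BYTE_SIGNATURES["Demo.Dropper.A"] + b"...",
        # Harmless document: no match.
        "C:/Users/demo/Documents/notes.txt":
            b"Quarterly planning notes, nothing malicious here.",
        # Byte-for-byte the known sample: hash signature fires.
        "C:/Users/demo/Downloads/update.exe": KNOWN_WORM_SAMPLE,
        # Same sample with one trailing byte appended: the hash no longer matches,
        # so a purely signature-based scanner reports nothing.
        "C:/Users/demo/Downloads/update2.exe": KNOWN_WORM_SAMPLE + b"\x00",
        # Dropper with a single filler byte (0x90) inserted inside the pattern:
        # the fixed byte signature no longer matches either.
        "C:/Users/demo/Downloads/invoice2.exe":
            b"MZ..." + b"\x55\x8b\xec\x90\x83\xec\x10ZZDROP" + b"...",
    }
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {hits or 'clean'}")
```

The two "variant" files are exactly the unknown-threat case described above: the behaviour of the program has not changed, but because the definition is tied to a byte sequence or a hash, a trivial change to the file is enough to slip past it. Real antivirus products use far richer matching (wildcards, heuristics, emulation), but the underlying dependency on having seen the threat before is the same.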
Endpoint Detection and Response (EDR) Systems
Endpoint Detection and Response (EDR) works as a second, more advanced layer of defense against cyber threats. EDR systems are proactive, meaning that they continually monitor endpoints for suspicious behavior rather than just being limited to pre-defined patterns of malicious code. This allows them to detect anomalous behaviors on endpoints and quickly respond in order to mitigate threats. EDR works by collecting and analyzing data from endpoints such as the operating system, memory, and network activity to establish an understanding of the typical user's normal patterns of behavior on the device. EDR, therefore, is able to know what programs are used and how they are used. As soon as the EDR system sees behavior that deviates from the norm, it triggers an alert.
For instance, an attacker, after gaining access to an endpoint, might attempt to use a legitimate program to execute commands in order to exfiltrate valuable files. Some attackers will open Microsoft Excel, from which a program called PowerShell may be launched. PowerShell is a valuable tool for system administrators, IT professionals, and developers because of its powerful features that enable complex automation tasks to be executed quickly. However, a cyber attacker may exploit the functions of PowerShell to their advantage, thus using a legitimate program to perform nefarious deeds.
Such activity will go under the radar of a traditional antivirus, which will be unable to identify and block the malicious use of a legitimate program. On the other hand, an EDR system is able to detect these types of anomalous behaviors by referencing what normal usage looks like on that device. If an EDR system detects suspicious behavior, it will create an alert for cybersecurity professionals. These professionals are an essential component of the EDR system, as only they will be able to properly investigate, and take the appropriate steps to isolate the endpoint from the network and neutralize the threat.
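The Excel-to-PowerShell scenario above is exactly the kind of thing a behaviour-based rule catches. As an added illustration (not code from the article or from any EDR vendor), the following script works over constructed process-creation events in a simplified schema: it first learns which parent-to-child process relationships are normal on a host from a baseline period, then flags live events either because an Office application spawned a shell, or because the parent/child pairing was never seen in the baseline. The event fields, host names, user names and command lines are all invented for the example; it generalizes the article's single Excel/PowerShell case to any Office application and any common scripting host.

```python
from dataclasses import dataclass

# Office applications and shells/script hosts used by the first rule.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event in a constructed, EDR-sensor-like schema."""
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Normalize an image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def learn_baseline(events: list[ProcessEvent]) -> set[tuple[str, str]]:
    """Record every (parent, child) pairing observed during the learning period."""
    return {(basename(e.parent_image), basename(e.image)) for e in events}


def detect(events: list[ProcessEvent], baseline: set[tuple[str, str]]) -> list[dict]:
    """Return one alert per suspicious event; normal events produce nothing."""
    alerts = []
    for e in events:
        parent, child = basename(e.parent_image), basename(e.image)
        if parent in OFFICE_APPS and child in SHELLS:
            # Rule 1: an Office document should not be launching a shell,
            # regardless of whether the shell itself is a legitimate program.
            alerts.append({"severity": "high", "rule": "office-app-spawned-shell",
                           "host": e.host, "user": e.user,
                           "parent": parent, "child": child, "at": e.timestamp})
        elif (parent, child) not in baseline:
            # Rule 2: lineage never seen on this host; needs an analyst to decide.
            alerts.append({"severity": "medium", "rule": "lineage-not-in-baseline",
                           "host": e.host, "user": e.user,
                           "parent": parent, "child": child, "at": e.timestamp})
    return alerts


# Constructed baseline: what the host looked like during normal use.
BASELINE_EVENTS = [
    ProcessEvent("2023-05-01T09:00:00Z", "WS-042", "jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE"),
    ProcessEvent("2023-05-01T09:05:00Z", "WS-042", "jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcessEvent("2023-05-01T09:10:00Z", "WS-042", "SYSTEM", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    # The local admin runs PowerShell from Explorer routinely, so that lineage is normal.
    ProcessEvent("2023-05-01T10:00:00Z", "WS-042", "ladmin", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

# Constructed live events, including the Excel -> PowerShell case from the text.
LIVE_EVENTS = [
    ProcessEvent("2023-05-02T08:31:00Z", "WS-042", "jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE invoice.xlsm"),
    ProcessEvent("2023-05-02T08:31:07Z", "WS-042", "jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.ps1"),
    ProcessEvent("2023-05-02T08:40:00Z", "WS-042", "ladmin", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcessEvent("2023-05-02T08:45:00Z", "WS-042", "jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def demo() -> list[dict]:
    return detect(LIVE_EVENTS, learn_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['severity']}] {a['rule']} on {a['host']} ({a['user']}): {a['parent']} -> {a['child']}")
```

Note what the two rules do and do not decide. PowerShell itself is never the signal: the same binary run by the administrator from Explorer matches the baseline and is silent. The Excel-launched instance is flagged on its lineage, and the Notepad launch is flagged only because it was never seen during learning, which is precisely why the article insists on analysts behind the tool: a medium alert like that may be an attacker's staging or just a user opening a text editor for the first time, and only an investigation tells which.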
Three Best Endpoint Security Practices
Seeing how important endpoints are for attackers, and how crucial endpoint security is for an organization’s safety, here are three key tips to consider when putting together endpoint security solutions:
#1 Implement Behavior-Based Endpoint Protection
As we have seen, an antivirus is the first, indispensable line of defense, and keeping it updated is a must. Nonetheless, it will only go so far, as attackers will go far beyond traditional malware technologies to get to sensitive data. In order for businesses and other organizations to better defend against an advanced threat, EDR security software and services must be put in place.
#2 Do Not Rely on Automation - Employ Competent Workers
EDR systems are as effective as the team responsible for managing them; this means it is important to have a cybersecurity team with the necessary skills, experience, and access to the latest threat intelligence in order to be able to properly investigate any threat that might present itself. It is also important for these teams to be monitoring the system and attending to alerts in order to ensure enterprise security.
A common mistake that organizations make when implementing EDR as a security solution is to overly rely on the automatic endpoint protection platform, and ignore the personnel required for an appropriate response. Unlike many other security solutions, EDR requires a dedicated team of people to be actively engaged in monitoring processes to properly safeguard against threats. If an EDR system detects unusual activity on any endpoint devices, but there is no expert to investigate the issue, the cybercriminal will experience minimal disruption, if any.
#3 Consider Hiring a Third-Party Organization
Many organizations are increasingly turning to third-party vendors for endpoint protection solutions. This is because the complexity and sophistication of today’s threats call for specialized skillsets, and a team of proficient end-user support staff specifically dedicated to network security. Additionally, Managed Detection and Response (MDR) services provide advanced threat detection capabilities that may not be easily accessible otherwise. Therefore, for many businesses, building a dedicated endpoint security team is difficult and costly, making outsourcing a wise option to engage in up-to-date threat intelligence and endpoint security.
In conclusion, endpoints are a critical target for attackers because they are warehouses of valuable data. To properly protect endpoints from threat actors, it is important to implement preventive methods, including endpoint protection software such as a traditional antivirus. However, it is unwise to rely solely on prevention technologies, as more advanced threats will know how to bypass them. This makes endpoint detection and response (EDR) systems all the more important to ensure network security. Even so, merely installing EDR technologies on a network is not enough if a competent cybersecurity team is not looking out for threats. Such a team should be involved 24/7 in order to investigate any suspicious activity and formulate a response.
As an alternative to building one's own team, hiring third-party organizations specialized in endpoint security solutions can help acquire the necessary infrastructure with minimal disruption and cost.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.