Why Endpoint Resilience Is Important

Security professionals must recognize that each endpoint is responsible for some or all of its own security.


LastPass, a password management company, made headlines last month when it revealed that one of its DevOps engineers had his personal home computer hacked and infected with keylogging malware, resulting in the exfiltration of corporate data from the vendor's cloud storage resources. The story sheds new light on the significance of endpoint resilience.

Typically, media coverage of mega breaches (e.g., AT&T, Independent Living Systems, Zoll Medical Data, Latitude Financial Services) focuses on the exfiltration points rather than how the threat actor got there. However, post-mortem analysis has repeatedly revealed that compromised credentials are the most common source of a hack, which is then used to establish a beachhead on an end-user endpoint (e.g., a computer). As a result, comprehensive cybersecurity strategies should include endpoint resiliency as an essential component of the overall approach.

The Lifecycle of a Cyberattack Today

The majority of today's cyberattacks begin with credential harvesting campaigns that employ social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or a combination of these. Cybercriminals also profit from the sale of millions of stolen credentials on the Dark Web.

Attackers use brute force, credential stuffing, or password spraying campaigns to gain access to their target environment once they have stolen, weak, or compromised credentials. Cyber adversaries are increasingly taking advantage of the fact that organizations and their workforce rely on mobile devices, home computers, and laptops to connect to company networks in order to conduct business.

As a result, these endpoint devices become the natural entry point for many attacks. According to a Ponemon Institute survey, 68 percent of organizations experienced a successful endpoint attack in the previous 12 months.
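The credential-based entry described above leaves a recognizable trace in authentication logs, and telling the patterns apart matters because they call for different responses (lockout tuning for brute force versus source blocking and MFA enforcement for spraying). The following is an added example, not code from the original article: it classifies failed-login sources from a constructed log sample whose format, addresses and thresholds are all assumptions for illustration.

```python
"""Classify failed-login patterns as password spraying or brute force.

Added example, not part of the original article. The log format
("<timestamp> <source_ip> <username> <result>"), the addresses and the
thresholds are constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log: one source tries many accounts once each (spraying),
# one source hammers a single account (brute force), one is ordinary noise.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 203.0.113.7 alice FAIL
2024-03-01T08:00:02Z 203.0.113.7 bob FAIL
2024-03-01T08:00:03Z 203.0.113.7 carol FAIL
2024-03-01T08:00:04Z 203.0.113.7 dave FAIL
2024-03-01T08:00:05Z 203.0.113.7 erin FAIL
2024-03-01T08:00:06Z 203.0.113.7 frank FAIL
2024-03-01T08:01:00Z 198.51.100.9 alice FAIL
2024-03-01T08:01:01Z 198.51.100.9 alice FAIL
2024-03-01T08:01:02Z 198.51.100.9 alice FAIL
2024-03-01T08:01:03Z 198.51.100.9 alice FAIL
2024-03-01T08:01:04Z 198.51.100.9 alice FAIL
2024-03-01T08:01:05Z 198.51.100.9 alice FAIL
2024-03-01T08:01:06Z 198.51.100.9 alice FAIL
2024-03-01T08:01:07Z 198.51.100.9 alice FAIL
2024-03-01T08:02:00Z 192.0.2.44 grace FAIL
2024-03-01T08:02:30Z 192.0.2.44 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events


def classify_sources(events, spray_min_users=5, spray_max_per_user=2,
                     brute_min_fails=5):
    """Return {source_ip: label} for sources whose failure pattern is suspicious.

    Spraying: many distinct accounts, very few attempts against each.
    Brute force: one account, many failed attempts.
    Anything else is treated as ordinary noise and not reported.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> fail count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]][e["user"]] += 1

    findings = {}
    for ip, per_user in fails.items():
        total = sum(per_user.values())
        distinct = len(per_user)
        max_per_user = max(per_user.values())
        if distinct >= spray_min_users and max_per_user <= spray_max_per_user:
            findings[ip] = "password_spraying"
        elif distinct == 1 and total >= brute_min_fails:
            findings[ip] = "brute_force"
    return findings


if __name__ == "__main__":
    for ip, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {label}")
```

Credential stuffing looks like spraying in these logs (many accounts, one attempt each) and is distinguished by the source of the credential pairs rather than by the counts, so the thresholds above should be tuned against each environment's own baseline of failed logins before being used for alerting.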

Many organizations deploy security tools such as data loss prevention, disk and endpoint encryption, endpoint detection and response, and anti-virus or anti-malware as a first step to protect endpoints and reduce risk exposure. However, IT and security professionals have little insight into the effectiveness of these tools. For example, unmonitored security applications on endpoints can quickly degrade and become compromised. Many factors can have an impact on application health, including a lack of updates, software collision, unintentional deletion by end users, and malicious compromise.

Absolute Software conducted a study on the effectiveness of enterprise security controls and discovered that security tools were typically working effectively on less than 80% of devices, and in some cases as low as 35%. Where these controls are not working, cyber adversaries frequently move laterally to perform additional reconnaissance, identify IT schedules and network traffic flows, and scan the entire IT environment to gain an accurate picture of its resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime targets for reconnaissance in search of additional privileged credentials and access.
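The two preceding paragraphs argue that agent health decays silently and that coverage figures such as "less than 80% of devices" only become visible when someone measures them. The following added example (not code from the original article or from any vendor named in it) shows what such a measurement looks like: it audits a constructed fleet inventory for the failure modes the text lists, namely missing updates, agents stopped or removed, and agents that have gone silent, and reports per-control coverage. The inventory format, agent names, required versions and heartbeat window are all assumptions.

```python
"""Audit endpoint security-agent health across a fleet inventory.

Added example, not part of the original article or of any vendor's tooling.
The inventory records, control names, minimum versions and the 24-hour
heartbeat window are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# control -> minimum acceptable agent version (constructed values)
REQUIRED = {
    "edr": (5, 2),
    "disk_encryption": (3, 0),
    "dlp": (2, 8),
}
# Fixed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc)
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=24)  # agent must have reported within this window

# Constructed inventory export: one record per device, one entry per installed agent
FLEET = [
    {"host": "wks-001", "agents": {
        "edr": {"version": "5.3", "running": True, "last_seen": "2024-03-01T11:50:00Z"},
        "disk_encryption": {"version": "3.1", "running": True, "last_seen": "2024-03-01T11:50:00Z"},
        "dlp": {"version": "2.9", "running": True, "last_seen": "2024-03-01T11:50:00Z"}}},
    {"host": "wks-002", "agents": {
        # EDR never received its update; DLP service was stopped weeks ago
        "edr": {"version": "4.9", "running": True, "last_seen": "2024-03-01T11:00:00Z"},
        "disk_encryption": {"version": "3.1", "running": True, "last_seen": "2024-03-01T11:00:00Z"},
        "dlp": {"version": "2.9", "running": False, "last_seen": "2024-02-20T09:00:00Z"}}},
    {"host": "lap-003", "agents": {
        # EDR claims to run but has not reported; DLP agent is absent entirely
        "edr": {"version": "5.3", "running": True, "last_seen": "2024-02-25T08:00:00Z"},
        "disk_encryption": {"version": "3.1", "running": True, "last_seen": "2024-03-01T11:55:00Z"}}},
]


def parse_version(v):
    """Turn "5.3" into (5, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def agent_issues(control, agent, now=NOW):
    """Return the list of reasons this agent is not providing effective coverage."""
    if agent is None:
        return ["missing"]  # deleted by a user, never deployed, or removed by an attacker
    issues = []
    if parse_version(agent["version"]) < REQUIRED[control]:
        issues.append("outdated")
    if not agent["running"]:
        issues.append("not_running")
    last_seen = datetime.fromisoformat(agent["last_seen"].replace("Z", "+00:00"))
    if now - last_seen > MAX_SILENCE:
        issues.append("stale_heartbeat")
    return issues


def audit(fleet, now=NOW):
    """Return (coverage percent per control, {host: {control: [issues]}})."""
    healthy = {c: 0 for c in REQUIRED}
    problems = {}
    for dev in fleet:
        for control in REQUIRED:
            issues = agent_issues(control, dev["agents"].get(control), now)
            if issues:
                problems.setdefault(dev["host"], {})[control] = issues
            else:
                healthy[control] += 1
    coverage = {c: round(100 * healthy[c] / len(fleet), 1) for c in REQUIRED}
    return coverage, problems


if __name__ == "__main__":
    coverage, problems = audit(FLEET)
    for control, pct in coverage.items():
        print(f"{control}: {pct}% of devices effectively covered")
    for host, per_control in problems.items():
        print(host, per_control)
```

The point of reporting coverage per control rather than per device is that a fleet can look fully encrypted while EDR is effectively absent on two thirds of it, which is exactly the gap the study figures describe; feeding the `problems` map back into the endpoint management system is what turns the measurement into resilience.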

Once an attacker has determined the location of valuable data, they typically seek ways to elevate access privileges in order to exfiltrate the data and conceal their activity.

Rising Endpoint Resilience

When establishing visibility and security controls across endpoints, security professionals must recognize that each endpoint is responsible for some or all of its own security. This contrasts with the traditional network security approach, in which established security measures apply to the network as a whole rather than to individual devices and servers. Making each endpoint resilient is therefore critical to implementing a successful defense strategy.

Forrester Research recommends taking a proactive approach to endpoint security and establishing endpoint resilience to combat human error, malicious actions, and decayed, insecure software. Organizations should consider resilience as part of their planning process when modernizing endpoint management strategies, because there is no guarantee that security controls installed on employee devices will not degrade or become compromised over time.
