Maintaining Endpoint Security to Protect Your Network
Endpoint visibility allows you to see threat indicators on the endpoint
By: Kevin Strickland
Growing innovation can mean a lot of things to an organization: new functionality, increased efficiency and, potentially, added risk. New technologies and the proliferation of connected devices have increased the attack surface, and to stay ahead of an evolving threat landscape, businesses must adopt new security solutions. For starters, it is critical to have 24/7 network and endpoint visibility that lets you spot malicious activity as soon as it enters your environment, increasing the likelihood of shutting it down quickly and minimizing the consequences. Organizations have become good at detecting malicious activity at the network level using tools like firewalls and an IDS/IPS. However, once an attacker is inside your environment, these network sensors do not reveal which commands were executed or which actions were taken on an endpoint, nor do they necessarily tell you whether data was exfiltrated. An endpoint detection agent, by contrast, can monitor all of your endpoints and provide a continuous record of their activity, even when an infected endpoint is not connected to the corporate network.
Experiencing a Breach is a Matter of When – Not If
With the proliferation of online threats, the likelihood is that your endpoints will be compromised, infected or breached. Given enough time, threat actors can find their way around whatever endpoint protections you have in place. Many threat actors remain in a network for months before being discovered, and often it is a third party, such as the FBI, the Secret Service or a vendor, that discovers the breach and informs the victim. By that time, a lot of damage has already been done. Once attackers are inside your network they "live off the land," meaning they use tools native to your operating system to harvest credentials and move laterally across your network rather than dropping easily detected malware.
Windows Tools that Help and Hinder
Windows includes many tools that help administrators secure your environment, but in the wrong hands, these same components can cause damage. One popular target for threat actors extracting user credentials is the Local Security Authority Subsystem Service (lsass.exe). Part of the Windows operating system, LSASS verifies user logons to a PC or server and holds credential material for logged-on users in its memory; an attacker who can read that memory, for example by dumping the process, can extract employees' credentials and use them to move further around your environment.
Ransomware often interacts with another native Windows component, the Volume Shadow Copy Service (VSS), which lets Windows keep backup copies, or "snapshots," of files, and with its command-line administration tool, vssadmin. Ransomware commonly deletes those shadow copies (for example, with vssadmin delete shadows /all /quiet) so that victims cannot restore their encrypted data from a local snapshot.
Ntdsutil, a Microsoft command-line tool for Active Directory management, can also be turned against you: its "install from media" (ifm) option lets an attacker with domain controller access obtain a copy of the NTDS.dit database, which contains the password hashes for every user in the domain. With those hashes, attackers can potentially authenticate as any account and subsequently access all of your files.
Administrators often need to access an employee's computer remotely and use tools such as PsExec and PAExec to do so. Attackers who have a foothold in your network use those same tools to reach your computers. An employee could be working on her computer at the same time an attacker is lurking in the background, viewing and gathering information.
As well as abusing tools that ship with the operating system, threat actors harvest credentials with external tools like Mimikatz, WCE and PWDump. These tools are well known in the security community, so attackers often use custom or repacked variants of them to evade antivirus signatures.
Visibility is Key to a Strong Cybersecurity Program
If tools like PsExec are not commonplace in your organization and you discover they are being used, that could indicate threat activity in your network. Visibility into your endpoints is critical to spotting this and other suspicious activity. Endpoint visibility gives you security monitoring and indicators that these tools have been run, so you can investigate whether or not the use was legitimate.
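To make the tool-abuse patterns from the previous section and the "is PsExec normal here?" question above concrete, here is an added example (not code from the original article or its author) that runs simple detection logic over constructed endpoint telemetry. It assumes Sysmon-style process-creation (event 1) and process-access (event 10) records already parsed into dicts; the field names, host names, user names and the allowlist of processes that legitimately touch lsass.exe are all illustrative assumptions that you would tune to your own environment.

```python
"""Added example: flag living-off-the-land tradecraft in endpoint telemetry.

The records below are constructed for illustration and follow Sysmon field
naming (event 1 = process create, event 10 = process access); they are not
real logs, and the allowlist is an assumed baseline, not a vendor default.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Processes assumed to legitimately open lsass.exe with read access (tune per host build).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010          # access-mask bit needed to read LSASS memory
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe", "psexesvc.exe"}

# Constructed sample events (made-up hosts, users and paths).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "host": "DC-01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"event_id": 1, "host": "WS-017", "user": "CORP\\helpdesk",
     "image": r"C:\Tools\PsExec64.exe",
     "command_line": r"PsExec64.exe \\WS-042 -s cmd.exe"},
    {"event_id": 10, "host": "WS-042", "user": "CORP\\alice",
     "source_image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},
    {"event_id": 10, "host": "WS-042", "user": "NT AUTHORITY\\SYSTEM",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1fffff"},
    {"event_id": 1, "host": "WS-099", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> list[Finding]:
    """Return zero or more findings for a single telemetry record."""
    out: list[Finding] = []
    host, user = event["host"], event["user"]
    if event["event_id"] == 1:
        cl = event["command_line"].lower()
        img = basename(event["image"])
        # Shadow-copy deletion via vssadmin or the wmic equivalent.
        if (re.search(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", cl)
                or re.search(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", cl)):
            out.append(Finding(host, user, "shadow_copy_deletion", event["command_line"]))
        # ntdsutil touching the ntds store or creating install-from-media output.
        if re.search(r"\bntdsutil\b.*\b(ifm|ntds)\b", cl):
            out.append(Finding(host, user, "ntds_dump", event["command_line"]))
        # Remote-execution utilities that may be unusual for this environment.
        if img in REMOTE_EXEC_TOOLS:
            out.append(Finding(host, user, "remote_exec_tool", event["command_line"]))
    elif event["event_id"] == 10 and basename(event["target_image"]) == "lsass.exe":
        src = basename(event["source_image"])
        access = int(event["granted_access"], 16)
        # Only read-capable handles from non-baseline processes are interesting.
        if src not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
            out.append(Finding(host, user, "lsass_access",
                               f"{event['source_image']} access={event['granted_access']}"))
    return out


def triage(events: list[dict]) -> list[Finding]:
    """Classify every record and return all findings in input order."""
    return [f for e in events for f in classify(e)]


def hosts_touched(findings: list[Finding]) -> list[str]:
    """Which endpoints need an investigator's attention, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:8} {f.user:22} {f.technique:22} {f.detail}")
    print("hosts to investigate:", ", ".join(hosts_touched(found)))
```

On the constructed input the script flags the shadow-copy deletion, the ntdsutil IFM export, the PsExec launch and the unsigned-temp-directory process reading LSASS, while the notepad launch and csrss.exe's handle to LSASS produce nothing. The important design choice is that the LSASS rule keys on the access mask and an allowlist rather than on the tool name, because the article's point is that attackers repack Mimikatz-style tools to dodge signature matching; the behaviour (a read handle to lsass.exe from an unexpected parent) is what survives the repacking.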
To determine whether your network has been breached, and to follow up on activity your network sensors (firewalls and IDS/IPS) have already flagged, you need to see what has been happening on your endpoints. Threat actors could be on a small subset of systems or on several hundred. Checking all your endpoints manually could take days or weeks, but endpoint visibility allows you to quickly detect anomalous activity and know exactly which endpoints the attackers have touched, what parts of your network they have accessed and how they got in, so you can respond rapidly.