Charles Leaver – Hackers Will Not Take A Christmas Holiday

Written by Ziften CEO Charles Leaver

The holiday period is a prime time for cyber criminals, organized syndicates and state-sponsored groups to attack your organization. A reduced number of IT staff on duty improves the odds of undiscovered endpoint compromise, stealthy lateral movement, and undetected data exfiltration. Experienced attack groups are probably assigning their best talent to a well-coordinated Christmas hackathon. Penetration of your business would likely begin with an endpoint compromise through the usual targeted techniques of spear phishing, social engineering, watering hole attacks, and so on.

With thousands of business client endpoints available, initial penetration poses little difficulty for skilled attackers. Traditional endpoint security suites exist to protect against previously encountered commodity malware, and are essentially worthless against the one-off crafted exploits used in targeted attacks. The attack group will have studied your enterprise and assembled your standard cyber defense products in their lab for pre-deployment evasion testing of prepared exploits. This pre-testing may include suitable sandbox evasion methods if your defenses include sandbox detonation at the enterprise perimeter, although this is not always needed, for instance with off-VPN laptops visiting compromised industry watering holes.

The ways in which business endpoints can be compromised are too many to list. In many cases the compromise may involve only stolen credentials, with no malware needed or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise pristine endpoints. Or the user, and it takes just one among thousands, may be an insider adversary or a disgruntled employee. In any large business, some incidence of compromise is unavoidable and continual, and the holiday period is ripe for it.

With relentless attack activity and unavoidable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful way to recognize and react to anomalous endpoint activity, and to do so at scale across many business endpoints. It also complements business network security by providing endpoint context around suspicious network activity. EDR gives visibility at the endpoint level comparable to the visibility that network security provides at the network level. Together they provide the complete picture needed to identify and respond to unusual and potentially significant security events across the enterprise.

Some examples of endpoint visibility of possible forensic value are:

  • Tracking of user login activity, especially remote logins that might be attacker-directed
  • Tracking of user presence and user foreground activity, including common work patterns, activity durations, etc.
  • Tracking of active processes, their resource usage patterns, network connections, process hierarchy, etc.
  • Collection of executable image metadata, including cryptographic hashes, version info, file paths, date/times of first appearance, and so on
  • Collection of endpoint log/audit events, ideally with logging and audit configuration tuned to maximize forensic value while reducing noise and overhead
  • Security analytics to score and rank endpoint activity and bubble up significant operating-pattern anomalies to the enterprise SIEM for SOC attention
  • Support for agile traversal and drill-down of endpoint forensic data for quick analyst vetting of endpoint security anomalies
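As an added illustration of the login tracking and analytics items above (example code written for this post, not Ziften's or any product's logic): a minimal routine that builds a per-user baseline of logon hours and logon sources from constructed sample telemetry, then scores and ranks holiday-period logons that fall outside that baseline for SIEM escalation. The event format, weights and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon telemetry (not real data): (user, ISO timestamp, source),
# where source is "console" for a local logon or "remote" for a network logon.
BASELINE = [  # normal working weeks before the holiday
    ("alice", "2023-12-04T09:05:00", "console"),
    ("alice", "2023-12-07T17:40:00", "console"),
    ("bob", "2023-12-04T22:10:00", "remote"),  # bob routinely works late, remotely
    ("bob", "2023-12-06T21:45:00", "remote"),
]
HOLIDAY = [  # events observed over the holiday period
    ("alice", "2023-12-25T03:12:00", "remote"),       # remote logon at 03:12
    ("bob", "2023-12-25T22:05:00", "remote"),         # matches bob's usual pattern
    ("svc_backup", "2023-12-26T02:00:00", "remote"),  # account never seen before
]

def build_baseline(events):
    """Per-user sets of logon hours-of-day and logon sources seen in the baseline."""
    hours, sources = defaultdict(set), defaultdict(set)
    for user, ts, source in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        sources[user].add(source)
    return hours, sources

def score_event(event, baseline):
    """Additive anomaly score plus reasons; higher means further from the user's pattern."""
    hours, sources = baseline
    user, ts, source = event
    hour = datetime.fromisoformat(ts).hour
    hits = []  # (weight, reason) pairs; weights are assumed, tune to your environment
    if user not in hours:  # no history at all for this account
        hits.append((3, "user absent from baseline"))
    else:
        if hour not in hours[user]:  # outside the user's observed logon hours
            hits.append((2, "hour outside observed pattern"))
        if source not in sources[user]:  # e.g. first remote logon for a console-only user
            hits.append((2, "logon source not previously seen"))
    if source == "remote":  # remote logons carry extra weight regardless of history
        hits.append((1, "remote logon"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def rank_anomalies(events, baseline, threshold=3):
    """Return (score, event, reasons) for events at or above threshold, highest first."""
    ranked = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            ranked.append((score, ev, reasons))
    return sorted(ranked, key=lambda item: item[0], reverse=True)
```

With the sample data, alice's 03:12 remote logon and the never-before-seen svc_backup account are escalated, while bob's late remote logon matches his baseline and is not.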

Don’t get a lump of coal in your stocking by being caught unawares this Christmas. Arm your enterprise to contend with the hazards arrayed against you.

Happy Christmas!