Anatomy Of an Endpoint Attack: How A Cyberattack Can Compromise an Enterprise Network – Source: www.cyberdefensemagazine.com

By Guillermo Gomez, Vice President of Endpoint Product, WatchGuard Technologies

For truly effective network security posture, it’s crucial to protect all of your company’s devices as cyber adversaries can turn any endpoint – phones, computers, virtual machines, embedded devices, servers, POS terminals – into an entry point into your organization. Unprotected endpoints are a leading attack vector for malicious actors, who often move from one to another until they find a way to penetrate more deeply into a network. That’s why it’s so critical to have visibility across all endpoints in your organization.

However, establishing this comprehensive visibility and ensuring all endpoints are protected isn’t always easy. Knowing how to properly lock down the myriad devices within your company’s network and maintain protection first requires knowledge of how a cyberattack typically begins and spreads through your systems. Below, we’ll walk through what the stages of an endpoint attack look like and provide tips on how to stop these threats in their tracks.

The anatomy of an endpoint attack

There are countless ways for a threat actor to conduct an attack and move laterally through your network. One common method is to conduct a spam or phishing campaign sending emails with a dangerous attachment to unsuspecting users throughout an organization. An end user within your network might click on the attachment and launch an initial malware payload. If their device isn’t equipped with an endpoint security solution, that malicious element will start running. The incident might result in an infection with lesser impacts to your network. However, it is common that the malicious element is a command-and-control link to a remote cell that connects to an operator who is waiting to compromise the device. They will attempt to access the environment in which the device is running and begin analyzing your network for vulnerabilities and valuable assets.

The malicious actor will then start querying the network the same way that security professionals do to discover other devices. Attackers have grown more sophisticated; depending on their findings or how far they get in your network, they likely won’t trigger many alerts nor be in a hurry to launch the attack. They’ll move carefully through the network, scanning for additional devices they can access and credentials they can steal. For instance, if remote desktop protocol (RDP) services are enabled, the attacker will leverage those RDP connections with the credentials they have stolen to try accessing a different device. They will continue using different exploits to access more devices, gather more credentials and gain more knowledge about the network. If they can get the device’s security domain, the adversary may sell that information via the dark web to a different threat group that may be interested in orchestrating a larger attack.

Attackers often operate unnoticed for days or weeks, waiting patiently to launch the attack until they have stolen all the data they want. Those managing the network must be aware that, if the attacker has accessed it for a while and notices the network operator is implementing additional security measures, they may immediately launch their attack while they still have access.

Increasing visibility to secure endpoints

There are several steps that security teams can take to protect their endpoints and mitigate risk, even in the event of a breach. Some best practices that teams should adopt to strengthen their network security include:

• Establish comprehensive visibility across all endpoints. As mentioned, an essential measure for security teams is to have extensive visibility of all endpoints. Advanced security tools with sophisticated discovery capabilities will help increase visibility by identifying those endpoints that are unprotected and inform the necessary steps for installing protection and continued monitoring. For instance, if you have a network of 100 computers and 10 are unprotected, a security tool with advanced discovery can identify all endpoints attached to the network and show which 10 remain unprotected, allowing you to manage those unmanaged endpoints.
• Employ multi-factor authentication. Malicious actors will try various methods, including brute force attacks, to gain access to security credentials and use them throughout your network. If an attacker can steal the security administrator’s credentials and log into the security product’s console, they will try to uninstall or disable the security product from the admin console. Requiring multi-factor authentication (MFA) in all these critical services can prevent an attacker from disabling the security measures from the code itself. Measures like MFA can mitigate much of the risk and limit the extent of an attack.
• Implement a vulnerability management process. Security teams must ensure that all software being used is updated. A notable way that threat actors move laterally within a network is by exploiting known vulnerabilities in existing software. Organizations can significantly reduce their risk by implementing a vulnerability management process that is designed to regularly patch software, operating system and third-party vulnerabilities. Removing this “easy button” for attackers makes their job much harder and can prevent many common attacks from succeeding.
• Hire a managed service provider. Maintaining security effectively is a service. Managed service providers (MSPs) are valuable resources who can provide comprehensive, dedicated services to significantly reduce the security risks that companies face. They can manage the appropriate security configuration and operation of protected devices. The work of MSPs is critical for protecting end users.
• Consider an MDR service. As cyberthreats have grown increasingly complex, many organizations – especially small and midmarket companies – have come to realize that they don’t have the resources or expertise to defend themselves on their own. As a result, managed detection and response (MDR) services have become increasingly popular. Consider employing an MDR service to help with providing 24/7 threat detection and response services. If your company isn’t ready to go the MDR route, you should at least consider using a security solution that includes advanced security services – such as services that classify 100% of the executables, for instance – with its usage license.

An important concept to understand is that effective security requires more than a technology solution; what is needed is a combination of technology and security services managed by a team of experts. Organizations shouldn’t simply deploy a security solution, they need to manage that security solution and put people in place to analyze the activity and anomalies that their security tools uncover. If your organization doesn’t have a security operations team, it’s probably worth subscribing to an MDR service instead of trying to do the work by yourself. Because ultimately, effective security requires constant monitoring. With the right people, products and processes, you can protect your endpoints and your entire network.

About the Author

Guillermo Gómez, Market Owner for Endpoint Security, is responsible for leading the evolution and success of the Endpoint product line at WatchGuard. With 25 years of experience in the Endpoint Security space. He started his career as an engineer, though he moved to management positions to initially lead Product Development and, finally, to be responsible for Product Management, Product Development, IT, and Support areas at Panda Security.