
Four ways enterprises can transform their endpoint security in 2022

The biggest gaps to close will be around identity exposure visibility and identity detection and response

Ray Kafity, VP META at Attivo Networks

Compromising an endpoint is one of the most common ways for an attacker to access an organisation’s network. As more organisations grapple with the challenges of hybrid workplaces and unmanaged devices, security teams need to rethink their approach to endpoint security.

Endpoint detection and response (EDR) tools have enhanced endpoint protection solutions. Multifactor authentication (MFA) has improved the process for ensuring that users can securely connect to their networks in a “work from anywhere” environment. However, despite these advancements in endpoint security defenses, there are still fundamental weaknesses in preventing credential theft and misuse, privilege escalation, and lateral movement attack activities.

Security teams can start by widening the scope of endpoint protection beyond preventing the initial compromise to identity security: protecting the credentials stored on and reachable from the endpoint, surfacing overprovisioned entitlements, and detecting privilege escalation and lateral movement.

The good news is that technology now exists to stop attackers from breaking out of a compromised endpoint. There are four key ways businesses should prepare and equip themselves to stop these threats. Each reduces risk and bolsters ransomware attack readiness.

Step 1: Identity exposure visibility for attack surface reduction on the endpoint

The Colonial Pipeline incident showed that a single compromised VPN password, on an account without MFA, can enable a devastating and disabling ransomware incident. The first step in reducing risk is finding and removing exposed credentials and privileged accounts on an endpoint, which removes attack paths and shrinks the attack surface. Automated tools can map the relationships between endpoints, the credentials exposed on them, and the accounts and hosts those credentials unlock, and then remediate the risky credentials.
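The relationship map described above, as an added example that is not part of the original article or any Attivo product: a breadth-first search over a constructed inventory of which credentials are exposed on which hosts and which principals hold local administrator rights where. It shows how far an attacker who controls one workstation can move using only what they harvest along the way, and which single exposed credential removals would cut every path to the domain controller. Host and account names are hypothetical.

```python
"""Attack-path mapping from a compromised endpoint (added example).

Constructed data only: hosts, the accounts whose credentials are exposed
(cached or stored) on each host, group memberships, and the principals that
hold local administrator rights on each host. Everything is hypothetical.
"""
from collections import deque

CACHED_CREDS = {          # host -> accounts with credentials exposed on it
    "WS-01": {"alice", "bob"},
    "WS-02": {"bob", "svc_backup"},
    "SRV-FILE": {"svc_backup"},
    "SRV-DB": {"dbadmin"},
    "DC-01": set(),
}
GROUPS = {                # account -> direct group memberships
    "alice": {"Domain Users"},
    "bob": {"Domain Users", "Helpdesk"},
    "svc_backup": {"Domain Users", "Backup Operators"},
    "dbadmin": {"Domain Users", "Domain Admins"},
}
LOCAL_ADMINS = {          # host -> principals (accounts or groups) with local admin
    "WS-01": {"Helpdesk"},
    "WS-02": {"Helpdesk"},
    "SRV-FILE": {"Helpdesk", "svc_backup"},
    "SRV-DB": {"svc_backup"},
    "DC-01": {"Domain Admins"},
}


def principals_for(account):
    """The account itself plus every group it belongs to."""
    return {account} | GROUPS.get(account, set())


def hosts_admin_by(account):
    """Hosts where the account, or one of its groups, holds local admin."""
    p = principals_for(account)
    return {h for h, admins in LOCAL_ADMINS.items() if admins & p}


def attack_paths(start_host, cached=CACHED_CREDS):
    """BFS: harvest exposed credentials on a host, use them to become admin on
    other hosts, harvest there, repeat. Returns {host: path}, where path is
    the list of (host_harvested_on, account_used) hops that reached it."""
    reached = {start_host: []}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for account in sorted(cached.get(host, set())):
            for target in sorted(hosts_admin_by(account)):
                if target not in reached:
                    reached[target] = reached[host] + [(host, account)]
                    queue.append(target)
    return reached


def single_credential_cuts(start_host, crown_jewel, cached=CACHED_CREDS):
    """Exposed credentials whose removal alone makes crown_jewel unreachable
    from start_host: the highest-value remediation targets."""
    cuts = set()
    for host, accounts in cached.items():
        for account in accounts:
            trimmed = {h: set(a) for h, a in cached.items()}
            trimmed[host].discard(account)
            if crown_jewel not in attack_paths(start_host, trimmed):
                cuts.add((host, account))
    return cuts


if __name__ == "__main__":
    for host, path in attack_paths("WS-01").items():
        hops = " -> ".join(f"{h}[{a}]" for h, a in path) or "(start)"
        print(f"{host:9} via {hops}")
    print("remove first:", sorted(single_credential_cuts("WS-01", "DC-01")))
```

In this constructed inventory the helpdesk account cached on WS-01 and the Domain Admin credential cached on SRV-DB are the two chokepoints; the backup service account appears on two hosts, so removing it from only one changes nothing, which is exactly the kind of relationship a flat list of findings hides.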

Step 2: Identity exposure visibility for attack surface reduction from the endpoint

Attackers are going straight to Active Directory to gain privileged access. Unfortunately, its legacy defaults and accumulated misconfigurations make it a soft target, and attackers succeed more often than not. Vulnerability assessment of Active Directory has never been simpler, using insights gathered from the endpoint that show which exposures, misconfigurations, and vulnerabilities an attacker could exploit from that system. Automation tools take hundreds of manual checks and weeks of manual processing and reduce the data correlation work to minutes. Detailed health checks cover user, device, and Active Directory settings, providing indicators of exposure (IoEs), remediation reports, and advice to close attack paths quickly.
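An added example of the kind of Active Directory health check described above; it is not code from the article or from any vendor tool. It evaluates a constructed snapshot of user objects (real LDAP attribute names and documented userAccountControl bit values, made-up accounts) for the exposures an attacker who has landed on a domain-joined endpoint would query for first: Kerberoastable service accounts, accounts that do not require Kerberos pre-authentication, accounts flagged as not needing a password, unconstrained delegation, and privileged accounts with stale or never-expiring passwords. pwdLastSet is assumed to have already been converted from FILETIME to a datetime.

```python
"""Indicators of exposure (IoEs) from an Active Directory user snapshot.

Added example. The attribute names are the real LDAP names and the
userAccountControl flag values are the documented ones; the accounts and
their values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators", "Schema Admins"}
NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)  # fixed for reproducible output
STALE_AFTER = timedelta(days=365)

# Constructed snapshot (hypothetical accounts).
USERS = [
    {"sAMAccountName": "dbadmin", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": [], "memberOf": ["Domain Admins"],
     "pwdLastSet": NOW - timedelta(days=900), "adminCount": 1},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "memberOf": ["Domain Admins"],
     "pwdLastSet": NOW - timedelta(days=400), "adminCount": 1},
    {"sAMAccountName": "legacy_app", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "memberOf": [],
     "pwdLastSet": NOW - timedelta(days=30), "adminCount": 0},
    {"sAMAccountName": "kiosk", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "servicePrincipalName": [], "memberOf": [],
     "pwdLastSet": NOW - timedelta(days=5), "adminCount": 0},
    {"sAMAccountName": "old_admin", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": [], "memberOf": ["Administrators"],
     "pwdLastSet": NOW - timedelta(days=1200), "adminCount": 1},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "memberOf": [],
     "pwdLastSet": NOW - timedelta(days=20), "adminCount": 0},
]


def is_privileged(user):
    """adminCount=1 (ever protected by AdminSDHolder) or direct privileged group."""
    return user.get("adminCount") == 1 or bool(set(user.get("memberOf", [])) & PRIVILEGED_GROUPS)


def indicators_of_exposure(users, now=NOW):
    """Return a list of (account, indicator, severity) tuples."""
    findings = []
    for u in users:
        name, uac, priv = u["sAMAccountName"], u["userAccountControl"], is_privileged(u)
        if uac & ACCOUNTDISABLE:
            # A disabled account that still sits in an admin group is one
            # re-enable away from full privilege, so report it and move on.
            if priv:
                findings.append((name, "disabled-account-keeps-privileged-membership", "medium"))
            continue
        if u.get("servicePrincipalName"):
            # Any authenticated user can request a TGS for this SPN and crack it offline.
            findings.append((name, "kerberoastable-spn-on-user-account", "high" if priv else "medium"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "asrep-roastable-no-preauth", "high"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "password-not-required", "high"))
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained-delegation", "high"))
        if priv and uac & DONT_EXPIRE_PASSWORD:
            findings.append((name, "privileged-password-never-expires", "medium"))
        if priv and now - u["pwdLastSet"] > STALE_AFTER:
            findings.append((name, "privileged-password-stale", "medium"))
    return findings


def by_account(findings):
    """Group indicator names by account for a remediation report."""
    report = {}
    for name, ioe, _severity in findings:
        report.setdefault(name, []).append(ioe)
    return report


if __name__ == "__main__":
    for name, ioe, sev in indicators_of_exposure(USERS):
        print(f"{sev:6} {name:12} {ioe}")
```

A real run would pull these attributes with an LDAP query from the endpoint; the checks themselves do not change, which is why the correlation step can be automated once the data is in hand.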

Step 3: Identity exposure visibility for attack surface reduction for cloud infrastructure entitlement management

Analysts have said that 95 percent of entitlements in the cloud are overprovisioned and never used. Human and non-human identities belong to groups that define their entitlements in the cloud, which has sped up migration but has also caused an explosion in the attack surface that organisations must manage. Azure and AWS also have different permission models, adding to the complexity. Cloud infrastructure entitlement management (CIEM) solutions add automation that surfaces exposures and drift from security policy, for example an account that policy says must use MFA but on which a user has turned it off.
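The two CIEM checks named above, as an added example that is not part of the article or any vendor product: comparing what each identity is granted (policy action patterns, with wildcards) against what it has actually used in an activity log, and flagging identities whose MFA state has drifted from policy. The action catalog, grants, activity records, and identities are all constructed and hypothetical; a real run would take them from the provider's IAM and audit APIs.

```python
"""Unused-entitlement and MFA-drift report (added example, constructed data).

Wildcard matching on action names follows the usual "service:Action" style
with fnmatch-style globs; the catalog is a small made-up subset.
"""
import fnmatch

ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]
GRANTS = {   # identity -> (kind, granted action patterns); hypothetical
    "alice":       ("human", ["s3:*", "ec2:Describe*"]),
    "ci-deployer": ("service", ["ec2:*", "iam:PassRole", "s3:GetObject"]),
    "bob":         ("human", ["*"]),
}
ACTIVITY = [  # (identity, action) observed in the last 90 days; constructed
    ("alice", "s3:GetObject"), ("alice", "s3:ListBucket"), ("alice", "s3:GetObject"),
    ("ci-deployer", "ec2:RunInstances"), ("ci-deployer", "iam:PassRole"),
    ("ci-deployer", "s3:GetObject"), ("ci-deployer", "ec2:DescribeInstances"),
]
USER_STATE = {"alice": {"mfa_enabled": True}, "bob": {"mfa_enabled": False}}
POLICY_REQUIRES_MFA_FOR = {"human"}   # service identities use keys/roles instead


def expand(patterns, catalog=ACTION_CATALOG):
    """Concrete actions a list of (possibly wildcarded) patterns grants."""
    return {a for a in catalog if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def entitlement_report(grants=GRANTS, activity=ACTIVITY):
    """Per identity: granted vs. used actions and a least-privilege suggestion."""
    used_by = {}
    for identity, action in activity:
        used_by.setdefault(identity, set()).add(action)
    report = {}
    for identity, (_kind, patterns) in grants.items():
        granted = expand(patterns)
        used = used_by.get(identity, set()) & granted
        report[identity] = {
            "granted": len(granted),
            "used": len(used),
            "unused": sorted(granted - used),
            # Replace the wildcard grant with exactly what was exercised.
            "suggested_policy": sorted(used),
        }
    return report


def overall_unused_fraction(report=None):
    """Share of all granted actions, across identities, that were never used."""
    report = report or entitlement_report()
    granted = sum(r["granted"] for r in report.values())
    used = sum(r["used"] for r in report.values())
    return (granted - used) / granted if granted else 0.0


def mfa_drift(grants=GRANTS, state=USER_STATE):
    """Identities that policy says must have MFA but which currently do not."""
    return sorted(i for i, (kind, _p) in grants.items()
                  if kind in POLICY_REQUIRES_MFA_FOR
                  and not state.get(i, {}).get("mfa_enabled", False))


if __name__ == "__main__":
    rep = entitlement_report()
    for identity, r in rep.items():
        print(f"{identity:12} granted={r['granted']:2} used={r['used']:2} "
              f"suggest={r['suggested_policy']}")
    print(f"unused overall: {overall_unused_fraction(rep):.0%}")
    print("MFA drift:", mfa_drift())
```

The "suggested_policy" list is the least-privilege rewrite: it keeps only actions the identity has demonstrably exercised, which is how a 90-day activity window turns a wildcard grant into a reviewable policy.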

Step 4: Identity detection and response (IDR)

Many organisations are adopting IDR to sit alongside EDR solutions to address credential theft, misuse, and privilege escalation activities. IDR uses several strategies.

Concealment technology can detect and derail credential theft and misuse. It differs from traditional deception in that it hides real production credentials and AD objects from attacker tools. Additionally, policy-based credential controls can prevent attackers from misusing legitimate credentials. The ability to bind credentials to their applications plays a powerful role in zero-trust architectures and least-privilege administration. Disinformation, lures, and deception decoys also detect lateral movement and prevent endpoint fingerprinting.

IDR solutions can also find indicators of compromise (IoCs) that evidence attack activity. For example, suppose an attacker tries to elevate privileges by enumerating Active Directory. In that case, the solutions can detect and alert on suspicious password changes, mass account changes, brute-force attacks, reactivation of disabled accounts, and other dubious actions.
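The detections listed above, as an added example that is not part of the article or any vendor product: four rules run over a constructed stream of Windows Security events (the event IDs are the real ones: 4625 failed logon, 4722 account enabled, 4724 password reset attempt, 4725 account disabled, 4738 account changed; the accounts, hosts, addresses and timestamps are made up). Thresholds, the allowlist of account administrators, and the known-disabled list are assumptions to be tuned per environment.

```python
"""Identity IoC detection over sample Security events (added example).

Rules: brute force (N failed logons from one source in a short window),
unauthorised password resets, reactivation of a disabled account, and mass
account changes by one subject. All events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                 # assumption: tune per environment
BRUTE_FORCE_WINDOW = timedelta(minutes=2)
MASS_CHANGE_THRESHOLD = 3                 # distinct target accounts
MASS_CHANGE_WINDOW = timedelta(minutes=10)
AUTHORIZED_ACCOUNT_ADMINS = {"helpdesk01"}   # hypothetical allowlist
KNOWN_DISABLED = {"old_admin"}               # from the last AD snapshot


def ev(when, event_id, **fields):
    return {"time": datetime.fromisoformat(when), "id": event_id, **fields}


EVENTS = [  # constructed sample, deliberately out of order to show sorting
    *[ev(f"2022-01-10T09:00:{s:02d}", 4625, ip="10.0.0.50", target="alice") for s in range(0, 60, 10)],
    ev("2022-01-10T09:05:00", 4625, ip="10.0.0.7", target="bob"),
    ev("2022-01-10T10:00:00", 4724, subject="helpdesk01", target="carol"),
    ev("2022-01-10T10:31:00", 4722, subject="jdoe", target="old_admin"),
    ev("2022-01-10T10:30:00", 4724, subject="jdoe", target="dbadmin"),
    ev("2022-01-10T10:32:00", 4738, subject="jdoe", target="u1"),
    ev("2022-01-10T10:33:00", 4738, subject="jdoe", target="u2"),
    ev("2022-01-10T10:34:00", 4738, subject="jdoe", target="u3"),
]


def detect(events):
    """Return alerts in time order; each fires once per key per window."""
    alerts, fired = [], set()
    failed = defaultdict(deque)    # source ip -> times of 4625
    changes = defaultdict(deque)   # subject -> (time, target) of 4724/4738
    disabled = set(KNOWN_DISABLED)

    def alert(rule, key, t, detail):
        alerts.append({"rule": rule, "key": key, "at": t, "detail": detail})

    for e in sorted(events, key=lambda e: e["time"]):
        t, eid = e["time"], e["id"]
        if eid == 4625:
            q = failed[e["ip"]]
            q.append(t)
            while q and t - q[0] > BRUTE_FORCE_WINDOW:
                q.popleft()
            if len(q) >= BRUTE_FORCE_THRESHOLD and ("brute", e["ip"]) not in fired:
                fired.add(("brute", e["ip"]))
                alert("brute-force", e["ip"], t, f"{len(q)} failed logons within {BRUTE_FORCE_WINDOW}")
        elif eid == 4725:
            disabled.add(e["target"])       # track state changes seen in the stream
        elif eid == 4722:
            if e["target"] in disabled:
                alert("disabled-account-reactivated", e["target"], t, f"enabled by {e['subject']}")
            disabled.discard(e["target"])
        elif eid in (4724, 4738):
            if eid == 4724 and e["subject"] not in AUTHORIZED_ACCOUNT_ADMINS:
                alert("unauthorized-password-reset", e["subject"], t, f"reset password of {e['target']}")
            q = changes[e["subject"]]
            q.append((t, e["target"]))
            while q and t - q[0][0] > MASS_CHANGE_WINDOW:
                q.popleft()
            targets = {tgt for _, tgt in q}
            if len(targets) >= MASS_CHANGE_THRESHOLD and ("mass", e["subject"]) not in fired:
                fired.add(("mass", e["subject"]))
                alert("mass-account-changes", e["subject"], t, f"{len(targets)} accounts changed within {MASS_CHANGE_WINDOW}")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['at'].time()} {a['rule']:28} {a['key']:12} {a['detail']}")
```

Sorting by timestamp before evaluating matters: the reactivation rule depends on having seen the account as disabled before the enable event, and the sliding windows assume monotonic time, so out-of-order delivery from collectors must be handled before, not inside, the rules.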

As organisations and governments rethink endpoint security, the biggest gaps to close will be around identity exposure visibility and identity detection and response. With attackers on average needing under five days to run an exploit, preventing them from using identities to break out from an endpoint should be in every CISO's budget this year.