As employees increasingly work remotely, it is more important than ever to maintain visibility and threat detection in a remote working world. We have seen a significant increase in state-sponsored attacks and malicious phishing campaigns, and this trend is expected to continue. This period of remote work is a good time for enterprises to make sure endpoint security techniques are in place and up to date.

In this environment, endpoint security is critical. Security teams face several challenges:

  • A rapid surge in the size and complexity of the attack surface: With a predominantly remote workforce, organizations now have large numbers of devices outside the corporate network that attackers are targeting to infiltrate the organization, steal data and conduct other nefarious activities.
  • Home networks: The remote workforce is using a larger number of remote endpoints to access sensitive data and systems. Threat actors can take advantage of home networks that lack the defense-in-depth security controls of corporate networks.
  • BYOD risk: Bring-your-own devices typically do not have the same security controls as corporate-owned devices, and security teams must protect these devices from malware and viruses.
  • Remote security teams: Security teams are also remote while still needing 24/7 visibility and monitoring for users and endpoints. This raises new challenges, such as figuring out new ways to collaborate on issues even though they are no longer sitting next to each other in the security operations center (SOC).

The most commonly asked question by security teams is this: How can we monitor and secure endpoint devices? Of course, the security basics must be covered. These include scanning and managing vulnerabilities, applying patches and more.

Endpoint Security Tools

The term endpoint security refers to tools, services or controls that protect endpoints from cyberattacks. These may include antivirus software, firewall services, email and web filtering and more.

Security teams can use existing devices while also arming themselves with additional tools to fortify their endpoint devices with visibility, monitoring, threat detection and remediation. These tools include security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), the MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) framework and artificial intelligence (AI).

Security Information and Event Management 

A SIEM platform collects, aggregates and normalizes data from a large number of log sources, including network servers, web servers, endpoints, containers, applications, network devices (routers, firewalls, etc.), security software (authentication servers, intrusion detection and prevention systems and vulnerability management software) and more. A SIEM platform gives security teams visibility and control over their environment by providing actionable insights that allow security analysts to quickly detect, investigate and remediate threats.
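As an added example (not code from the original article or from any SIEM vendor), here is the normalization step a SIEM performs, in Python: three constructed log lines of different shapes (an sshd syslog line, an EDR JSON event and a firewall CSV record) are parsed into one common event schema and ordered by time, so that later detection rules can work on one format instead of three. The schema field names, the assumed syslog year and the sample lines are all assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines, one per source type (not real logs): (source, raw line)
SAMPLE_LINES = [
    ("sshd", "Jun 10 09:14:02 web01 sshd[2231]: Failed password for alice from 203.0.113.7 port 51022 ssh2"),
    ("sshd", "Jun 10 09:14:09 web01 sshd[2231]: Accepted password for alice from 203.0.113.7 port 51022 ssh2"),
    ("edr", '{"ts": "2020-06-10T09:14:40Z", "host": "web01", "user": "alice", '
            '"event": "process_start", "cmdline": "cmd.exe /c whoami"}'),
    ("fw", "2020-06-10T09:13:55Z,203.0.113.7,10.0.0.5,445,deny"),
]

SYSLOG_YEAR = 2020  # classic syslog lines carry no year; assumed for the constructed sample

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)


def iso_utc(stamp):
    """Render an RFC 3339 'Z' timestamp in the same ISO layout the other normalizers emit."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).isoformat()


def normalize_sshd(line):
    """sshd auth line -> common schema; None for lines that are not password auth events."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc).isoformat(),
        "source": "sshd",
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "action": "auth_success" if m["outcome"] == "Accepted" else "auth_fail",
    }


def normalize_edr(line):
    """EDR JSON event -> common schema (the agent's field names are assumptions)."""
    d = json.loads(line)
    return {
        "ts": iso_utc(d["ts"]),
        "source": "edr",
        "host": d["host"],
        "user": d.get("user"),
        "src_ip": None,
        "action": d["event"],
        "cmdline": d.get("cmdline"),
    }


def normalize_fw(line):
    """Firewall CSV record 'ts,src,dst,dport,verdict' -> common schema."""
    ts, src, dst, dport, verdict = line.split(",")
    return {
        "ts": iso_utc(ts),
        "source": "fw",
        "host": dst,
        "user": None,
        "src_ip": src,
        "dst_port": int(dport),
        "action": "net_" + verdict,  # net_deny / net_allow
    }


NORMALIZERS = {"sshd": normalize_sshd, "edr": normalize_edr, "fw": normalize_fw}


def normalize_all(tagged_lines):
    """Normalize every (source, line) pair, drop unparseable lines, and order by time."""
    events = []
    for source, line in tagged_lines:
        event = NORMALIZERS[source](line)
        if event is not None:
            events.append(event)
    # every timestamp shares one ISO layout, so string order equals chronological order
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in normalize_all(SAMPLE_LINES):
        print(e["ts"], e["source"], e["action"], e["host"], e.get("user"), e.get("src_ip"))
```

The point of the common schema is that one "failed login followed by success" rule can then be written once and applied to sshd, Windows security logs or VPN logs alike; only the per-source normalizer changes.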

Security Orchestration, Automation and Response 

A SOAR system allows endpoint security teams to respond to threats with speed and effectiveness. Usually, a SOAR system integrates with a SIEM platform for end-to-end visibility into threat detection, investigation and response processes during remote working.

Endpoint Detection and Response

An EDR solution is designed to protect endpoints from attack by continually collecting, monitoring and analyzing data from endpoint devices to identify suspicious activities and cyberthreats. An EDR system integrates with SIEM and SOAR platforms for end-to-end visibility, detection and remediation of threats. This should be in place under normal working conditions, but can be especially helpful during remote working.

Artificial Intelligence

Security teams can leverage AI to enrich data within their networks and from endpoint devices to provide more visibility into their organization’s network traffic. With this increased visibility, AI significantly reduces the amount of time it takes analysts to identify, analyze and remediate threat attacks in any given situation. AI solutions help security teams increase productivity, improve efficiency and save time even during remote working by allowing them to detect, investigate and remediate threats more quickly, accurately and consistently.

MITRE ATT&CK

MITRE ATT&CK is a comprehensive, globally accessible knowledge base of attackers’ tactics and techniques based on real-world observations of cyberattacks. Since it is based on adversarial behavior instead of signatures or static indicators of compromise (IoCs), this framework enables security teams to better understand what adversaries are likely to do in their environment, including on endpoint devices. It is a living framework that is updated every quarter. The MITRE ATT&CK framework is incorporated into other security tools, including SIEM and SOAR systems. It helps SOC analysts reduce attacker dwell time, which in turn lowers the cost of security breaches if and when they occur. MITRE publishes the full matrix as ATT&CK for Enterprise.

With the MITRE ATT&CK framework, security teams can see which tactics and techniques have already been used by attackers, whether under remote working conditions or normal operation. This helps them anticipate the next steps that the attackers could take. Security teams can be more proactive by understanding how the attackers operate — what steps they have taken so far and what steps they are likely to take to attain their objectives.

A Real-World Endpoint Security Scenario 

In the following scenario, a SIEM platform identified a source that attempted to attack a larger number of hosts on the network than are known to exist. An authentication failure followed by a successful login was detected, which signalled that the activity needed urgent investigation. Once the attackers were logged in, a command was executed from the compromised host. During this attack, the AI analytics flagged it as a high-value attack.

By leveraging the MITRE ATT&CK framework, we correlated the threat actor’s actions to the following MITRE ATT&CK tactics, techniques and descriptions:

| Action Taken By Threat Actor | MITRE Tactic | MITRE Technique | MITRE Description |
| --- | --- | --- | --- |
| Compromised Credentials | Initial Access | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| Compromised Account | Credential Access | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |
| Gain Higher Level Permissions | Privilege Escalation | Valid Accounts | Once attackers gain access to the network, they try to gain access to privileged/administrator accounts to be able to access higher value systems and databases. |
| Malware | Execution | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. |

This tells us that the attackers have already used four tactics. Based on their attack behavior, we can expect them to move on to Lateral Movement, Collection, Command and Control, Exfiltration and Impact. After investigating this incident, a SOC analyst can block the workstation to stop data exfiltration. These incidents are remediated using a SOAR platform.
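The scenario above and the table that follows it, worked through as an added example in Python that is not part of the original article: three detection rules run over constructed, already-normalized SIEM events (a source that touched 40 destinations when only 25 hosts are inventoried, a failed then successful login from that source, and a process started on the host right after), the table's four actions mapped to tactic, technique and published technique ID, the tactics still ahead of the adversary in matrix order, and the playbook decision to block the workstation. Event field names, sample values and the time windows are assumptions; the technique IDs (T1078, T1555.003, T1204) are MITRE's own identifiers for the techniques the table names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tactic order of the current ATT&CK Enterprise matrix (Reconnaissance and Resource
# Development were added to the matrix after this article's table was written).
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# The article's four table rows; the IDs are the published ATT&CK technique identifiers.
SCENARIO_MAPPING = {
    "Compromised Credentials":       ("Initial Access", "Valid Accounts", "T1078"),
    "Compromised Account":           ("Credential Access", "Credentials from Web Browsers", "T1555.003"),
    "Gain Higher Level Permissions": ("Privilege Escalation", "Valid Accounts", "T1078"),
    "Malware":                       ("Execution", "User Execution", "T1204"),
}

# Constructed events in an assumed normalized SIEM schema (not real telemetry).
KNOWN_HOSTS = {f"10.0.0.{i}" for i in range(1, 26)}  # 25 inventoried hosts
ATTACKER = "203.0.113.7"
EVENTS = [  # one connection attempt each to 10.0.0.1 .. 10.0.0.40: more hosts than exist
    {"ts": f"2020-06-10T09:05:{i:02d}+00:00", "action": "net_conn",
     "src_ip": ATTACKER, "dst_ip": f"10.0.0.{i + 1}"}
    for i in range(40)
] + [
    {"ts": "2020-06-10T09:14:02+00:00", "action": "auth_fail", "src_ip": ATTACKER, "user": "alice", "host": "ws17"},
    {"ts": "2020-06-10T09:14:09+00:00", "action": "auth_success", "src_ip": ATTACKER, "user": "alice", "host": "ws17"},
    {"ts": "2020-06-10T09:14:40+00:00", "action": "process_start", "host": "ws17", "user": "alice",
     "cmdline": "cmd.exe /c whoami"},
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def detect_host_sweep(events, known_hosts):
    """A source touching more distinct destinations than hosts are known to exist."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "net_conn":
            targets[e["src_ip"]].add(e["dst_ip"])
    return [{"rule": "host_sweep", "src_ip": s, "targets": len(t)}
            for s, t in targets.items() if len(t) > len(known_hosts)]


def detect_fail_then_success(events, window=timedelta(minutes=10)):
    """Failed then successful login for the same source/user/host inside the window."""
    last_fail, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e.get("src_ip"), e.get("user"), e.get("host"))
        if e["action"] == "auth_fail":
            last_fail[key] = _t(e)
        elif e["action"] == "auth_success" and key in last_fail and _t(e) - last_fail[key] <= window:
            hits.append({"rule": "fail_then_success", "host": e["host"], "user": e["user"], "src_ip": e["src_ip"]})
    return hits


def detect_command_after_login(events, window=timedelta(minutes=30)):
    """Process start on a host shortly after a remote login to it."""
    logins, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "auth_success":
            logins[e["host"]] = _t(e)
        elif e["action"] == "process_start" and e["host"] in logins and _t(e) - logins[e["host"]] <= window:
            hits.append({"rule": "command_after_login", "host": e["host"], "cmdline": e["cmdline"]})
    return hits


def triage_alerts(events, known_hosts):
    return (detect_host_sweep(events, known_hosts)
            + detect_fail_then_success(events)
            + detect_command_after_login(events))


def map_actions(actions):
    """The article's table rows as records: action, tactic, technique, technique_id."""
    return [dict(zip(("action", "tactic", "technique", "technique_id"), (a, *SCENARIO_MAPPING[a])))
            for a in actions]


def expected_next_tactics(observed_tactics):
    """Tactics that follow the furthest observed one in matrix order."""
    furthest = max(ENTERPRISE_TACTICS.index(t) for t in observed_tactics)
    return ENTERPRISE_TACTICS[furthest + 1:]


def decide_response(alerts):
    """Playbook outcome: once credential abuse and post-login execution land on one host,
    block that workstation (the article's remediation) rather than only opening a ticket."""
    rules = {a["rule"] for a in alerts}
    if {"fail_then_success", "command_after_login"} <= rules:
        host = next(a["host"] for a in alerts if a["rule"] == "command_after_login")
        return {"action": "block_workstation", "host": host}
    return {"action": "open_ticket"}


if __name__ == "__main__":
    alerts = triage_alerts(EVENTS, KNOWN_HOSTS)
    for a in alerts:
        print(a)
    rows = map_actions(list(SCENARIO_MAPPING))
    print("next:", expected_next_tactics({r["tactic"] for r in rows}))
    print(decide_response(alerts))
```

Run as a script, the three rules fire in order, and the "next tactics" list is Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact; it includes Discovery because the matrix places it between Credential Access and Lateral Movement, which is one reason to keep the tactic order in data rather than hard-coding the prediction.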

Going Into Detail on Remote Working

As we adapt to remote working, security tools such as SIEM, SOAR, AI and MITRE ATT&CK complement any security strategy. By providing enterprises with threat intelligence and insight into attack behavior, these tools enable security teams to detect, investigate and respond to intrusions more effectively and efficiently.

Interested in learning more? Register for the webinar Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020, to learn more about protecting endpoints for a geographically dispersed workforce.
