As employees increasingly work remotely, maintaining visibility and threat detection is more important than ever. We have seen a significant increase in state-sponsored attacks and malicious phishing campaigns, and this trend is expected to continue. This period of remote work is a good time for enterprises to make sure their endpoint security techniques are in place and up to date.
In this environment, endpoint security is critical. Security teams face several challenges:
- A rapid surge in the size and complexity of the attack surface: With a predominantly remote workforce, organizations now have large numbers of devices outside the corporate network that attackers are targeting to infiltrate the organization, steal data and conduct other nefarious activities.
- Home networks: The remote workforce is using a larger number of remote endpoints to access sensitive data and systems. Threat actors can take advantage of home networks that lack the defense-in-depth security controls of corporate networks.
- BYOD risk: Bring-your-own devices typically do not have the same security controls as corporate-owned devices, and security teams must protect these devices from malware and viruses.
- Remote security teams: Security teams are also remote while still needing 24/7 visibility and monitoring for users and endpoints. This raises new challenges, such as figuring out new ways to collaborate on issues even though they are no longer sitting next to each other in the security operations center (SOC).
The most commonly asked question by security teams is this: How can we monitor and secure endpoint devices? Of course, the security basics must be covered. These include scanning and managing vulnerabilities, applying patches and more.
Endpoint Security Tools
The term endpoint security refers to tools, services or controls that protect endpoints from cyberattacks. These may include antivirus software, firewall services, email and web filtering and more.
Security teams can use existing devices while also arming themselves with additional tools to fortify their endpoint devices with visibility, monitoring, threat detection and remediation. These tools include security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), the MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) framework and artificial intelligence (AI).
Security Information and Event Management
A SIEM platform collects, aggregates and normalizes data from a large number of log sources that include network servers, web servers, endpoints, containers, applications, network devices (routers, firewalls, etc.), security software (authentication servers, intrusion detection and prevention systems and vulnerability management software) and more. A SIEM platform gives security teams visibility and control over their environment by providing actionable insights that allow security analysts to quickly detect, investigate and remediate threats.
Security Orchestration, Automation and Response
A SOAR system allows endpoint security teams to respond to threats with speed and effectiveness. Usually, a SOAR system integrates with a SIEM platform for end-to-end visibility into threat detection, investigation and response processes during remote working.
Endpoint Detection and Response
An EDR solution is designed to protect endpoints from attack by continually collecting, monitoring and analyzing data from endpoint devices to identify suspicious activities and cyberthreats. An EDR system integrates with SIEM and SOAR platforms for end-to-end visibility, detection and remediation of threats. This should be in place under normal working conditions, but can be especially helpful during remote working.
Artificial Intelligence
Security teams can leverage AI to enrich data from their networks and endpoint devices, providing more visibility into their organization’s network traffic. With this increased visibility, AI significantly reduces the time analysts need to identify, analyze and remediate threats in any given situation. AI solutions help security teams increase productivity, improve efficiency and save time, even during remote working, by allowing them to detect, investigate and remediate threats more quickly, accurately and consistently.
MITRE ATT&CK
MITRE ATT&CK is a comprehensive, globally accessible knowledge base of attacker tactics and techniques based on real-world observations of cyberattacks. Because it is built on adversary behavior rather than signatures or static indicators of compromise (IoCs), the framework enables security teams to better understand what adversaries are likely to do in their environment, including on endpoint devices. It is a living framework that is updated every quarter. The MITRE ATT&CK framework is incorporated into other security tools, including SIEM and SOAR systems. It helps SOC analysts reduce attacker dwell time, which in turn lowers the cost of security breaches if and when they occur. See the MITRE ATT&CK framework for enterprises here.
With the MITRE ATT&CK framework, security teams can see which tactics and techniques have already been used by attackers, whether under remote working conditions or normal operation. This helps them anticipate the next steps that the attackers could take. Security teams can be more proactive by understanding how the attackers operate — what steps they have taken so far and what steps they are likely to take to attain their objectives.
A Real-World Endpoint Security Scenario
In the following scenario, using a SIEM platform, we identified a source that attempted to attack a larger number of hosts on the network than are known to exist. An authentication failure followed by a successful login was detected, a pattern that warranted urgent further investigation. Once the attackers had logged in, a command was executed from the compromised host. The AI component flagged this activity as a high-value attack.
By leveraging the MITRE ATT&CK framework, we correlated the threat actor’s actions to the following MITRE ATT&CK tactics, techniques and descriptions:
| Action Taken By Threat Actor | MITRE Tactic | MITRE Technique | MITRE Description |
|---|---|---|---|
| Compromised Credentials | Initial Access | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| Compromised Account | Credential Access | Credentials from Web Browsers | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |
| Gain Higher Level Permissions | Privilege Escalation | Valid Accounts | Once attackers gain access to the network, they try to gain access to privileged/administrator accounts to be able to access higher value systems and databases. |
| Malicious Malware | Execution | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. |
This tells us that the attackers have already used four tactics. Based on their attack behavior, we can expect them to move on to Lateral Movement, Collection, Command and Control, Exfiltration and Impact. After investigating this incident, a SOC analyst can block the workstation to stop data exfiltration. These incidents are remediated using a SOAR platform.
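The two SIEM detections in the scenario above (a source reaching more distinct hosts than the inventory contains, and an authentication failure followed by a successful login from the same source), as an added example that is not from the original article or any vendor product. The log format, sample lines and host inventory are all constructed for illustration.

```python
# Added example, not from the original article: a toy SIEM-style correlation over
# constructed authentication log lines implementing the two detections in the scenario.
from collections import defaultdict

# Constructed sample log lines (not real data): "time src dst result"
SAMPLE_LOGS = """\
10:00:01 10.0.0.7 host-a FAIL
10:00:02 10.0.0.7 host-b FAIL
10:00:03 10.0.0.7 host-c FAIL
10:00:04 10.0.0.7 host-d FAIL
10:00:09 10.0.0.7 host-a SUCCESS
10:01:00 10.0.0.9 host-a SUCCESS
"""
# Constructed asset inventory: hosts the organization knows about (host-d is not one).
KNOWN_HOSTS = {"host-a", "host-b", "host-c"}

def parse(log_text):
    """Parse lines into (time, src, dst, result) tuples, skipping malformed ones."""
    return [tuple(p) for p in (l.split() for l in log_text.splitlines()) if len(p) == 4]

def sources_scanning_unknown_hosts(events, known_hosts):
    """Sources that reached more distinct hosts than exist in the inventory."""
    targets = defaultdict(set)
    for _, src, dst, _ in events:
        targets[src].add(dst)
    return sorted(s for s, hosts in targets.items() if len(hosts) > len(known_hosts))

def fail_then_success(events):
    """Sources whose successful login was preceded by a failure (in log order)."""
    failed, flagged = set(), set()
    for _, src, _, result in events:
        if result == "FAIL":
            failed.add(src)
        elif result == "SUCCESS" and src in failed:
            flagged.add(src)
    return sorted(flagged)

def triage(log_text, known_hosts):
    """Combine both detections; a source that fans out and then logs in is highest priority."""
    events = parse(log_text)
    scanners = set(sources_scanning_unknown_hosts(events, known_hosts))
    logins = set(fail_then_success(events))
    return {src: ("high" if src in scanners and src in logins else "medium")
            for src in scanners | logins}

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, KNOWN_HOSTS))
```

Mapping the "high" finding onto the ATT&CK table is then a manual analyst step: the fan-out looks like discovery against the inventory, and the failure-then-success is consistent with Valid Accounts under Initial Access.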
Going Into Detail on Remote Working
As we adapt to remote working, security tools such as SIEM, SOAR, AI and MITRE ATT&CK complement any security strategy. By providing enterprises with threat intelligence and insight into attack behavior, these tools enable security teams to detect, investigate and respond to intrusions more effectively and efficiently.
Interested in learning more? Register for the webinar Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020, to learn more about protecting endpoints for a geographically dispersed workforce.