Hackers Don’t Take Holidays

by Charles Leaver

December 18, 2014

The holiday period is prime shopping season for the criminal syndicates and state-sponsored cyber teams targeting your enterprise. Reduced on-duty IT and security staffing improves their odds of an undetected endpoint compromise, stealthy lateral movement, and unnoticed data exfiltration. It is reasonable to assume that experienced attack organizations schedule their best people for a well-coordinated holiday campaign. Penetration of your enterprise would most likely begin with an endpoint compromise through the usual targeted methods: spear phishing, social engineering, watering hole attacks, and the like.

With thousands of enterprise client endpoints available, initial penetration hardly poses a challenge to seasoned attackers. Traditional endpoint security suites are built to stop previously-encountered commodity malware, and offer little against the one-off tooling crafted for a targeted attack. The attack organization will have reconnoitered your enterprise and assembled your standard cyber defense products in their labs, so that the planned exploits and implants can be tested for evasion before deployment. If your perimeter includes sandbox detonation of inbound files, that pre-testing will include the appropriate sandbox evasion techniques, although even that is not always needed: a laptop that is off the VPN when it visits a compromised industry watering hole never passes through the perimeter sandbox at all.

The ways in which enterprise endpoints may become compromised are too numerous to list. In many cases the compromise involves nothing more than stolen credentials, with no malware needed or present; industry studies have observed malicious command and control traffic coming from endpoints on which no malware could be found. Or the user, and it only takes one among thousands, may be an insider attacker or a disgruntled employee. In any large enterprise, some incidence of compromise is inevitable and continual, and the holiday period is ripe for it.

Given incessant attack activity and inevitable endpoint compromise, how can enterprises best respond? Endpoint detection and response (EDR), with continuous monitoring and security analytics, is a powerful technique for identifying and responding to anomalous endpoint activity, and for doing so at scale across many thousands of enterprise endpoints. It also complements enterprise network security by providing endpoint context around suspicious network activity: which process on which host, running as which user, opened the connection. EDR provides visibility at the endpoint level comparable to the visibility that network security provides at the network level. Together they provide the full picture needed to identify and respond to unusual and potentially significant security events across the enterprise.

Some examples of endpoint visibility with potential forensic value are:

  • monitoring of user login activity, especially remote logins that may be attacker-directed
  • monitoring of user presence and user foreground activity, including typical work patterns, activity periods, etc.
  • monitoring of active processes, their resource consumption patterns, network connections, process hierarchy (which parent spawned which child), etc.
  • collection of executable image metadata, including cryptographic hashes, version information, file paths, date/time of first appearance in the fleet, etc.
  • collection of endpoint log/audit events, with logging and auditing configured to maximize forensic value while minimizing noise and overhead
  • security analytics to score and rank endpoint activity and bubble significant deviations from normal operating patterns up to the enterprise SIEM for SOC attention
  • support for fast pivoting and drilldown through endpoint forensic data, so an analyst can quickly vet an endpoint security anomaly
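To make the scoring-and-ranking bullet concrete, here is an added example of a minimal endpoint anomaly scorer over a handful of constructed telemetry records. It is not code from the original post or from any EDR product; the event fields, the fleet baseline, the rule weights and the SIEM threshold are all assumptions chosen for illustration. The three rules it applies are ones an analyst would recognise from the list above: a remote login outside the user's normal hours, an executable whose hash has never been seen in the fleet, and an Office application spawning a shell that then opens a connection to a destination the fleet has never talked to.

```python
"""Toy endpoint anomaly scorer (added example; constructed data only)."""
from datetime import datetime

# Parent/child pairs that are rarely legitimate: an Office document
# spawning a script host or shell is a classic spear-phishing footprint.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Constructed fleet baseline (assumed values, not from any real deployment):
# hashes already seen on many endpoints, destinations the fleet routinely
# talks to, and the hours during which interactive logins are normal.
BASELINE = {
    "known_hashes": {"a1" * 32, "b2" * 32, "c3" * 32},
    "known_destinations": {"203.0.113.10:443"},
    "work_hours": (8, 18),  # 08:00-18:00 local time
}

# Rule weights are assumptions; a real deployment tunes them from history.
WEIGHTS = {
    "unknown_hash": 40,
    "offhours_remote_login": 30,
    "office_spawns_shell": 50,
    "new_outbound_connection": 25,
}

# Constructed sample telemetry from one workstation over Christmas Eve/Day.
EVENTS = [
    {"id": 1, "type": "login", "host": "WS-0412", "user": "jdoe", "remote": False,
     "ts": "2014-12-24T09:05:00"},
    {"id": 2, "type": "login", "host": "WS-0412", "user": "jdoe", "remote": True,
     "src": "198.51.100.7", "ts": "2014-12-25T02:41:00"},
    {"id": 3, "type": "process", "host": "WS-0412", "user": "jdoe", "image": "winword.exe",
     "sha256": "b2" * 32, "parent": "explorer.exe", "ts": "2014-12-24T09:10:00",
     "connections": []},
    {"id": 4, "type": "process", "host": "WS-0412", "user": "jdoe", "image": "powershell.exe",
     "sha256": "c3" * 32, "parent": "winword.exe", "ts": "2014-12-25T02:43:00",
     "connections": ["192.0.2.55:443"]},
    {"id": 5, "type": "process", "host": "WS-0412", "user": "jdoe", "image": "updater.exe",
     "sha256": "d4" * 32, "parent": "explorer.exe", "ts": "2014-12-25T02:44:00",
     "connections": []},
]


def score_event(ev, baseline=BASELINE):
    """Return (score, reasons) for one login or process event."""
    score, reasons = 0, []
    hour = datetime.fromisoformat(ev["ts"]).hour
    start, end = baseline["work_hours"]

    if ev["type"] == "login":
        # Remote logins outside working hours deserve a look even with no malware.
        if ev.get("remote") and not (start <= hour < end):
            score += WEIGHTS["offhours_remote_login"]
            reasons.append("offhours_remote_login")

    elif ev["type"] == "process":
        # An image hash never seen before in the fleet is the simplest
        # "first appearance" signal from collected executable metadata.
        if ev["sha256"] not in baseline["known_hashes"]:
            score += WEIGHTS["unknown_hash"]
            reasons.append("unknown_hash")
        # Process hierarchy: Office app -> shell.
        if ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
            score += WEIGHTS["office_spawns_shell"]
            reasons.append("office_spawns_shell")
        # Network connections to destinations the fleet has never used.
        new = [d for d in ev.get("connections", []) if d not in baseline["known_destinations"]]
        if new:
            score += WEIGHTS["new_outbound_connection"]
            reasons.append("new_outbound_connection")

    return score, reasons


def rank_events(events, baseline=BASELINE, threshold=30):
    """Score every event, drop the quiet ones, and rank the rest for the SIEM."""
    ranked = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            ranked.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for alert in rank_events(EVENTS):
        print(alert)
```

Run as-is, the scorer ranks the Word-spawned PowerShell with a new outbound connection first, the never-before-seen updater.exe second, and the 02:41 remote login third; the daytime login and the ordinary Word launch never reach the SIEM. The value of the approach is less in any single rule than in the fact that all three signals come from the same host and the same user within a few minutes, which is exactly the context an analyst needs when drilling down on the alert.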

Don't get a lump of coal in your stocking by being caught unawares this holiday season.  Arm your enterprise to contend with the threats arrayed against you.  Happy holidays!