The State of Endpoint Defense in 2021
Adrian Sanabria
Founder, Security Weekly Labs
2
Adrian who?
10 years as security practitioner (all the hats)
5 years as a security consultant (pen tester and PCI QSA)
3 years as an industry analyst
2 years building my own company and working for vendors
Founded several local cybersecurity community groups in East Tennessee
Now: cybersecurity product testing at Security Weekly Labs
3
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
4
Endpoint threats – still all targeting Windows?
For the first time, Malwarebytes detected more threats on Macs than on Windows!
Source: Malwarebytes 2020 State of Malware Report
5
Recent threat landscape changes (last ~5yrs)
Ransomware and extortion bigger than ever
• 10x increase in the past year, according to FortiGuard Labs
• Not going away any time soon
• It is mostly preventable
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
6
Recent threat landscape changes (last ~5yrs)
https://ransomwhe.re
Source: https://ransomwhe.re
7
Recent threat landscape changes (last ~5yrs)
Anti Anti-Money Laundering
Source: Krebs on Security, New Anti Anti-Money Laundering Services for Crooks
8
Recent threat landscape changes (last ~5yrs)
Malvertising and Scareware are back
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
9
Recent threat landscape changes (last ~5yrs)
Non-ransomware malware is still around and evolving!
• Malware copying itself to removable storage to jump air gaps
• Infection through Microsoft products or browsers
• Botnets are still common
• Mirai is still around, infecting IoT devices, performing DDoS attacks
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
10
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
11
Market fragmentation
12
Market consolidation: 2003-2010
• Anti-virus
• Host-based firewalls
• HIPS
• Full-disk encryption
• VPN client
• NAC client
• Patching
• Device/port control
• Application control/lockdown
EPP Emerges
13
Lessons learned from the 2000s
• OS vendors can pull the rug out
• Device/port control is hard and breaks things
• Application control is a nightmare to manage
• Managing 5 or more endpoint products isn’t… ideal
• Deploying a new endpoint product is an intense, high friction choice
14
Market re-fragmentation: 2010-2017
• AV
• EPP
• Next-gen AV
• Exploit mitigation
• Kernel shimming
• EDR
• MDM/EMM
• Vuln mgmt agents
• Remote device control
EPP Emerges? Again?
15
Lessons learned from the 2010s
• 59% of enterprises still running three or more endpoint security products concurrently (451 Research Voice of the Customer, 2016)
• Things didn’t consolidate as much as we thought
• NGAV was largely complementary for 5+ years
• Reactive approaches to endpoint security = playing leapfrog
• Proactive approaches to endpoint security = playing chess
16
Consolidation: 2017-present
• New EPP
• Unified Endpoint Management
• Vertical consolidation of old AV
• Vuln mgmt agents
• Log aggregation agents
• Browser-as-a-Service
EPP + UEM + other stuff (maybe?)
17
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
18
Where endpoint fits today
[Figure: Cyber Defense Matrix. Rows (asset classes): Devices, Applications, Network, Data, People. Columns (NIST CSF functions): Identify, Protect, Detect, Respond, Recover. A bar beneath the columns shows the degree of dependence on People, Process and Technology.]
https://cyberdefensematrix.com/ - created by Sounil Yu - @sounilyu
Endpoint product categories positioned on the matrix:
• EDR
• AV/NGAV
• Vuln mgmt agents
• Endpoint DLP
19
Endpoint products: Prevention
Prevention: the first line of defense
Scenario: Detect and stop malware
Categories: AV, NGAV
Pros:
• Fully automated
• Least expensive
• Addresses a wide range of threats
Cons:
• Doesn’t stop talented and
Bottom Line: Like or hate AV’s success rate, it’s a must
Don’t Forget: 5 devices per license makes it possible to cover corporate-owned and personal devices!
20
Endpoint products: Detect and
respond
Prevention: the second line of defense
Scenario: Malware gets by AV, or attackers don’t use malware
Categories: EDR, MDR, XDR
Pros:
• Catches stuff AV doesn’t
• Highly configurable
Cons:
• Relies on knowledgeable analysts
Bottom Line: These days, EDR is also a must, despite the additional overhead
Don’t Forget: The people to get value out of it! Low on labor? Look at MDR
21
Endpoint defense: Strategies
Penetration Testing Considered Harmful, Haroon Meer, 44CON 2011
https://www.youtube.com/watch?v=GvX52HPAfBk
22
Endpoint defense: Strategies
Endpoint security products should be considered the last line of defense, not the first
Some good, general strategic cybersecurity principles
1. Understand what attackers want and how they go about getting it
2. Don’t give them what they expect to find
3. If you don’t need it, get rid of it
23
Strategies: Hardening
• Disable legacy services and functionality
• Disable unnecessary and unused services and functionality
• Use LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899)
• Go through the CIS benchmarks for your endpoint technologies
24
Strategies: Defenders Attackers are fragile
• Non-standard Windows install directories
• Non-standard account names
• Look for typical attack signs
- Weird executions in %appdata%
- New autoruns added to registry
- Use of CryptAPI by unfamiliar binaries
- Dumping credentials from memory
• Set honeypot/honeytoken traps
- Canarytokens.org
- Fake credentials in memory
- Fake endpoints (OpenCanary)
Intrusion Detection Honeypots: Detection through Deception by Chris Sanders
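The "typical attack signs" and honeytoken traps on this slide translate directly into detection rules. The following Python is an added example, not code from the deck or from Security Weekly Labs: it runs four such rules over a handful of constructed, Sysmon-style process-create, image-load and registry events plus one Windows logon event. The event schema, the allowlists, the SID and the honey account name are all assumptions made for the example.

```python
"""Toy detection rules for the attack signs and honeytoken traps listed on
the slide. Added example, not code from the original deck. The event format
is an assumed, Sysmon-like dict schema; every record below is constructed."""
import re

# Constructed sample telemetry. Event ids follow Sysmon (1 = process create,
# 7 = image load, 13 = registry value set) and Windows Security 4624/4625
# (logon success/failure). Paths, the SID, users and IPs are made up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "user": r"CORP\alice"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "user": r"CORP\alice"},
    {"id": 13, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 13, "image": r"C:\Program Files\Vendor\Installer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "loaded": r"C:\Windows\System32\crypt32.dll"},
    {"id": 7, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "loaded": r"C:\Windows\System32\crypt32.dll"},
    {"id": 4625, "user": "svc_backup_admin", "src": "10.0.0.42"},
]

# Executable content launched from a user's AppData tree (%appdata% and %localappdata%).
APPDATA_EXEC = re.compile(r"\\users\\[^\\]+\\appdata\\.*\.(exe|dll|scr|ps1|vbs|js)$", re.I)
# Run / RunOnce autostart keys under HKLM or any user hive.
AUTORUN_KEY = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)
# CryptoAPI / CNG libraries whose use by an unfamiliar binary is worth a look.
CRYPTO_DLLS = {"crypt32.dll", "bcrypt.dll", "ncrypt.dll"}

# Constructed allowlists. In production these come from an inventory of
# sanctioned installers/agents and of binaries expected to do TLS or signing.
KNOWN_AUTORUN_WRITERS = {r"c:\program files\vendor\installer.exe"}
KNOWN_CRYPTO_USERS = {r"c:\program files\mozilla firefox\firefox.exe"}
# Honeytoken account: fake credentials seeded in memory. Nothing legitimate
# should ever try to log on with them (constructed name).
HONEY_ACCOUNTS = {"svc_backup_admin"}


def rule_appdata_exec(ev):
    """Process creation whose image lives under a user's AppData directory."""
    if ev["id"] == 1 and APPDATA_EXEC.search(ev["image"]):
        return ("appdata_exec", ev["image"])
    return None


def rule_new_autorun(ev):
    """Run/RunOnce value written by a process that is not a known installer."""
    if (ev["id"] == 13 and AUTORUN_KEY.search(ev["target"])
            and ev["image"].lower() not in KNOWN_AUTORUN_WRITERS):
        return ("new_autorun", f"{ev['image']} -> {ev['target']}")
    return None


def rule_crypto_by_unknown(ev):
    """Crypto DLL loaded by a binary outside the known-crypto-user inventory."""
    if ev["id"] == 7:
        dll = ev["loaded"].rsplit("\\", 1)[-1].lower()
        if dll in CRYPTO_DLLS and ev["image"].lower() not in KNOWN_CRYPTO_USERS:
            return ("crypto_by_unknown", f"{ev['image']} loaded {dll}")
    return None


def rule_honeytoken_logon(ev):
    """Any logon attempt, successful or not, with a seeded honey account."""
    if ev["id"] in (4624, 4625) and ev["user"].lower() in HONEY_ACCOUNTS:
        return ("honeytoken_logon", f"{ev['user']} from {ev.get('src', '?')}")
    return None


RULES = (rule_appdata_exec, rule_new_autorun, rule_crypto_by_unknown, rule_honeytoken_logon)


def run_rules(events):
    """Apply every rule to every event; return (rule_name, detail) alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The allowlist pattern is what keeps the CryptoAPI and autorun rules usable: nearly every Windows process loads crypt32.dll at some point, so the rule is only meaningful relative to an inventory of binaries expected to do so. The honeytoken rule has no such noise problem; by construction nothing legitimate ever authenticates as the seeded account, so a single hit is worth an alert.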
25
Strategies: Zero Trust
• Endpoint isolation
• Replace Windows file shares with EFSS (e.g. Box, DropBox, OneDrive, GDrive)
• Cloud printing services
• ZTNA (Zero Trust Network Access)
• Ditch traditional, on-prem Active Directory
26
Strategies: Train like a team
1000: the hours professional sports teams spend training together every year
276: the hours college and high school athletes spend training every year
2*: the hours security teams spend training for incident response every year
* A generous estimate based on my own experiences working with hundreds of companies over my career
27
Strategies: Test your defenses
• Guardicore’s Infection Monkey:
https://www.guardicore.com/infectionmonkey/
• EndGame’s RTA: https://github.com/endgameinc/RTA
• Other tools: https://pentestit.com/adversary-emulation-tools-list
28
Strategies: Tech refresh
• Less vulnerable stuff
• Happier staff
• More productivity
• Worth the investment
Source: 2021 Cisco Security Outcomes Study
29
Endpoint Defense: Resources
Resources to understand attacks are more plentiful than ever
• MITRE ATT&CK Evaluations: https://attackevals.mitre-engenuity.org/
• Verizon DBIR: https://www.verizon.com/business/resources/reports/dbir/
• CISA most exploited vulns: https://us-cert.cisa.gov/ncas/alerts/aa21-209a
Detection through Deception
• Canarytokens: https://canarytokens.org
• OpenCanary: https://github.com/thinkst/opencanary
• Chris Sanders’ training course, Building Intrusion Detection Honeypots: https://chrissanders.org
• Chris Sanders’ book, Intrusion Detection Honeypots: Detection through Deception: https://www.amazon.com/Intrusion-Detection-Honeypots-through-Deception/dp/1735188301
Hardening
• CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
• Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
Thank You!
Adrian Sanabria
@sawaba
Adrian.Sanabria@cyberriskalliance.com
https://scmagazine.com/sw-labs

Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Kürzlich hochgeladen (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

The State of Endpoint Defense in 2021

  • 1. The State of Endpoint Defense in 2021 Adrian Sanabria Founder, Security Weekly Labs
  • 2. 2 Adrian who? 10 years as security practitioner (all the hats) 5 years as a security consultant (pen tester and PCI QSA) 3 years as an industry analyst 2 years building my own company and working for vendors Founded several local cybersecurity community groups in East Tennessee Now: cybersecurity product testing at Security Weekly Labs
  • 3. 3 Agenda The state of endpoint threats The state of endpoint defenses Strategies for success
  • 4. 4 Endpoint threats – still all targeting Windows? For the first time, Malwarebytes detected more threats on Macs than on Windows! Source: Malwarebytes 2020 State of Malware Report
  • 5. 5 Recent threat landscape changes (last ~5yrs) Ransomware and extortion bigger than ever • 10x increase in the past year, according to FortiGuard Labs • Not going away any time soon • It is mostly preventable Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
  • 6. 6 Recent threat landscape changes (last ~5yrs) https://ransomwhe.re Source: https://ransomwhe.re
  • 7. 7 Recent threat landscape changes (last ~5yrs) Anti Anti-Money Laundering Source: Krebs on Security, New Anti Anti-Money Laundering Services for Crooks
  • 8. 8 Recent threat landscape changes (last ~5yrs) Malvertising and Scareware are back Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
  • 9. 9 Recent threat landscape changes (last ~5yrs) Non-ransomware malware is still around and evolving! • Malware copying itself to removable storage to jump air gaps • Infection through Microsoft products or browsers • Botnets are still common • Mirai is still around, infecting IoT devices, performing DDoS attacks Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
  • 10. 10 Agenda The state of endpoint threats The state of endpoint defenses Strategies for success
  • 12. 12 Market consolidation: 2003-2010 • Anti-virus • Host-based firewalls • HIPS • Full-disk encryption • VPN client • NAC client • Patching • Device/port control • Application control/lockdown EPP Emerges
  • 13. 13 Lessons learned from the 2000s • OS vendors can pull the rug out • Device/port control is hard and breaks things • Application control is a nightmare to manage • Managing 5 or more endpoint products isn’t… ideal • Deploying a new endpoint product is an intense, high friction choice
  • 14. 14 Market re-fragmentation: 2010-2017 • AV • EPP • Next-gen AV • Exploit mitigation • Kernel shimming • EDR • MDM/EMM • Vuln mgmt agents • Remote device control EPP Emerges? Again?
  • 15. 15 Lessons learned from the 2010s • 59% of enterprises still running three or more endpoint security products concurrently (451 Research Voice of the Customer, 2016) • Things didn’t consolidate as much as we thought • NGAV was largely complementary for 5+ years • Reactive approaches to endpoint security = playing leapfrog • Proactive approaches to endpoint security = playing chess
  • 16. 16 Consolidation: 2017-present • New EPP • Unified Endpoint Management • Vertical consolidation of old AV • Vuln mgmt agents • Log aggregation agents • Browser-as-a-Service EPP + UEM + other stuff (maybe?)
  • 17. 17 Agenda The state of endpoint threats The state of endpoint defenses Strategies for success
  • 18. 18 Where endpoint fits today [Figure: the Cyber Defense Matrix, https://cyberdefensematrix.com/ - created by Sounil Yu - @sounilyu. Rows: Applications, Devices, Network, Data, People. Columns: Identify, Protect, Detect, Respond, Recover, with the degree of dependence on People, Process and Technology shifting left to right. Endpoint products placed on the matrix: EDR, AV/NGAV, Vuln mgmt agents, Endpoint DLP]
  • 19. 19 Endpoint products: Prevention Prevention: the first line of defense Scenario: Detect and stop malware Categories: AV, NGAV Pros: • Fully automated • Least expensive • Addresses a wide range of threats Cons: • Doesn’t stop talented and Bottom Line: Like or hate AV’s success rate, it’s a must Don’t Forget: 5 devices per license makes it possible to cover corporate-owned and personal devices!
  • 20. 20 Endpoint products: Detect and respond Prevention: the second line of defense Scenario: Malware gets by AV, or attackers don’t use malware Categories: EDR, MDR, XDR Pros: • Catches stuff AV doesn’t • Highly configurable Cons: • Relies on knowledgeable analysts Bottom Line: These days, EDR is also a must, despite the additional overhead Don’t Forget: The people to get value out of it! Low on labor? Look at MDR
  • 21. 21 Endpoint defense: Strategies Penetration Testing Considered Harmful, Haroon Meer, 44CON 2011 https://www.youtube.com/watch?v=GvX52HPAfBk
  • 22. 22 Endpoint defense: Strategies Endpoint security products should be considered the last line of defense, not the first Some good, general strategic cybersecurity principles 1. Understand what attackers want and how they go about getting it 2. Don’t give them what they expect to find 3. If you don’t need it, get rid of it
  • 23. 23 Strategies: Hardening • Disable legacy services and functionality • Disable unnecessary and unused services and functionality • Use LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899) • Go through the CIS benchmarks for your endpoint technologies
  • 24. 24 Strategies: Defenders Attackers are fragile • Non-standard Windows install directories • Non-standard account names • Look for typical attack signs - Weird executions in %appdata% - New autoruns added to registry - Use of CryptAPI by unfamiliar binaries - Dumping credentials from memory • Set honeypot/honeytoken traps - Canarytokens.org - Fake credentials in memory - Fake endpoints (OpenCanary) Intrusion Detection Honeypots: Detection through Deception by Chris Sanders
  • 25. 25 Strategies: Zero Trust • Endpoint isolation • Replace Windows file shares with EFSS (e.g. Box, DropBox, OneDrive, GDrive) • Cloud printing services • ZTNA (Zero Trust Network Access) • Ditch traditional, on-prem Active Directory
  • 26. 26 Strategies: Train like a team 1000: the hours professional sports teams spend training together every year 276: the hours college and high school athletes spend training every year 2*: the hours security teams spend training for incident response every year * A generous estimate based on my own experiences working with hundreds of companies over my career
  • 27. 27 Strategies: Test your defenses • Guardicore’s Infection Monkey: https://www.guardicore.com/infectionmonkey/ • EndGame’s RTA: https://github.com/endgameinc/RTA • Other tools: https://pentestit.com/adversary-emulation-tools-list
  • 28. 28 Strategies: Tech refresh • Less vulnerable stuff • Happier staff • More productivity • Worth the investment Source: 2021 Cisco Security Outcomes Study
  • 29. 29 Endpoint Defense: Resources Resources to understand attacks are more plentiful than ever • MITRE ATT&CK Evaluations: https://attackevals.mitre-engenuity.org/ • Verizon DBIR: https://www.verizon.com/business/resources/reports/dbir/ • CISA most exploited vulns: https://us-cert.cisa.gov/ncas/alerts/aa21-209a Detection through Deception • Canarytokens: https://canarytokens.org • OpenCanary: https://github.com/thinkst/opencanary • Chris Sanders’ training course, Building Intrusion Detection Honeypots: https://chrissanders.org • Chris Sanders’ book, Intrusion Detection Honeypots: Detection through Deception https://www.amazon.com/Intrusion-Detection-Honeypots-through-Deception/dp/1735188301 Hardening • CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/ • Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
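The Hardening slide (23) and its speaker note name concrete things to switch off on a Windows endpoint; as an added example (not code from the slides or the speaker), this PowerShell script audits a single host for three of them and can optionally remediate the two that are fixable locally. Assumptions: Windows 8/Server 2012 or later (SmbShare and DISM modules present), an elevated session, and the legacy (AdmPwd) LAPS policy registry key as the indicator that LAPS has applied; CIS benchmark checks are out of scope here.

```powershell
# Added example: audit a Windows endpoint for legacy services called out on the
# Hardening slide (Print Spooler, SMBv1) and check whether a LAPS policy applied.
# Report-only by default; -Remediate applies the fixes that can be made locally.
#Requires -RunAsAdministrator
param(
    [switch]$Remediate   # without this switch nothing is changed
)

$findings = @()

# 1. Print Spooler: "no print spooler, no PrintNightmare". Only disable it on
#    endpoints that really do not print through the local spooler.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler service is running'
    if ($Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# 2. SMBv1: the protocol the notes say Petya spread over. Check the server-side
#    setting and the optional OS feature (which also covers the SMB1 client).
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) {
        # -NoRestart: schedule the reboot yourself instead of rebooting mid-script
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
}

# 3. LAPS: once the legacy LAPS GPO applies, AdmPwdEnabled = 1 appears under this
#    policy key (assumption: legacy AdmPwd-based LAPS, not Windows LAPS).
#    There is no local fix: LAPS is deployed through the AD schema and a GPO.
$lapsKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$lapsEnabled = (Get-ItemProperty -Path $lapsKey -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
if ($lapsEnabled -ne 1) {
    $findings += 'LAPS policy not applied (AdmPwdEnabled is not 1); the local admin password is probably static and shared'
}

# 4. Report what was found so the output can be collected from many hosts.
if ($findings.Count -eq 0) {
    Write-Output ("{0}: no findings (spooler stopped, SMBv1 off, LAPS policy present)" -f $env:COMPUTERNAME)
} else {
    Write-Output ("{0}: {1} finding(s)" -f $env:COMPUTERNAME, $findings.Count)
    $findings | ForEach-Object { Write-Output (" - " + $_) }
    if (-not $Remediate) { Write-Output 'Re-run with -Remediate to apply the local fixes.' }
}
```

Run it once without the switch across a pilot group and read the findings before using -Remediate, since disabling SMBv1 or the spooler breaks the legacy printer-scanners and NAS devices the note mentions.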

Editor's Notes

  1. Technically, no. For the first time in 2019, Malwarebytes detected more threats per endpoint on Macs than on Windows-based PCs! Okay, but what happens when you take that word, “technically” out of it? Ah, I’m glad you asked. So the VAST majority of these “threats” turn out to be adware and “PUPs” – potentially unwanted programs. How much is the VAST majority? In 2020, Malwarebytes reports that only 1.5% of detections on Macs are malware – the rest were adware and PUPs. This stuff isn’t actually a real threat to endpoints though – more annoying than anything. So, yeah – when we’re talking about REAL threats, Windows is still drawing the vast majority of attention
  2. Ransomware was already bad. But it exploded late last year, almost overnight! Though attackers have moved away from COVID-19-related phishing lures, ransoms still work, so why not lean into it? In the past, it has been difficult to estimate how much money cybercriminals were making… Now, thanks to cryptocurrency, it’s much easier to monitor ransom payments and criminal profits.
  3. There’s even a website for tracking criminal payments!
  4. But then, cybercrime reflects the vast profits they’ve been earning. They’re more business-like than ever and have anti anti-money-laundering tools to show for it!
  5. The iconic technique used by Stuxnet back in the 2000s is actively used today to spread across segmented and airgapped networks.
  6. At a macro-level, most security product markets begin fragmented. Dozens of standalone, point products that address small parts of a larger problem. Then, we typically see these sub-markets begin to consolidate. We've had two large consolidation events so far in endpoint security.
  7. The emergence of EPP brought a lot of functionality under one console, simplifying things. In addition to consolidation within the security market, several key features got added to operating systems: host firewalls, VPN clients, full-disk encryption (BitLocker, FileVault), and anti-virus (Windows Defender, Mac’s XProtect). Mobile operating systems were born during this consolidation and got most of this built in from the start!
  8. The OS vendors took away a lot of revenue. Locking down systems sounds like a great idea… until you try to do it across a large enterprise: exception hell, edge cases.
  9. Malware got out of control. The existing AV vendors weren’t doing a great job at stopping it, so a number of new approaches emerged: machine learning, exploit mitigation (process shimming), kernel shimming. Also, device management desperately needed an overhaul (especially now that remote work was getting more and more popular). Traditional AV companies took a serious beating.
  10. NGAV’s long road to replacing AV - “the curse of complementing”. Even today, lots of folks run more than one anti-virus simultaneously; they don’t trust a single AV vendor to provide adequate coverage. Proactive vs reactive example: ransomware doesn’t have to be cryptoransomware. Looking at the problem as “we’ve got to stop unauthorized encryption of files” is the wrong way to play the game.
  11. I don’t think we’ll ever get to a singular agent on endpoints, but these days two or three seems reasonable. Old AV gets vertically consolidated: AVAST and AVG, AVG and NortonLifeLock, for example. Part of the reason for this is that the new AV companies decided to build EPP in-house rather than sell to traditional AV. Besides, they built their brands on the premise that traditional AV failed – they couldn’t then join them! So this is roughly where we are currently.
  12. The good news? AV/NGAV is pretty cheap. Windows Defender is free and is pretty decent. The really professional bad guys have AV/NGAV also and they know how to get around it – or they’ll just turn it off! (Folks almost never notice when endpoint security is tampered with, sadly.) Performance differences between AV products are generally not worth sweating over. These days, many NGAV or AV products have been combined or bundled to some extent with EDR products. If you’ve already got AV/NGAV, it might not be worth switching just to get EDR bundled, unless you really don’t like it. Don’t forget! Protecting employees doesn’t mean just protecting them at work or on corporate devices; you’ve got to protect them at home as well, especially during this heightened state of remote work. Good news! Most AV/NGAV vendors allow 5 devices per individual! That’s typically enough to cover most employees’ work and home devices. Some might even consider it a work perk?
  13. We’re largely talking about EDR here. EDR has been shown to be effective, especially in threat hunting and behavioral detections. BUT, it’s a BIG labor commitment to get value out of. If you don’t have the people, look into MDR offerings instead. XDR is also starting to look like a natural evolution for EDR and MDR – it’s really a layer on top. XDR premise: the endpoint is the best place to start when putting together correlated security analytics for detection/response.
  14. More than ever, we know how attackers get in. MITRE ATT&CK catalogues their techniques… New work on ATT&CK heatmaps quantifies which techniques are more common than others. So, a decade ago, Haroon Meer gave this great talk where he points out that pen testers don’t emulate attackers, they emulate other pen testers. Well, guess what? Modern attacks now look like pen tests, so I guess if we do the wrong thing long enough, eventually we’ll be right? Phishing -> endpoint compromise -> dump creds -> pivot -> own AD -> profit? Cobalt Strike. Sound familiar?
  15. Endpoint security isn’t all about products! A lot of what will save you from attacks has to do with hardening, planning, and architecture. In other words, endpoint security products should be considered the last line of defense, not the first. We’re going to dive into some principles of cybersecurity strategy as they apply to endpoints. Here are some of the most important ones at a high level. Understand how attackers operate and how they see you! One of your key advantages is that the attack is going to happen on your home turf. You get to rig the game in your favor! The principle of least privilege is always a useful one – less attack surface, fewer problems.
  16. Do all your employees still physically print things to a printer using the built-in print spooler? If not, disable it! No print spooler, no PrintNightmare! Move to cloud print technologies and disable these old protocols and services. The Petya ransomware infected systems that still had SMBv1 enabled. Most people could have disabled it and never would have noticed a difference. Most of the folks that couldn’t disable it had legacy printer-scanners and NAS devices that still relied on it! Did you know much of the ransomware out there uses the built-in Windows CryptoAPI? That means the decryption keys that people end up paying for were created on the very systems affected by the ransomware. Simple things like LAPS will slow down attackers. The CIS benchmarks require a time investment to go through, but they’re worth it to harden the base OS images and configurations you deploy to your systems.
  17. Ever heard someone say “attackers only have to get it right once, defenders have to be right every time”? What if we flipped that script and said “attackers have to evade detection and guess correctly every time, defenders only need to detect them once”? As defenders, we have the home turf! When attackers get a foothold in a network, or their malware makes its way in, they’ve got a lot of guesswork to do! They have to hope that your systems and networks look like every other system and network they’ve seen, with the same defaults, the same mistakes, secrets stored in the same places. What if we moved things around? Set traps? Note: Chris Sanders also teaches a course (https://chrissanders.org).
  18. Isolation: isolate endpoints from each other and the rest of the corporate network, like a guest network or coffee shop. By limiting the ‘blast radius’ for many types of attacks to a single endpoint, the breadth of damage can be limited. See, it’s not necessarily the endpoint as a target that’s the problem; it’s that the endpoint is a doorway into the rest of the organization. Domain-joined endpoints hook into Active Directory and the entire corporate network. Even in segmented networks, Active Directory is often a clear and open path for attackers to take from a single endpoint into the rest of the business. Replace legacy services that rely on traditional, open, flat networks, e.g. using file sync and share services like Box, OneDrive, and Dropbox, or using cloud print services. Even traditional services can be more safely used thanks to technologies like ZTNA. Move the directory to the cloud – Azure AD, Okta, JumpCloud. Replace group policy and on-prem AD with unified device management products like JumpCloud, Intune, and yes, Nexnode. At the very least – do some work to harden on-prem AD.
  19. Out of the roughly 2000 hours we all spend at work every year, a vanishingly small number of hours is spent actively running through scenarios for an attack. How can we expect to do well in these situations if we don’t train for them? Yes, this is a small and biased sample size, but the only security teams I’ve run into that train more than this have dedicated full-time CIRT teams.
  20. If you need an excuse to get rid of that legacy software and/or hardware weighing you down, consider this that opportunity. “A proactive tech refresh strategy increases the chance of reporting a successful security program by roughly 11% to 15%, with an average of 12.7%.”
  21. MITRE’s ATT&CK evaluations take known attacker TTPs and test how well commercial EDR products detect them! The DBIR now goes into detail on which techniques are used in different phases of attacks!
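Slide 24 and note 17 list the "typical attack signs" a defender on home turf should watch for; as an added example (not the speaker's code), this PowerShell function applies three of them to Sysmon-shaped events: executions from %appdata%, new autoruns written under Run/RunOnce keys, and LSASS opened with read access by an unfamiliar process. The event records are constructed sample data using Sysmon's field names (Event IDs 1, 13 and 10); the LSASS-reader allow-list is an assumed starting point to tune, not a complete list, and on a real host the same objects would be built from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'.

```powershell
# Added example: flag attack signs from slide 24 in Sysmon-style events.
# Constructed sample events (made-up paths, SID and access masks for illustration).
$sampleEvents = @(
    [pscustomobject]@{ Id=1;  Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Id=1;  Image='C:\Users\alice\AppData\Roaming\update\svch0st.exe'
                       ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
    [pscustomobject]@{ Id=13; Image='C:\Users\alice\AppData\Roaming\update\svch0st.exe'
                       TargetObject='HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater'
                       Details='C:\Users\alice\AppData\Roaming\update\svch0st.exe' }
    [pscustomobject]@{ Id=13; Image='C:\Windows\System32\svchost.exe'
                       TargetObject='HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start'; Details='DWORD (0x00000003)' }
    [pscustomobject]@{ Id=10; SourceImage='C:\Windows\System32\csrss.exe'
                       TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1400' }
    [pscustomobject]@{ Id=10; SourceImage='C:\Users\alice\AppData\Roaming\update\svch0st.exe'
                       TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1010' }
)

function Find-AttackSigns {
    param([Parameter(Mandatory)][object[]]$Events)

    # Processes that legitimately open LSASS with read access on most hosts.
    # Assumed starting allow-list: extend it from a clean baseline of your own fleet.
    $lsassReaders = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe',
                      'C:\Windows\System32\svchost.exe')
    $autorunKeys  = @('\Software\Microsoft\Windows\CurrentVersion\Run\',
                      '\Software\Microsoft\Windows\CurrentVersion\RunOnce\')
    $findings = @()

    foreach ($e in $Events) {
        switch ($e.Id) {
            1 {
                # "Weird executions in %appdata%": a user-writable path needs no installer
                if ($e.Image -match '\\AppData\\(Roaming|Local)\\') {
                    $findings += [pscustomobject]@{ Sign='Execution from AppData'; Detail=$e.Image; Context=$e.ParentImage }
                }
            }
            13 {
                # "New autoruns added to registry": a value written under a Run/RunOnce key
                foreach ($k in $autorunKeys) {
                    if ($e.TargetObject -like "*$k*") {
                        $findings += [pscustomobject]@{ Sign='New autorun'; Detail=$e.TargetObject; Context=$e.Image }
                    }
                }
            }
            10 {
                # "Dumping credentials from memory": LSASS opened with PROCESS_VM_READ (0x10)
                # by something outside the allow-list. 0x1400 (query info only) is not flagged.
                $access = [Convert]::ToInt32($e.GrantedAccess, 16)
                if ($e.TargetImage -like '*\lsass.exe' -and ($access -band 0x10) -and
                    ($lsassReaders -notcontains $e.SourceImage)) {
                    $findings += [pscustomobject]@{ Sign='LSASS read access'; Detail=$e.SourceImage; Context=$e.GrantedAccess }
                }
            }
        }
    }
    return $findings
}

# Run the checks over the sample; on the data above, the svch0st.exe chain trips all three signs.
Find-AttackSigns -Events $sampleEvents | Format-Table -AutoSize
```

The same three findings from one binary (unusual path, persistence, then LSASS access) is the kind of correlation the EDR/XDR slides describe; a single one of them is a lead to check, not a verdict.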