The document summarizes the state of endpoint threats and defenses in 2021. It finds that while Windows PCs remain a top target, Mac malware is growing. Ransomware increased dramatically over the past year and remains a major threat. Endpoint defenses are still fragmented across antivirus, next-gen antivirus, EDR, and other tools. The document recommends strategies like hardening systems, adopting a zero trust model, training incident response teams, and regularly testing defenses to combat evolving endpoint threats.
The State of Endpoint Defense in 2021
1. The State of Endpoint Defense in 2021
Adrian Sanabria
Founder, Security Weekly Labs
2. 2
Adrian who?
10 years as a security practitioner (all the hats)
5 years as a security consultant (pen tester and PCI QSA)
3 years as an industry analyst
2 years building my own company and working for vendors
Founded several local cybersecurity community groups in East Tennessee
Now: cybersecurity product testing at Security Weekly Labs
3. 3
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
4. 4
Endpoint threats – still all targeting Windows?
For the first time, Malwarebytes detected more threats on Macs than on Windows!
Source: Malwarebytes 2020 State of Malware Report
5. 5
Recent threat landscape changes (last ~5yrs)
Ransomware and extortion bigger than ever
• 10x increase in the past year, according to FortiGuard Labs
• Not going away any time soon
• It is mostly preventable
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
7. 7
Recent threat landscape changes (last ~5yrs)
Anti Anti-Money Laundering
Source: Krebs on Security, New Anti Anti-Money Laundering Services for Crooks
8. 8
Recent threat landscape changes (last ~5yrs)
Malvertising and Scareware are back
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
9. 9
Recent threat landscape changes (last ~5yrs)
Non-ransomware malware is still around and evolving!
• Malware copying itself to removable storage to jump air gaps
• Infection through Microsoft products or browsers
• Botnets are still common
• Mirai is still around, infecting IoT devices and performing DDoS attacks
Source: Fortinet’s 2021 mid-year Global Threat Landscape Report
10. 10
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
13. 13
Lessons learned from the 2000s
• OS vendors can pull the rug out
• Device/port control is hard and breaks things
• Application control is a nightmare to manage
• Managing 5 or more endpoint products isn’t… ideal
• Deploying a new endpoint product is an intense, high-friction choice
15. 15
Lessons learned from the 2010s
• 59% of enterprises still running three or more endpoint security products concurrently (451 Research Voice of the Customer, 2016)
• Things didn’t consolidate as much as we thought
• NGAV was largely complementary for 5+ years
• Reactive approaches to endpoint security = playing leapfrog
• Proactive approaches to endpoint security = playing chess
16. 16
Consolidation: 2017-present
• New EPP
• Unified Endpoint Management
• Vertical consolidation of old AV
• Vuln mgmt agents
• Log aggregation agents
• Browser-as-a-Service
EPP + UEM + other stuff (maybe?)
17. 17
Agenda
The state of endpoint threats
The state of endpoint defenses
Strategies for success
18. 18
Where endpoint fits today
Cyber Defense Matrix (figure): asset classes Applications, Devices, Network, Data and People, laid against the functions Identify, Protect, Detect, Respond and Recover, with the degree of dependence on People, Process and Technology shown across the matrix.
https://cyberdefensematrix.com/ - created by Sounil Yu - @sounilyu
Endpoint products placed on the matrix: EDR, AV/NGAV, Vuln mgmt agents, Endpoint DLP
19. 19
Endpoint products: Prevention
Prevention: the first line of defense
Scenario: Detect and stop malware
Categories: AV, NGAV
Pros:
• Fully automated
• Least expensive
• Addresses a wide range of threats
Cons:
• Doesn’t stop talented and
Bottom Line: Like or hate AV’s success rate, it’s a must
Don’t Forget: 5 devices per license makes it possible to cover corporate-owned and personal devices!
20. 20
Endpoint products: Detect and respond
Prevention: the second line of defense
Scenario: Malware gets by AV, or attackers don’t use malware
Categories: EDR, MDR, XDR
Pros:
• Catches stuff AV doesn’t
• Highly configurable
Cons:
• Relies on knowledgeable analysts
Bottom Line: These days, EDR is also a must, despite the additional overhead
Don’t Forget: The people to get value out of it! Low on labor? Look at MDR
22. 22
Endpoint defense: Strategies
Endpoint security products should be considered the last line of defense, not the first
Some good, general strategic cybersecurity principles
1. Understand what attackers want and how they go about getting it
2. Don’t give them what they expect to find
3. If you don’t need it, get rid of it
23. 23
Strategies: Hardening
• Disable legacy services and functionality
• Disable unnecessary and unused services and functionality
• Use LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899)
• Go through the CIS benchmarks for your endpoint technologies
24. 24
Strategies: Attackers (not defenders) are fragile
• Non-standard Windows install directories
• Non-standard account names
• Look for typical attack signs
- Weird executions in %appdata%
- New autoruns added to registry
- Use of CryptAPI by unfamiliar binaries
- Dumping credentials from memory
• Set honeypot/honeytoken traps
- Canarytokens.org
- Fake credentials in memory
- Fake endpoints (OpenCanary)
Intrusion Detection Honeypots: Detection through Deception by Chris Sanders
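The four "typical attack signs" on this slide, written as detection rules run over constructed Sysmon-style events. This is an added example, not material from the talk: the event field names mimic Sysmon event IDs 1 (process create), 7 (image load), 10 (process access) and 13 (registry value set), the values are made up, and the two allow-lists are assumed starting points to tune per environment.

```python
import re

# Constructed sample telemetry shaped like Sysmon events (IDs 1, 7, 10, 13);
# field names follow Sysmon's, every value is made up for this example.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"id": 1, "Image": r"C:\Users\alice\AppData\Roaming\Upd\svchost.exe"},
    {"id": 13, "Image": r"C:\Users\alice\AppData\Roaming\Upd\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\Upd",
     "Details": r"C:\Users\alice\AppData\Roaming\Upd\svchost.exe"},
    {"id": 7, "Image": r"C:\Users\alice\AppData\Roaming\Upd\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"id": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\crypt32.dll"},
    {"id": 10, "SourceImage": r"C:\Users\Public\p.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)   # %appdata% / %localappdata%
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)  # Run / RunOnce autostart keys
CRYPTO_DLLS = ("bcrypt.dll", "crypt32.dll", "ncrypt.dll")     # CryptoAPI / CNG libraries
# Assumed allow-lists: install roots we treat as "familiar", and the processes that
# legitimately open LSASS. Both are placeholders to tune per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LSASS_READERS = ("c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe")

def familiar(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)

def detect(events):
    """Return (rule, offending image) pairs for the four signs listed on the slide."""
    hits = []
    for e in events:
        if e["id"] == 1 and APPDATA.search(e["Image"]):
            hits.append(("exec_from_appdata", e["Image"]))
        elif e["id"] == 13 and AUTORUN.search(e["TargetObject"]):
            hits.append(("autorun_added", e["Details"]))
        elif (e["id"] == 7 and e["ImageLoaded"].lower().endswith(CRYPTO_DLLS)
              and not familiar(e["Image"])):
            hits.append(("cryptoapi_unfamiliar_binary", e["Image"]))
        elif (e["id"] == 10 and e["TargetImage"].lower().endswith("lsass.exe")
              and e["SourceImage"].lower() not in LSASS_READERS):
            hits.append(("lsass_access", e["SourceImage"]))
    return hits

if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule}: {image}")
```

Firefox loading crypt32.dll and csrss.exe opening LSASS are deliberately included as the benign cases the allow-lists must absorb; everything the rules do flag traces back to the single binary dropped under %appdata%.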
25. 25
Strategies: Zero Trust
• Endpoint isolation
• Replace Windows file shares with EFSS (e.g. Box, DropBox, OneDrive, GDrive)
• Cloud printing services
• ZTNA (Zero Trust Network Access)
• Ditch traditional, on-prem Active Directory
26. 26
Strategies: Train like a team
1000 hours: what professional sports teams spend training together every year
276 hours: what college and high school athletes spend training every year
2* hours: what security teams spend training for incident response every year
* A generous estimate based on my own experiences working with hundreds of companies over my career
27. 27
Strategies: Test your defenses
• Guardicore’s Infection Monkey:
https://www.guardicore.com/infectionmonkey/
• EndGame’s RTA: https://github.com/endgameinc/RTA
• Other tools: https://pentestit.com/adversary-emulation-tools-list
28. 28
Strategies: Tech refresh
• Less vulnerable stuff
• Happier staff
• More productivity
• Worth the investment
Source: 2021 Cisco Security Outcomes Study
29. 29
Endpoint Defense: Resources
Resources to understand attacks are more plentiful than ever
• MITRE ATT&CK Evaluations: https://attackevals.mitre-engenuity.org/
• Verizon DBIR: https://www.verizon.com/business/resources/reports/dbir/
• CISA most exploited vulns: https://us-cert.cisa.gov/ncas/alerts/aa21-209a
Detection through Deception
• Canarytokens: https://canarytokens.org
• OpenCanary: https://github.com/thinkst/opencanary
• Chris Sanders’ training course, Building Intrusion Detection Honeypots: https://chrissanders.org
• Chris Sanders’ book, Intrusion Detection Honeypots: Detection through Deception
https://www.amazon.com/Intrusion-Detection-Honeypots-through-Deception/dp/1735188301
Hardening
• CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
• Local Administrator Password Solution (LAPS): https://www.microsoft.com/en-us/download/details.aspx?id=46899
Technically, no. For the first time in 2019, Malwarebytes detected more threats per endpoint on Macs than on Windows-based PCs!
Okay, but what happens when you take that word, “technically” out of it?
Ah, I’m glad you asked. So the VAST majority of these “threats” turn out to be adware and “PUPs” – potentially unwanted programs.
How much is the VAST majority? In 2020, Malwarebytes reports that only 1.5% of detections on Macs are malware – the rest were adware and PUPs.
This stuff isn’t actually a real threat to endpoints though – more annoying than anything.
So, yeah – when we’re talking about REAL threats, Windows is still drawing the vast majority of attention
Ransomware was already bad. But it exploded late last year, almost overnight!
Though attackers have moved away from COVID-19-related phishing lures, ransoms still work, so why not lean into it?
Though, in the past, it has been difficult to estimate how much money Cybercriminals were making…
Now, thanks to cryptocurrency, it’s much easier to monitor ransom payments and criminal profits
There’s even a website for tracking criminal payments!
But then, cybercrime reflects the vast profits they’ve been earning.
They’re more business-like than ever and have anti anti-money-laundering tools to show for it!
The iconic technique used by Stuxnet back in the 2000s is actively used today to spread across segmented and airgapped networks.
At a macro-level, most security product markets begin fragmented.
Dozens of standalone, point products that address small parts of a larger problem.
Then, we typically see these sub-markets begin to consolidate.
We've had two large consolidation events so far in endpoint security.
The emergence of EPP brought a lot of functionality under one console, simplifying things.
In addition to consolidation within the security market, several key features got added to operating systems:
Host firewalls
VPN clients
Full-disk encryption (BitLocker, FileVault)
Anti-Virus (Windows Defender, Mac’s Xprotect)
Mobile operating systems were born during this consolidation and got most of this built in from the start!
The OS vendors took away a lot of revenue
Locking down systems sounds like a great idea…
until you try to do it across a large enterprise
Exception hell, edge cases
Malware got out of control.
The existing AV vendors weren’t doing a great job at stopping it, so a number of new approaches emerged:
Machine learning
Exploit mitigation (process shimming)
Kernel shimming
Also, device management desperately needed an overhaul
(especially now that remote work was getting more and more popular)
Traditional AV companies took a serious beating.
NGAV’s long road to replacing AV - “The curse of complementing”
Even today, lots of folks run more than one anti-virus simultaneously
They don’t trust a single AV vendor to provide adequate coverage
Proactive vs reactive example: ransomware doesn’t have to be cryptoransomware
Looking at the problem as “we’ve got to stop unauthorized encryption of files” is the wrong way to play the game
I don’t think we’ll ever get to a single agent on endpoints, but these days two or three seems reasonable.
Old AV gets vertically consolidated. AVAST and AVG. AVG and NortonLifeLock, for example.
Part of the reason for this is that the new AV companies decide to build EPP in-house, rather than to sell to traditional AV
Besides, they built their brands on the premise that traditional AV failed – they couldn’t then join them!
So this is roughly where we are currently
The good news? AV/NGAV is pretty cheap. Windows Defender is free and is pretty decent.
The really professional bad guys have AV/NGAV also and they know how to get around it – or they’ll just turn it off!
(folks almost never notice when endpoint security is tampered with, sadly)
Performance differences between AV products are generally not worth sweating over
These days, many NGAV or AV products have been combined or bundled to some extent with EDR products
If you’ve already got AV/NGAV, it might not be worth switching just to get EDR bundled unless you really don’t like it
Don’t forget! Protecting employees doesn’t mean just protecting them at work or on corporate devices, you’ve got to protect them at home as well, especially during this heightened state of remote workers. Good news! Most AV/NGAV vendors allow 5 devices per individual! That’s typically enough to cover most employees’ work and home devices. Some might even consider it a work perk?
We’re largely talking about EDR here
EDR has shown to be effective, especially in threat hunting and behavioral detections
BUT, it’s a BIG labor commitment to get value out of
If you don’t have the people, look into MDR offerings instead
XDR is also starting to look like a natural evolution for EDR and MDR – it’s really a layer on top
XDR premise: Endpoint is the best place to start when putting together correlated security analytics for detection/response
More than ever, we know how attackers get in.
MITRE ATT&CK catalogues their techniques…
New work in ATT&CK heatmaps quantify which techniques are more common than others
So, a decade ago, Haroon Meer gives this great talk where he points out that pen testers don’t emulate attackers, they emulate other pen testers
Well, guess what? Modern attacks now look like pen tests, so I guess if we do the wrong thing long enough, eventually we’ll be right?
Phishing -> endpoint compromise -> dump creds -> pivot -> own AD -> profit?
Cobalt Strike
Sound familiar?
Endpoint security isn’t all about products!
A lot of what will save you from attacks have to do with hardening, planning, and architecture
In other words, endpoint security products should be considered the last line of defense, not the first
We’re going to dive into some principles of cybersecurity strategy, as they apply to endpoint
Here’s some of the most important ones at a high level
Understand how attackers operate and how they see you!
One of your key advantages is that the attack is going to happen on your home turf. You get to rig the game in your favor!
The principle of least privilege is always a useful one – less attack surface, less problems
Do all your employees still physically print things to a printer using the built-in print spooler?
If not, disable it! No print spooler, no print nightmare!
Move to cloud print technologies and disable these old protocols and services
The Petya ransomware infected systems that still had SMBv1 enabled
Most people could have disabled it and never would have noticed a difference
For most of the folks that couldn’t disable it, the reason was legacy printer-scanners and NAS devices that still relied on it!
Did you know much of the ransomware out there uses the built-in Windows CryptoAPI?
That means the decryption keys that people end up paying for were created on the very systems affected by the ransomware
Simple things like LAPS will slow down attackers
The CIS benchmarks require a time investment to go through, but they’re worth it to harden the base OS images and configurations you deploy to your systems
Ever heard someone say “attackers only have to get it right once, defenders have to be right every time”?
What if we flipped that script and said “attackers have to evade detection and guess correctly every time, defenders only need to detect them once?”
As defenders, we have the home turf!
When attackers get a foothold in a network, or their malware makes its way in, they’ve got a lot of guesswork to do!
They have to hope that your systems and networks look like every other system and network they’ve seen
With the same defaults, the same mistakes, secrets stored in the same places
What if we moved things around? Set traps?
Note: Chris Sanders also teaches a course (https://chrissanders.org)
Isolation: isolate endpoints from each other and the rest of the corporate network, like a guest network or coffee shop
By limiting the ‘blast radius’ for many types of attacks to a single endpoint, the breadth of damage can be limited
See, it’s not necessarily the endpoint as a target that’s the problem
It’s that the endpoint is a doorway into the rest of the organization
Domain-joined endpoints hook into active directory and the entire corporate network
Even in segmented networks, active directory is often a clear and open path for attackers to take from a single endpoint into the rest of the business
Replace legacy services that rely on traditional, open, flat networks
E.g. Using file sync and share services like Box, OneDrive, and Dropbox
E.g. Using cloud print services
Even traditional services can be more safely used thanks to technologies like ZTNA
Move the directory to the cloud – AzureAD, Okta, JumpCloud
Replace group policy and on-prem AD with unified device management products like JumpCloud, Intune, and yes, Nexnode
At the very least – do some work to harden on-prem AD
Out of the roughly 2000 hours we all spend at work every year, a vanishingly small number of hours is spent actively running through scenarios for an attack
How can we expect to do well in these situations if we don’t train for them?
Yes, this is a small and biased sample size, but the only security teams I’ve run into that train more than this have dedicated full-time CIRT teams
If you need an excuse to get rid of that legacy software and/or hardware weighing you down, consider this that opportunity.
“A proactive tech refresh strategy increases the chance of reporting a successful security program by roughly 11% to 15%, with an average of 12.7%.”
MITRE’s ATT&CK evaluations take known attacker TTPs and test how well commercial EDR products are at detecting them!
The DBIR now goes into detail on what techniques are used in different phases of attacks!