Endpoint security is in demand everywhere


In many parts of the IT world, the prevailing belief is that some systems simply don’t need endpoint security. Maybe they are not connected to the network or have no internet access. Maybe they are development systems or nothing important is running on them. Some companies simply let their Endpoint Security subscriptions expire because they felt they were not adding value.

This attitude stems from the fact that endpoint security has long been designed (at least in the world of information technology) to stop malware should it somehow land on the system. So if the system was isolated, easily recoverable, unimportant, or “we’re always very careful” then protection was not required.

Some consider desktops, workstations, and laptops to be less important than servers, and therefore only protect the servers. In reality, however, according to the Sophos 2021 Active Adversary Playbook, 54% of attacks were aimed at unprotected systems.

Both endpoint security and the way attacks work have changed dramatically in recent years. Threat actors have developed sophisticated tactics that rely on the administration tools already present on the system (e.g. PowerShell), scripting environments (e.g. JavaScript), system features (e.g. Scheduled Tasks) and Group Policy, on network services such as Server Message Block (SMB) and Admin Shares or Windows Management Instrumentation (WMI), and on legitimate commercial remote-maintenance applications (such as TeamViewer, AnyDesk or ScreenConnect), so that they rarely need actual malware to achieve their goals. What used to be considered sophisticated tradecraft reserved for intelligence services and Advanced Persistent Threat (APT) groups is now used by even the most inexperienced threat actors.

However, the attackers’ goal is still largely the same: to make money. This can be done through the use of ransomware for ransom extortion (often with subsequent data exfiltration and deletion of backup copies to make paying the ransom more attractive), through the mining of cryptocurrencies, through the theft of personal data or through industrial espionage.

In response to this changing threat landscape, device security has evolved. It now detects and prevents malicious behavior while providing detailed visibility, context and tools for threat detection. However, this further development of protection is in vain if it is not used. Unprotected systems are blind spots.

An unprotected system with Internet access can be a secret gateway through which hackers can attack your internal critical resources. (Image: Sophos)

Systems without direct internet access need to be protected

So how can an attacker attack an unprotected system without direct internet access?

As a rule, the attacks are launched from an intermediary system that has been compromised with a Trojan horse or stager and talks to the attacker over a command-and-control channel on port 443 (encrypted traffic that is difficult to identify as anomalous). Whether that intermediary is a server or a user system matters little, since both offer the same core functionality. From there, the attacker can reach your other systems in exactly the same way that you do.

Let’s list the techniques available to attack a system over the LAN (links to MITRE ATT&CK):

T1047 – Windows Management Instrumentation

1 – Remote Desktop Protocol
2 – Windows Admin Shares
3 – Distributed Component Object Model
4 – Secure Shell (SSH)
5 – VNC, ScreenConnect, TeamViewer or other third party remote management tools
6 – Windows Remote Services
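A defender-side illustration of the intermediary pattern described above: a protected host cannot see what runs on an unprotected neighbour, but it can see the remote sessions that neighbour opens against it. The following added example (not code from the original post or from Sophos) correlates constructed Windows Security 4624 logon events, as a SIEM might collect them from protected endpoints, and flags any source address that fans out to many distinct targets over the remote-service techniques listed above. The event field names, the logon-type mapping and the threshold are assumptions.

```python
"""Lateral-movement fan-out detector (added example, not Sophos code). Reads
constructed Windows Security 4624 events as a SIEM would collect them from
protected hosts and flags sources that open remote sessions to many targets."""
import json
from collections import defaultdict

# Logon types mapped to the remote-service techniques listed above (assumption)
TECHNIQUE_BY_LOGON_TYPE = {3: "network (Admin Shares, WMI, DCOM, WinRM)",
                           10: "RemoteInteractive (RDP)"}
FANOUT_THRESHOLD = 3            # distinct targets before a source is flagged
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed sample events, one JSON object per line (not real logs)
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "IpAddress": "10.0.5.23", "TargetUserName": "jdoe"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 3, "IpAddress": "10.0.5.23", "TargetUserName": "jdoe"}
{"EventID": 4624, "Computer": "MEDIA02", "LogonType": 10, "IpAddress": "10.0.5.23", "TargetUserName": "jdoe"}
{"EventID": 4624, "Computer": "BUILD07", "LogonType": 3, "IpAddress": "10.0.5.23", "TargetUserName": "backup-adm"}
{"EventID": 4624, "Computer": "DC01", "LogonType": 10, "IpAddress": "10.0.7.8", "TargetUserName": "it-admin"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "IpAddress": "10.0.7.8", "TargetUserName": "it-admin"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 2, "IpAddress": "-", "TargetUserName": "console"}
not json: a corrupted line the parser must survive
"""

def remote_sessions(lines):
    """Yield (source_ip, target_host, technique, user) for remote 4624 logons."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # blank or corrupted line: skip it
        if not isinstance(ev, dict) or ev.get("EventID") != 4624:
            continue
        technique = TECHNIQUE_BY_LOGON_TYPE.get(ev.get("LogonType"))
        src = ev.get("IpAddress", "-")
        if technique is None or src in LOCAL_SOURCES:
            continue                      # console logon or no remote source
        yield src, ev["Computer"], technique, ev.get("TargetUserName", "?")

def flag_fanout(lines, threshold=FANOUT_THRESHOLD):
    """Return {source_ip: {"targets": [...], "techniques": [...], "users": [...]}}
    for every source whose distinct-target count reaches the threshold."""
    per_source = defaultdict(lambda: defaultdict(set))
    for src, host, technique, user in remote_sessions(lines):
        per_source[src]["targets"].add(host)
        per_source[src]["techniques"].add(technique)
        per_source[src]["users"].add(user)
    return {src: {k: sorted(v) for k, v in stats.items()}
            for src, stats in per_source.items()
            if len(stats["targets"]) >= threshold}
```

Calling `flag_fanout(SAMPLE_EVENTS.splitlines())` flags only 10.0.5.23, which reached four hosts over two techniques with two different accounts, while the admin workstation 10.0.7.8 stays below the threshold.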

Security for all unprotected devices

With so many options available to threat actors, we need the visibility and protection that endpoint protection provides on all sorts of systems, including those without direct internet access. While the activity on the intermediate system may look harmless (e.g. establishing a Remote Desktop Protocol (RDP) connection), the consequences on the unprotected system can be catastrophic.

When blind spots are eliminated through the use of universal endpoint protection, attackers have fewer opportunities to hide. This is important because if attackers can hide on systems, they can remain undetected for days, weeks or even months and quietly collect information about the environment, users, networks, applications and data. They find end-of-life systems, Linux servers, hypervisors, and neglected and unpatched applications, and then dig until they’re ready for the ultimate attack.

In most cases, the hackers’ standard procedure is to disable endpoint security (which they can do because they have gained elevated or even SYSTEM privileges), exfiltrate and then delete backups, and finally deploy ransomware, typically obtained as ransomware-as-a-service.

An actual incident in detail

Sophos Rapid Response was recently called in to an incident involving an unprotected system. This case is a prime example of why endpoint protection should be used everywhere.

In early June 2021, the discovery of Cobalt Strike on the network of a medium-sized media company triggered a security alert. Cobalt Strike is a remote access agent that is often used by attackers as a precursor to ransomware attacks.

The attackers released the ransomware a few hours later, at 4 a.m. local time. For the next four hours, the target company’s IT team and the Sophos Rapid Response team engaged in a live battle with the human attackers who orchestrated the attack.

The attack ultimately failed, but not before the attackers had encrypted the data on unprotected devices, deleted online backups, and devastated an online domain that had no protective measures in place.

The ransom note left on the encrypted devices demanded $2.5 million and was signed by REvil, also known as Sodinokibi. REvil is a ransomware-as-a-service offering, meaning that criminal customers can rent the malware from the developers and then use their own tools and resources to plan and execute the attack. The target of this particular REvil customer was a media company with approximately 600 computing devices – including 25 servers – and three Active Directory domains, which were critical to keeping it up and running around the clock.

The rush to remote and online operations

Like so many companies in the early stages of the COVID-19 pandemic, the target company had rushed to equip and enable its employees for remote work, and not all devices were equally well protected. The company had also decided to connect a network that was previously air-gapped to the internet. Unfortunately, these measures would prove disadvantageous.

Once the intruders got inside the network, they made their way to the unprotected devices and other online systems they could access, installed their attack tools, and spread the attack to other devices.

The attack unfolds

When the Sophos Rapid Response team arrived on site, they found that the attackers had already compromised a number of accounts and were able to move freely between unprotected computers.

“One of the biggest challenges in incident response is the lack of visibility into what is happening on unprotected devices,” said Paul Jacobs, Incident Response Lead at Sophos. “We can see and block incoming attacks coming from these devices on a protected endpoint, but we cannot centrally remove the intruder from these devices or see what he is up to.”

The Sophos team also examined the software applications installed on the devices to see if they could be used as part of the attack. “As a result of the pandemic, it is not uncommon for employees to have remote access applications installed on their devices,” said Jacobs. “When we saw Screen Connect on 130 devices, we assumed it was installed on purpose to help employees work from home. It turned out that the company didn’t know about it – the attackers had installed the software to make sure they could maintain access to the network and the compromised devices.”

This was just one of several mechanisms the attackers used to maintain persistence. The attackers also created their own domain administrator account as a fallback after stealing another set of domain administrator credentials.

“The attackers then realized that they would be discovered and blocked. We could tell that they knew we were there and they did everything they could to defeat us,” said Jacobs. “Our security products have a behavior-based feature called CryptoGuard that detects and blocks attempts to encrypt files even if the source is a remote, unprotected device. As soon as we saw such detections, we knew the ransomware had been unleashed and the fight had begun.”

The attackers repeatedly attempted to break into protected devices and encrypt files, and launched their attacks from various unprotected devices that they could compromise.

Each attempt had to be blocked and investigated to ensure that nothing else was going on and that no further damage was being done – even if the next attempt at attack was already underway at this point. This task was made difficult by the fact that the organization had to keep most of its servers online to support the 24/7 broadcast systems.

Eventually the attack began to subside. Incoming attacks were still sporadically detected on the second day, but it was clear that the main attack attempt was over and failed.

The aftermath and the lessons

When the company’s emergency responders and IT security team took stock, they found that the damage was mostly confined to the unprotected devices and domains. The previously air-gapped online domain was completely destroyed and needed to be restored, and the online backups had been deleted, but the attack did not completely paralyze the company, and no exorbitant ransom was paid. Even so, the return to full operation has been a slow process and is still ongoing at the time of publication.

“In most cases the attack has already taken place when we are called and we are helping to contain, neutralize and investigate the consequences,” said Peter Mackenzie, manager of Sophos Rapid Response. “In this case, we were there as the final phase of the attack unfolded and we saw firsthand the determination and growing frustration of the attackers who were throwing everything at us from all possible directions.”

Sophos experts believe there are two key lessons defenders can learn from this incident:

The first concerns risk management. If you make changes to your environment, such as moving a network from air-gapped to online, as in the case of this company, the level of risk changes. New vulnerabilities open up, and IT security teams need to understand and address them.

The second is data protection. The first account compromised in this attack belonged to a member of the IT team. All of its data had been deleted, which meant that valuable information, such as details of the original break-in that could have been used for forensic analysis and investigation, was lost. The more information that is left intact, the easier it is to determine what happened and to ensure that something like this is not repeated.
