Page 49 - Cyber Defense eMagazine March 2024
P. 49
endpoint security solution, that malicious element will start running. The incident might result in an
infection with lesser impacts to your network. However, it is common that the malicious element is a
command-and-control link to a remote cell that connects to an operator who is waiting to compromise the
device. They will attempt to access the environment in which the device is running and begin analyzing
your network for vulnerabilities and valuable assets.
The malicious actor will then start querying the network the same way that security professionals do to
discover other devices. Attackers have grown more sophisticated; depending on their findings or how far
they get in your network, they likely won’t trigger many alerts nor be in a hurry to launch the attack. They’ll
move carefully through the network, scanning for additional devices they can access and credentials they
can steal. For instance, if remote desktop protocol (RDP) services are enabled, the attacker will leverage
those RDP connections with the credentials they have stolen to try accessing a different device. They
will continue using different exploits to access more devices, gather more credentials and gain more
knowledge about the network. If they can get the device’s security domain, the adversary may sell that
information via the dark web to a different threat group that may be interested in orchestrating a larger
attack.
Attackers often operate unnoticed for days or weeks, waiting patiently to launch the attack until they have
stolen all the data they want. Those managing the network must be aware that, if the attacker has
accessed it for a while and notices the network operator is implementing additional security measures,
they may immediately launch their attack while they still have access.
Increasing visibility to secure endpoints
There are several steps that security teams can take to protect their endpoints and mitigate risk, even in
the event of a breach. Some best practices that teams should adopt to strengthen their network security
include:
• Establish comprehensive visibility across all endpoints. As mentioned, an essential measure
for security teams is to have extensive visibility of all endpoints. Advanced security tools with
sophisticated discovery capabilities will help increase visibility by identifying those endpoints that
are unprotected and inform the necessary steps for installing protection and continued monitoring.
For instance, if you have a network of 100 computers and 10 are unprotected, a security tool with
advanced discovery can identify all endpoints attached to the network and show which 10 remain
unprotected, allowing you to manage those unmanaged endpoints
• Employ multi-factor authentication. Malicious actors will try various methods, including brute
force attacks, to gain access to security credentials and use them throughout your network. If an
attacker can steal the security administrator’s credentials and log into the security product’s
console, they will try to uninstall or disable the security product from the admin console. Requiring
multi-factor authentication (MFA) in all these critical services can prevent an attacker from
disabling the security measures from the code itself. Measures like MFA can mitigate much of the
risk and limit the extent of an attack.
Cyber Defense eMagazine – March 2024 Edition 49
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.