“Secure the endpoints!” This battle cry can sound like a meme, sure, but it also highlights arguably the most important part of modern cybersecurity today: are we securing the endpoints?
A compromised network is likely to leave traces of anomalous and unauthorized activities that originate from network endpoints. Such endpoints can include, but definitely are not limited to:
Critically, network endpoints also serve as the initial targets in cyberattacks — a break here eventually breaks through more sophisticated defense mechanisms.
For example, a hacked smartphone with escalated access privileges can break through multiple layers of data security and privacy defense systems until a suspicious activity is discovered on the approved endpoint device.
So, let’s look at the process of detecting and monitoring these endpoints, the first step towards endpoint security.
To be clear, endpoints are physical devices that share information with a computer network. Pretty much anything can be an endpoint: mobile devices, computers, virtual machines (VMs) and servers. If it’s part of the IoT, it’s also an endpoint.
So, endpoint detection is the process of monitoring and analyzing the behavior of endpoint devices for malicious behavior in a network environment. It involves two key pieces:
An Endpoint Detection and Response (EDR) system analyzes the aggregated information for potential cyber threats. An integrated Security Information and Event Management (SIEM) tool acts on the incidents triggered by the EDR system to contain the damage by isolating compromised network zones, revoking access to sensitive data and triggering alerts to the concerned InfoSec teams.
Endpoint detection plays a key role in cyber kill chains. The CKC model proposed by Lockheed Martin outlines seven stages of a cyber-attack:
Endpoints are involved from the third stage, Delivery, all the way through to the final stage of Actions on Objectives.
This makes endpoint detection an essential element of your cybersecurity defense mechanism: Indeed, endpoints are THE place where cybercriminals actively engage to extract and compromise data at the network edge — and to override cybersecurity defense systems.
Here’s how endpoint detection can help mitigate risks at different stages of the cyber kill chain:
This stage follows the reconnaissance and weaponization stages where a target is evaluated, identified and an attack vector is prepared for execution. At the Delivery stage, the attack is launched by practically engaging with a network endpoint device.
Cybercriminals may use social engineering to either acquire control of a user account running on an endpoint device or compromise a system vulnerability in the device.
(See how social engineering attacks work.)
The attack vector in the form of a malicious payload, for instance, is spread through the network by either:
Once the malicious payload has reached the servers, it is installed and allows intruders to gain full control of the network environment. At this stage, endpoint devices serve two important purposes:
The endpoint devices are also used as part of the Command and Control (C&C or C2) initiatives, such as:
(Read all about command & control attacks.)
The final stage actively involves endpoint devices in actions such as data exfiltration, service disruption, data manipulation as well as exposing unauthorized access and controls of system resources.
Now, let’s review endpoint detection from the opposing perspective: defending against cybercrime. Since the network edge is the first line of attack on the cybercrime battleground, you can take several measures to make your defense stronger:
Adopting cybersecurity guidelines is not always a straightforward process. For instance, the insider threat is responsible for 95% of all cybercrime incidents, but not all responsible insiders intend to harm the organization. Lack of awareness, negligence and falling prey to clever social engineering ploys is the main reason behind their role in facilitating a cyber-attack.
Fortunately, advanced AI based endpoint detection tools allow InfoSec teams to identify this behavior proactively.
Cybersecurity teams can use their network endpoints as rabbit holes to draw interest from cybercriminals engaging with them at the Reconnaissance stage of the Cyber Kill Chain.
Since the actions of adversaries at this stage are authorized, albeit with a malicious intent, security alarms are not raised until a suspicious action takes place. By running some endpoint devices as a honeypot, InfoSec teams can analyze and determine the Tactics, Techniques and Procedures (TTPs) of the attack, before it is even launched.
Data from multiple endpoint devices can be fused together and analyzed in real-time. Technologies such as data lake are designed for such use cases, where structured and unstructured is ingested continuously. Required portions of real-time data streams are then preprocessed and analyzed for anomalous behavior.
At the same time, AI systems continually learn from new information. The resulting control actions can be triggered remotely: Endpoint Detection and Response systems monitor for such remote dynamics and trigger security alerts and controls based on the real-time behavior of endpoint devices.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.