
How to prevent pesky compromised endpoints

Like ants drawn to a picnic, cybercriminals can’t resist the spoils of juicy, unprotected endpoints.

2023 has proven to be a noteworthy year for attacks perpetrated through vulnerable endpoints and devices. In a recent survey conducted by CyberRisk Alliance, 58% of IT decision-makers said that one or more of their organization's endpoints had been compromised over the last 12 months.

A separate study by cybersecurity vendor Sophos finds that ransomware attacks account for two-thirds of all security incidents reported to its incident response team, and that 36% of those incidents were made possible by exploited vulnerabilities in endpoint devices.

Near-daily incidents of endpoint-related breaches don’t inspire confidence in the average organization’s cybersecurity posture. Are attackers really that savvy or are companies just dropping the ball as new threats come online? 

That question is up for debate, but we know — based on data — there are basic steps organizations can take to rectify endpoint security failings. 

Check out our top recommendations:

MFA all day, every day

For every study that suggests multifactor authentication (MFA) has gone mainstream, other data arrives to indicate the opposite. MFA requires users to present two or more proofs of identity drawn from different categories: something you know (a password or PIN), something you have (a hardware token or authenticator app), or something you are (a fingerprint, voice print or other biometric). Two passwords are not MFA; the factors must come from different categories, which is precisely why a stolen password alone is not enough to get in. According to Sophos, MFA still hasn't caught on with a substantial portion of businesses, and the consequences are clear. Compromised credentials were the most common root cause of endpoint-based attacks (50%) in Sophos' 2023 Active Adversary report, and external remote services took the top spot among initial access techniques. In 70% of cases, abuse of valid accounts is what let attackers reach those external remote services.

What's most concerning is that MFA policies were not being applied in 39% of the cases Sophos examined in 2023. Removing that barrier to entry makes it much easier for threat actors to breach an organization's first (and often only) line of defense. When recent social engineering attacks go so far as to talk users into disabling their YubiKeys, it is a good sign that properly configured and enforced MFA is a genuine headache for bad actors.

Patchless security creates a patchwork of problems

In the old days, corporate firewalls gave IT security teams a baseline peace of mind that employees' desktop computers were protected, provided vulnerabilities were regularly patched. That assurance has eroded as companies expanded their borders to home offices, cafes and wherever else employees choose to sign in on company-issued devices. Unfortunately, the practice of patch management hasn't kept pace with the mass shift toward endpoints operating on the network edge.

In over half of the 2022 investigations in which Sophos determined that a vulnerability was the root cause, ProxyShell or Log4Shell was present on the affected assets, even though patches had been available since May 2021 and December 2021, respectively. In a subsequent analysis of IR data, Sophos found two more exploits of a Zoho ManageEngine flaw and one ProxyNotShell case, despite patches having been available 82 days before the first Zoho attack and 192 days before the first ProxyNotShell attack. The bottom line: it is in every organization's best interest to enforce regularly scheduled patch management for every endpoint on its network, with internet-facing services at the front of the queue.

Back, back, back it up

As with routine patching, few practices do as much for a company's endpoint integrity as backing up applications and data to offsite locations. Organizations hit by ransomware are likely to see their data and systems encrypted: three out of every four ransomware attacks documented by Sophos result in encryption of the victim's data.

By backing up data from endpoints and preserving it offline, or otherwise immutably, in another physical location that an attacker who already controls the endpoint cannot reach, organizations can curb the sting of ransomware. They might still lose revenue, but far less than peers who have no usable backups. The average recovery cost is $1.62 million for companies that restore from backups, versus $2.6 million for those that pay the ransom instead.

Using backups also results in much faster recovery. Forty-five percent of companies that restored from backups recovered within a week, compared with 39% of those that paid a ransom.

Vigilance around the clock

Without the means to authenticate every endpoint that accesses its network, an organization can give adversaries a free pass to move laterally through that network undetected. And any time adversaries remain undetected is time the organization will wish it had back. "The time to detect is the number one battle," says Chester Wisniewski, Field CTO of Applied Research at Sophos. "If a human is on the other end and they get blocked, they just come back in three minutes with a different tool, and then a different tool, and even if you've managed to lock them out of all their tools, then they start mangling them until they can get past your software. So this is really all about a race against time."

Endpoint detection and response (EDR) tools give organizations an arrow in their quiver, but they aren't the only option. Extended detection and response (XDR) builds on EDR by integrating multiple data sources to give companies broader visibility across their IT stack, including firewalls, servers, cloud infrastructure and mobile endpoints. In addition, companies might consider pairing XDR with a managed detection and response (MDR) provider whose trained threat hunters monitor customer networks around the clock.

Cover all your bases with ZTNA

Zero trust network access (ZTNA) treats each user and device individually, so that only the resources that user and device are allowed to reach are made available. Instead of granting a connected user free movement across the network, ZTNA brokers a separate tunnel from the user to the gateway for each application they are authorized to use, and nothing more.

Before applying ZTNA in blanket fashion across the enterprise, your organization might consider identifying which applications merit the most restrictive access controls and which can afford a little more leniency. "I recommend companies, especially those with a remote-first working model, do what I call a traffic light protocol," says Wisniewski. "Sit down and figure out what all your applications are. Some apps will be green light, meaning you can bring your own device to access that app. Some apps are yellow light — you can bring your own device, but I'm going to make you use two-factor authentication to get access to them. The remaining apps are red light — for these, you must use a company-issued device, it's got to have multifactor [authentication] and it's got to be fully managed and up-to-date."
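The traffic-light model above is easy to turn into a policy decision point: classify each application, then check the requesting device's posture against the tier before brokering a tunnel. The following is an added example written for this article, not code from Sophos or any ZTNA product. The application catalog, the posture fields, and the 30-day window used to mean "up to date" are assumptions chosen for illustration; unknown applications are denied by default, since an app nobody classified should not be reachable at all.

```python
"""Tiered ("traffic light") access policy for a ZTNA gateway.

Added example; not code from the article or from any vendor. The app
catalog, device posture fields and the 30-day patch window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Per-tier requirements, following the traffic-light model:
#   green  = any device may connect
#   yellow = any device, but MFA must have been verified
#   red    = company-managed device, MFA verified, and recently patched
TIER_REQUIREMENTS = {
    "green": {"mfa": False, "managed": False, "patched": False},
    "yellow": {"mfa": True, "managed": False, "patched": False},
    "red": {"mfa": True, "managed": True, "patched": True},
}

# Constructed application catalog (assumption; not real systems).
APP_TIERS = {
    "cafeteria-menu": "green",
    "wiki": "yellow",
    "payroll": "red",
    "prod-admin-console": "red",
}

MAX_PATCH_AGE_DAYS = 30  # assumption: "up to date" means patched within 30 days


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool        # enrolled in the company's device management
    mfa_verified: bool   # a second factor was verified for this session
    last_patched: date   # date the device last installed updates


@dataclass
class Decision:
    allowed: bool
    tier: str
    reasons: list = field(default_factory=list)  # why access was denied


def evaluate(app: str, posture: DevicePosture, today: date) -> Decision:
    """Decide whether one (device, app) request gets a tunnel.

    Every unmet requirement is recorded, so a denial explains itself to
    the user and to whoever reviews the gateway's logs.
    """
    tier = APP_TIERS.get(app)
    if tier is None:
        # Default deny: an unclassified app is not reachable through the gateway.
        return Decision(False, "unclassified", ["app not in catalog; default deny"])
    req = TIER_REQUIREMENTS[tier]
    reasons = []
    if req["mfa"] and not posture.mfa_verified:
        reasons.append("MFA required for this tier but not verified")
    if req["managed"] and not posture.managed:
        reasons.append("company-managed device required")
    if req["patched"]:
        age = (today - posture.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            reasons.append(f"device patch age {age}d exceeds {MAX_PATCH_AGE_DAYS}d")
    return Decision(not reasons, tier, reasons)


def authorized_apps(posture: DevicePosture, today: date) -> list:
    """The apps this device may reach: one tunnel per allowed app, and no
    network-wide access. Anything not listed here is simply not routed."""
    return sorted(a for a in APP_TIERS if evaluate(a, posture, today).allowed)


if __name__ == "__main__":
    today = date(2023, 10, 1)
    # Constructed sample devices: a personal laptop with MFA but stale patches,
    # and a managed corporate laptop that was patched last week.
    byod = DevicePosture("byod-laptop", managed=False, mfa_verified=True,
                         last_patched=date(2023, 6, 1))
    corp = DevicePosture("corp-laptop", managed=True, mfa_verified=True,
                         last_patched=date(2023, 9, 20))
    for p in (byod, corp):
        print(p.device_id, "->", authorized_apps(p, today))
        d = evaluate("payroll", p, today)
        print("  payroll:", "allow" if d.allowed else "deny", d.reasons)
```

In practice the posture values would come from the identity provider (MFA), the device-management agent (managed, patch state) and a signed device attestation rather than from the request itself; the point of the policy is that a BYOD laptop with MFA reaches the wiki and nothing red, while an unmanaged or stale device gets a readable explanation instead of a tunnel.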

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
