"Exploits at the Endpoint: SANS 2016 Threat Landscape Survey," found that user actions at the endpoint were the most prominent entry points allowing threats into organizations.

Cybercriminals are only getting more insidious in their methods of attack and the impact on organizations is increasingly harmful. But, holding off incursions can be achieved with user education and tested strategies, according to a new report from SANS.

"Exploits at the Endpoint: SANS 2016 Threat Landscape Survey," takes a sweeping examination of the current threat landscape to zero in on how attacks are penetrating into enterprise networks. Based on a survey of 300 IT professionals across the globe, the study details the alarming rate at which personal and corporate devices are falling victim to phishing and ransomware. The study, written by Lee Neely, a SANS mentor as well as a senior IT and security professional at Lawrence Livermore National Laboratory (LLNL), found that user actions at the endpoint were the most prominent entry points allowing threats into organizations.

The number one threat polluting enterprise networks is ransomware, which is disseminated via phishing and web downloads. In fact, the FBI stated in April that cyberthieves have raked in $1 billion from ransomware so far in 2016.

Close behind, more than a third of respondents cited threats that bypassed network gateway firewalls or went undetected by IDS tools.

More than 80 percent of respondents said their organization was attacked by a phishing incident in the past 12 months, with more than a quarter of those saying those threats resulted in a significant impact.

Key findings

How attackers get into user endpoints:
  - 75% of identified, impactful threats initially entered via email attachment
  - 46% of attacks were executed by users clicking web links in email
  - 41% also experienced attacks involving web drive-by or downloads

How attackers bypass endpoint defenses:
  - 48% through user error
  - 38% through social engineering
  - 37% through zero-day/unknown

Source: Exploits at the Endpoint: SANS 2016 Threat Landscape Survey

As well, spearphishing (or whaling) hit 58 percent of organizations, with 13 percent saying the impact was significant. Trojan horses were ranked by just over half of respondents as the next most common threat, though only seven percent said its impact was significant.

Phishing, ransomware and spearphishing (or whaling) are the fastest-rising types of threats entering organizations, the SANS report found. The primary methods by which threats enter organizations are email attachments, users clicking a link in an email, and web drive-bys or downloads.

"As these phishing and ransomware trends intersect, they create the perfect storm for legitimate user actions to result in significant, costly consequences to the organization, such as having to pay tens of thousands of dollars in ransom to retrieve critical access to maliciously encrypted data or to regain control of keys, or experiencing service denials that cause loss of business," the report stated.

The indications are that workers are not being adequately trained to avoid clicking on suspicious links, which is the most effective way for ransomware infections to start, the report concluded. But user training is not enough. "Endpoint security tools, help desk operations and security teams should work in unity to automate education and prevention," the report said.

But there are a number of steps organizations can take to defend against attacks, according to Check Point, which sponsored the study:

Educate your employees – First and foremost, it's important to make sure that your employees are educated about what to watch out for. This includes making sure the sender, attachments and URLs within emails are legitimate and trustworthy, as well as being watchful for unsettling content, for example an email stating that your bank account has been hacked. Keeping your employees aware and paying attention to what comes in their inbox is critical to preventing phishing, ransomware and other attacks from compromising your network.

Think Beyond Signature-Based Protections – Traditional signature-based protections, like anti-virus, are necessary but are no longer sufficient. In recent years, cybercriminals have learned how to bypass traditional signature-based detection solutions, bringing in new technologies and tools that make it much harder for users to decipher if an email, website, a file, or a URL is truly legitimate or not. Hackers can also easily modify a variant of a particular malware, creating a brand new malware capable of avoiding detection by signature-based solutions. For these reasons, it has become essential for organizations today to employ multiple layers of protection, being sure to utilize solutions that can secure them from new, unknown malware and other sophisticated attacks for which there might not be available signatures.

Neely wrote to SC Media on Nov. 4 to offer some takeaways:

  1. The user and the device they use are ground zero.
  2. Next-generation defenses are needed beyond traditional anti-virus. Move from signature detection to behavior detection, because it is really easy to evade signature-based systems.
  3. Whitelist everything. Sounds like a cliché or impossible task, but the issue is that blacklists don't work as they only address known bad items. They can miss a new signature on a bad item. The tools here are maturing and that helps.
  4. Make sure of the basics. Don't run as admin, monitor the network and endpoint. Pay attention to those alerts.
  5. Consider an always-on VPN. Then, corporate devices are always within the network defenses.
  6. Think about requiring authentication to reach the internet – all ports, not via single sign-on – so malware can't easily establish C2.
  7. Also deploy NGFW for in-depth protection, and couple that with limiting outbound ports to the absolute minimum, again to limit routes around defenses.
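Items 4, 6 and 7 above amount to one policy: endpoints reach the internet only through an authenticated proxy, direct outbound traffic is blocked, and the alerts are actually read. The script below is an added illustration, not code from SANS, Check Point or Neely, of the kind of check a security team could run over flow records to find endpoints violating that policy. The proxy address, log format and sample flows are all constructed assumptions.

```python
"""Audit egress flow records against an authenticated-proxy-only policy."""
from dataclasses import dataclass
import re

# Assumed policy: the only permitted route to the internet is the proxy at
# 10.0.0.5:3128, and every proxy connection must carry an authenticated user.
PROXY = ("10.0.0.5", 3128)
RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Constructed sample flows: "<timestamp> <src_ip> <dst_ip> <dst_port> <user|->".
SAMPLE_FLOWS = """\
2016-11-04T09:00:01 10.0.1.20 10.0.0.5 3128 alice
2016-11-04T09:00:05 10.0.1.21 10.0.0.5 3128 -
2016-11-04T09:00:09 10.0.1.22 203.0.113.7 443 -
2016-11-04T09:00:12 10.0.1.23 10.0.2.9 445 -
2016-11-04T09:00:15 10.0.1.20 198.51.100.4 4444 -
"""


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; east-west traffic is outside egress policy."""
    return bool(RFC1918.match(ip))


def audit(flows: str) -> list[Finding]:
    """Return one Finding per flow that bypasses or misuses the proxy policy."""
    findings = []
    for line in flows.splitlines():
        _ts, src, dst, port, user = line.split()
        port = int(port)
        if (dst, port) == PROXY:
            if user == "-":  # reached the proxy, but never authenticated
                findings.append(Finding(src, dst, port, "unauthenticated proxy use"))
            continue
        if is_internal(dst):
            continue
        # Any other external destination is a route around the proxy, i.e. a
        # channel malware could use for C2 regardless of the port it picks.
        findings.append(Finding(src, dst, port, f"direct egress bypassing proxy on port {port}"))
    return findings
```

Run over the constructed sample, `audit(SAMPLE_FLOWS)` returns three findings: one unauthenticated proxy session and two direct external connections, while the internal SMB flow is ignored.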


Updated on Nov. 4 to add Lee Neely comments.