IGEL Blog
Ransomware Endpoint Threats: How to Fight Back
As 2022 rolls on, the latest threat intelligence data from WatchGuard makes it clear that endpoint devices are a ripe target for cyberattacks. “In this new normal of hybrid workforces, endpoints can no longer rely on a strong perimeter to identify and catch the bulk of threats,” the report noted. Turning the focus on the endpoint itself and looking at ways to better secure end-user computing makes sense given that endpoint and ransomware attacks in the first three quarters of 2021 alone exceeded all of 2020.
Malware is also becoming an increasingly simple endeavor for cybercriminals, even those who are new to the space. “With tools like PowerSploit, PowerWare and Cobalt Strike, even low-skilled attackers can take everyday malware payloads and execute them using sophisticated memory injection techniques to evade detection,” the report said. Similarly, ransomware-as-a-service is helping escalate ransomware attacks. “Would-be criminals no longer need coding skills to carry out devastating attacks against organizations thanks to commoditized offerings available on the dark web and underground forums,” WatchGuard noted.
Combating these escalated threats at the endpoint requires organizations to look at every way a threat could succeed and tighten the controls in each element: user activity, the operating system itself, policy and access controls, antivirus software, detection of suspect or abnormal byte sequences, a chain of trust, virtualization and cloud-based computing. This defense-in-depth strategy is a multi-layered approach that uses physical, technical and administrative controls to safeguard an organization against ransomware threats.
Be Security Agnostic
We need to extend our thinking beyond just being device agnostic to being entirely security agnostic, recognizing that a hybrid workforce will introduce rogue devices at some point. IT security should focus on practices that reduce risk regardless of where, or on what device(s), an individual is working at the time. Being security agnostic is also the answer to another hybrid workforce trend: hoteling, which is gaining steam in 2022 as businesses rethink the expensive office space they probably still have. Just like hotel reservations, workers can reserve office space or just a desk to work on-site as needed. They may or may not bring a device with them, so security protocols must be agnostic, or at least standardized across devices, to support what is becoming a permanently fluid style of working.
Leverage Virtualization and Inherently Secure Operating Systems
Moving Windows to the data center or cloud and using a lean, inherently secure operating system (OS) on the endpoint can enable more secure access to apps and data. Moving Windows off the endpoint is the logical strategy now that cloud-based offerings such as Azure Virtual Desktop with Windows 365, and those from VMware and Citrix, are the virtualization standard for end-user computing. This also consumes less staff time, since it streamlines patching and other security updates across the entire endpoint environment, and it greatly reduces risk at the endpoint. A user, whether remote or on-site, can open their device, access data and apps in the cloud and minimize the chances of introducing a threat.
For optimal success, a Linux-based OS built for VDI, DaaS and digital workspaces can be structured as a modular, read-only and tamper-proof firmware base. This base won’t hold any business data for hackers to target as all data is stored in the cloud. A broad array of security-focused features in the OS can be designed to minimize exposure and deter attackers from infiltrating an organization through the endpoint.
Control Access to Endpoint Devices
Giving users what they need to be productive and controlling access to non-relevant apps will further limit the number of cyberattack vectors. IT teams can set policy controls retrievable from Microsoft Active Directory, for example, and also use OS access controls via a selection of integrated PKCS11 libraries that support multifactor authentication. This adds another layer of security to protect the enterprise, even in the event of loss or theft of the endpoint device.
Add Chain-of-Trust Processes
Chain-of-trust adds the next dimension to threat protection: a sequence of cryptographic signature verifications that ensures end-to-end integrity. It extends from the endpoint device to the digital workspace VDI host or cloud. In practice, every time a device boots, chain-of-trust ensures that none of the firmware and software in the startup sequence has been altered. If it detects a failure condition at any step, the end-user is alerted and IT can take appropriate action.
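The boot-time verification sequence described above, reduced to a small model, as an added example; this is illustrative code written for this article, not IGEL's firmware or any product's implementation. It assumes a root public key anchored in read-only storage (the "ROM" in the comments), and it models each startup stage as an image plus the public key that stage will use to check its successor, with both signed by the key of the stage before it. Stage names, image contents and the Ed25519 scheme are constructed for the demonstration; the point it shows is that an altered image anywhere in the sequence is caught at that exact step and nothing after it is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Stage is one link in the boot chain: the image that runs next, the public
// key that image will use to verify its own successor (nil for the final
// stage), and the signature the previous stage's key produced over both.
type Stage struct {
	Name      string
	Image     []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// signedMessage is what each stage's signature covers: image || next key.
// NextKey is always exactly 32 bytes or empty, so the concatenation is unambiguous.
func signedMessage(s Stage) []byte {
	return append(append([]byte{}, s.Image...), s.NextKey...)
}

// GenerateRootKey produces the root key pair. Its public half is assumed to be
// burned into read-only storage on the device; the private half never leaves
// the build environment.
func GenerateRootKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildChain signs each stage with the key of the stage before it; the first
// stage is signed by the root key. This is the build-side half of the model.
func BuildChain(rootPriv ed25519.PrivateKey, names []string, images [][]byte) ([]Stage, error) {
	if len(names) == 0 || len(names) != len(images) {
		return nil, errors.New("names and images must be non-empty and of equal length")
	}
	n := len(names)
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ { // one signing key per stage; stage i's key signs stage i+1
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	chain := make([]Stage, n)
	signer := rootPriv
	for i := 0; i < n; i++ {
		s := Stage{Name: names[i], Image: images[i]}
		if i+1 < n {
			s.NextKey = pubs[i]
		}
		s.Signature = ed25519.Sign(signer, signedMessage(s))
		chain[i] = s
		signer = privs[i]
	}
	return chain, nil
}

// VerifyChain walks the startup sequence from the ROM-anchored root key.
// It returns the index of the first stage that fails and an error describing
// it, or (len(chain), nil) when every stage verifies. Verification stops at
// the first failure, so no later stage is ever trusted or executed.
func VerifyChain(rootPub ed25519.PublicKey, chain []Stage) (int, error) {
	key := rootPub
	for i, s := range chain {
		if len(key) != ed25519.PublicKeySize {
			return i, fmt.Errorf("stage %d (%s): no valid verification key; halting boot", i, s.Name)
		}
		if !ed25519.Verify(key, signedMessage(s), s.Signature) {
			return i, fmt.Errorf("stage %d (%s): signature does not verify; halting boot", i, s.Name)
		}
		key = s.NextKey // hand trust to the next link only after this one checks out
	}
	return len(chain), nil
}

// Tamper returns a copy of chain in which one byte of stage i's image has been
// flipped, simulating an altered binary in the startup sequence.
func Tamper(chain []Stage, i int) []Stage {
	out := make([]Stage, len(chain))
	copy(out, chain)
	img := append([]byte{}, chain[i].Image...)
	img[0] ^= 0x01
	out[i].Image = img
	return out
}

func main() {
	rootPub, rootPriv, _ := GenerateRootKey()
	names := []string{"firmware", "bootloader", "kernel", "rootfs"} // constructed stage names
	images := [][]byte{[]byte("fw-v1"), []byte("bl-v1"), []byte("kernel-v1"), []byte("rootfs-v1")}
	chain, _ := BuildChain(rootPriv, names, images)
	n, err := VerifyChain(rootPub, chain)
	fmt.Println("clean chain:", n, "stages verified, err =", err)
	n, err = VerifyChain(rootPub, Tamper(chain, 2))
	fmt.Println("tampered kernel: stopped at stage", n, "-", err)
}
```

Replacing a stage's NextKey with an attacker-controlled key fails the same way, because that key is covered by the previous stage's signature; the only way to change any link is to hold the private key of the link before it, which is why the root key must live in read-only storage and its private half must stay off the device.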
Stay Vigilant
IT teams face another year of security challenges via endpoint devices. By taking a multi-layered approach to endpoint security, businesses can add to their threat defense and simultaneously reduce their overall attack surface. Using a lean, lightweight operating system that is inherently secure by design and moving Windows to the data center or cloud will go a long way toward stepping up security. Adding access controls, chain-of-trust verification and multifactor end-user authentication further reduces threats. These steps also reduce the amount of time and energy expended by IT to secure endpoints in the first place. We know 2022 will bring new attacks. This defense-in-depth strategy can help stop criminals at the endpoint source before attacks occur.
This article was written by Dan O’Farrell, Sr. Director of Product Marketing for IGEL, and first published in Security Boulevard.