Digital attackers are constantly looking for ways to infiltrate organizations' IT environments. One of the easiest modes of entry is for an actor to exploit a weakness in an endpoint, a network node which according to Dark Reading remains "the most attractive and soft soft target for cyber criminals and cyber espionage actors to get inside." Under the assumption security defenders aren't familiar with and don't update all of the devices installed on their organization's network, attackers look for vulnerable endpoints they can abuse to establish an initial foothold on the network. They can then leverage additional exploits to establish persistence and ultimately move towards their intended target. The way in which organizations protect against these types of intrusions has changed over the years. A decade ago, security practitioners needed a signature of what to look for in order to block attacks, so they primarily relied on signature-based anti-virus solutions and indicators of compromise (IoCs) to detect criminals accessing their networks. But hackers have grown creative and wise to corporate security teams' reliance on detection mechanisms, and they've learned to work around them by leveraging zero-day vulnerabilities and polymorphic, self-updating malware like Qbot. Security researchers have responded by adopting a new approach of their own. Referred to as endpoint detection and response (EDR), this new method operates under the assumption that attackers will infiltrate an organization's network. It enables professionals to leverage both IoCs and endpoint behavior to quickly detect any intrusion and reduce the damage caused by an attacker. To accomplish that aim, EDR systems deploy and actively manage six key security controls that help provide vital information about an organization's endpoints. Those controls are endpoint discovery, software discovery, vulnerability management, security configuration management, log management, and threat detection and response. Endpoint discovery is the first control because it's impossible for organizations to defend a piece of hardware if they don't know about it. As such, hardware and software management, license compliance, regulatory compliance, and security are all predicated on an organization's ability to maintain a running inventory of its endpoints. Security practitioners who wish to discover their organizations' assets should abide by the following three principles:
- Treat endpoint discovery as a process. It's impossible to find every asset all at once. Security personnel should instead break the job down into stages and begin with systems and processes that have known documentation.
- Leverage standardization to save time. By adopting standards like NIST, infosec practitioners will cultivate the ability to share endpoint information between tools in the future, which will augment the strength of their organization's security posture.
- Look for weaknesses. Security practitioners can't let an attacker know their IT environment better than they do. They need to constantly be on the lookout for weaknesses. That only works if an organization maintains an accurate list of its assets.
Those principles aside, endpoint discovery can be challenging. Some assets are spread out over segregated networks, while others (especially Industrial Internet of Things devices) don't use traditional IT protocols that can be easily identified by a scan. Even then, scanning IIoT devices can cause service interruptions, which means security personnel might need to resort to other modes of discovery to accurately inventory those endpoints. How can organizations overcome such impediments to endpoint discovery?
To help answer that question, Tripwire has published Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals. It's a resource that is designed specifically to help simplify the process of implementing and optimizing the six security controls for EDR. At a bare minimum, security personnel need to establish an endpoint baseline, or a reference of what constitutes "normal" behavior for each network node. That involves collecting information from existing records, including network maps and even sticky notes; scanning the network to find out what's actually on it; using passive discovery to map the endpoints; and reducing the accessible IP space to make sure the organization is using the fewest number of IPs possible. Interested in adding even more advanced endpoint discovery capabilities and enhancing the maturity of your security system? Download Tripwire's resource here.
