Last year’s abrupt transition to working from home shifted certain security objectives in order to protect all the new remote endpoints. And certainly, workers and devices that operate outside your network perimeter can be especially vulnerable to cyberthreats. But organizations should remember that they still have to fully protect their internal resources and systems at the same time. A report released Tuesday by security provider WatchGuard Technologies discusses the latest threats and offers advice on protecting your endpoints, both inside and outside your network.
As detailed in its latest Internet Security Report, WatchGuard discovered a significant drop in unique ransomware variants in 2020 versus 2019, likely because more of these types of attacks are targeted. At the same time, the firm spotted an 888% surge in fileless malware, which uses legitimate software to infect systems.
Fileless malware attacks have grown in popularity largely due to their ability to evade detection by traditional endpoint protection. Detecting and blocking a malicious script, for example, can be difficult to pull off without also blocking a high number of legitimate scripts. Toolkits like PowerSploit and Cobalt Strike allow attackers to inject malicious code into running processes and remain in operation even if the victim’s defenses identify and remove the original script, WatchGuard said.
Zero-day malware that skirts past signature-based protection increased dramatically in the last quarter of 2020, accounting for 61% of all malware. Cryptominers also surged last year, with unique variants rising to 850, a gain of more than 25% from 2019.
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections,” WatchGuard CTO Corey Nachreiner said in a press release. “The attacks are coming on all fronts, as cybercriminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter. Effective security today means prioritizing endpoint detection and response, network defenses and foundational precautions such as security awareness training and strict patch management.”
To protect all your endpoints against the latest cyberthreats, WatchGuard offers the following recommendations:
- Don’t get hooked. Phishing emails remain a common and increasingly effective infection path but there are plenty of ways to catch this type of threat with well-layered defenses. A DNS firewall can neuter links to hosted malware or command and control servers, anti-malware engines can detect the malicious payloads, and user training can help your employees avoid falling victim to the phish in the first place.
- Combat common web app threats. Directory traversal attacks continue to work against vulnerable web apps, giving attackers access to sensitive files on the server hosting a web service. Administrators can mitigate these threats by regularly updating their web application and server software and keeping their servers protected with intrusion prevention systems.
- Secure your Internet of Things (IoT) devices. While most organizations protect their computers with some type of firewall, many allow full access to IoT devices. Make sure you protect all devices on your network, especially IoT. Consider placing your IoT devices on a segmented network with carefully curated access control policies to only allow what each device needs. Further, be sure to monitor IoT connections with a stateful firewall and only allow access from trusted IP addresses.
- Keep your browsers up to date. Most cybercriminals are lazy, preferring to go after easy victims instead of expending time and resources on well-defended targets. One of the simplest ways to reduce your risk of attack is to keep your web browser and extensions up to date with the latest security patches. By patching known vulnerabilities, you reduce your attack surface to just social engineering and true zero-day flaws.
- Watch out for common malicious script delivery methods. Many common fileless malware threats start with a malicious PowerShell script. Treat unsolicited Office documents with suspicion and consider blocking macro-enabled documents entirely from external sources. You should also avoid opening email attachments from unknown sources to reduce the risk of accidentally executing a script.
- Don’t sleep on ransomware. Don’t think that the size of your organization will keep you out of the ransomware crosshairs. Every business has something of value that an attacker could hold for ransom. Try to establish a position where you would never have to give in to ransom demands. A strong, layered anti-malware defense paired with regular data backups is key. Also remember that a good backup is not just making one copy of data, as targeted ransomware actors look for your backups. Make multiple offline and online backups to be safe and secure.
- Deploy strong Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) defenses with zero trust capabilities. Make sure your endpoint protection actively monitors new and existing processes for suspicious activity. Fileless malware threats and supply chain attacks mean that it’s no longer enough to just scan downloads that reach your storage devices. Your endpoint security needs to actively watch for other applications that attackers may have compromised.
- Audit your permissions. Be aware of the level of access you give to applications and cloud services. Grant the least level of privileges required for the application to function to help limit the damage in the event of a cyberattack. All of the recent high-profile breaches involved cybercriminals obtaining elevated permissions. Limiting the ability of attackers to obtain those permissions can go a long way toward curbing the impact of a successful breach.
- Secure your deployments. As you deploy new infrastructure, take time to consider what level of network access you give it. Never expose resources to the internet that are not designed and hardened for public exposure. Instead, use a VPN or a clientless VPN access portal as an additional layer of authenticated protection.
- Vet the security of supply chain partners. When the companies with which we partner and trust the most become the root vector of a breach, we have to reconsider how we protect our own organizations. Use EDR products to catch malicious code, even post-execution, offering you a chance to trap an infection even if some seemingly legitimate software gets installed. Limit the permissions of special accounts used for cloud services or third-party products. Finally, always configure limited access controls to third-party products and services, just offering the bare minimum access for the integration to work.
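The "common web app threats" item above names directory traversal without showing what the server-side defect looks like. The following is an added example, not code from the article or from WatchGuard: a file-serving helper written the unsafe way beside its hardened form. The function names, the throwaway web root and the `secret.txt` file are all constructed for illustration; the fix is the standard one of resolving the requested path and confirming it still lies under the document root before reading it.

```python
"""Added example (not from the article or the WatchGuard report): a vulnerable
static-file handler next to one that rejects directory traversal.
All paths and file contents below are constructed for illustration."""
from pathlib import Path
import tempfile


def serve_file_unsafe(root: str, requested: str) -> bytes:
    # Vulnerable: user input is joined straight onto the document root.
    # ".." segments walk out of root, and an absolute path replaces it entirely.
    return (Path(root) / requested).read_bytes()


def serve_file_safe(root: str, requested: str) -> bytes:
    root_path = Path(root).resolve()
    # Resolve symlinks and ".." segments, then check containment on the result,
    # not on the raw string (string prefix checks miss symlinks and "..").
    target = (root_path / requested).resolve()
    try:
        target.relative_to(root_path)
    except ValueError:
        raise PermissionError(f"path escapes document root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway web root with one public file and one file outside it,
    then exercise both handlers. Returns the observed outcomes."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "www"
    webroot.mkdir()
    (webroot / "index.html").write_bytes(b"<h1>public</h1>")
    (base / "secret.txt").write_bytes(b"db_password=hunter2")  # constructed, outside root

    results = {}
    results["safe_ok"] = serve_file_safe(str(webroot), "index.html")
    # The unsafe handler happily returns a file from outside the web root.
    results["unsafe_leak"] = serve_file_unsafe(str(webroot), "../secret.txt")
    # The hardened handler refuses the same request.
    try:
        serve_file_safe(str(webroot), "../secret.txt")
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    # An absolute path is the other classic form; pathlib discards root when joining it.
    try:
        serve_file_safe(str(webroot), str(base / "secret.txt"))
        results["absolute_blocked"] = False
    except PermissionError:
        results["absolute_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check runs on the resolved path because the file system, not the string, decides what `..` and symlinks point at; this is also why patching the web server and framework matters, since the same logic has to hold in every code path that touches a user-supplied file name. An intrusion prevention system in front of the app catches the request patterns that reach it, but the resolve-then-compare check is what makes the application itself safe.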
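The "malicious script delivery methods" item suggests blocking macro-enabled documents from external sources. As an added example (not code from the article or from WatchGuard) of what such a mail-gateway policy has to check, the screening function below looks at both the file extension and the document's contents: Office OOXML files are zip archives, and VBA macros are stored in a `vbaProject.bin` part, so a macro-bearing file renamed to a non-macro extension is still caught. The verdict names, the extension sets and the in-memory sample documents are constructed for this example.

```python
"""Added example (not from the article or the WatchGuard report): attachment
screening that blocks macro-enabled Office documents from external senders.
The verdict strings, extension sets and sample documents are constructed."""
import io
import zipfile

# OOXML extensions that Office treats as macro-enabled.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".sldm"}
# Legacy binary formats can embed VBA but cannot be inspected with zipfile;
# this example quarantines them when they come from outside rather than parsing OLE.
LEGACY_BINARY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip (OOXML) archive containing a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip, so not an OOXML document


def attachment_verdict(filename: str, data: bytes, external_sender: bool) -> str:
    """Return 'allow', 'quarantine' or 'block' for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Content check first: a renamed .docm still carries its macro part.
    if has_vba_project(data):
        return "block"
    if ext in MACRO_EXTENSIONS:
        return "block"
    if ext in LEGACY_BINARY_EXTENSIONS and external_sender:
        return "quarantine"
    return "allow"


def make_ooxml(part_names) -> bytes:
    """Construct a minimal zip with the given part names (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in part_names:
            zf.writestr(name, b"<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_ooxml(["[Content_Types].xml", "word/document.xml"])
    with_macro = make_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
    for name, payload in [("report.docx", clean), ("invoice.docm", clean),
                          ("invoice.docx", with_macro), ("old.doc", b"\xd0\xcf\x11\xe0")]:
        print(name, "->", attachment_verdict(name, payload, external_sender=True))
```

Checking the archive contents rather than trusting the extension is the part that matters: the extension is chosen by the sender, the `vbaProject.bin` part is not. Legacy `.doc`/`.xls` files need an OLE parser to inspect properly, which is why this example routes them to quarantine instead of guessing.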