Endpoint security is a hot topic of discussion, especially now with so many businesses shifting to remote work. First, let’s define what endpoints are. Endpoints are end-user devices like desktops, laptops, and mobile devices. They serve as points of access to an enterprise network and create points of entry that function as gateways for malicious actors. Since end-user workstations make up a huge portion of endpoints, we’ll be focusing on their security.
The pyramid of endpoint security
The above illustration depicts that endpoints are essentially virtual gateways to apps, services, and data on a user system. If exploited, endpoints can be used to gain access to other workstations and even the privileged servers and users of your organization.
Let’s look at a few scenarios of an endpoint compromise that could lead to a potential security incident.
-
Establishing access to the endpoint
First things first: How do malicious actors obtain access to endpoints? The pandemic has forced many of us to adopt remote work. While working from home (WFH) has noteworthy benefits for employees and organizations alike, it poses a number of risks for network security. We had to relax a lot of security restrictions to enable the transition to WFH. Below is an example of how attackers target port 3389, commonly used for remote connections.
Some organizations use virtual private networks (VPNs), which are used to create secure connections to a network (especially remote connections). But dozens of malware variants from multiple hacking groups are turning their attention to vulnerabilities in VPN applications. Do you monitor the incoming traffic through your VPNs, changes in VPN configurations, or sources of VPN logons? If not, now’s the time to start.
Yet another disturbing trend is the Microsoft 365 macro attack, carried out using Microsoft 365 documents that carry malware. From their own server, an attacker can use a built-in command line tool, like PowerShell or Terminal in Linux, to create a malware-ridden Office macro and trick users into opening the macro via phishing attacks. For example, the attachment could have malware embedded that captures users’ password hashes and transfers them to a remote server.
Now that we have an idea of how threat actors compromise endpoints, let’s see how attackers can establish persistence in an endpoint or gain access to data, other endpoints, or privileged servers and users.
-
Privilege escalation with enterprise-critical apps and services running on an endpoint
Most services that run on a Windows endpoint use a predefined local system account. If an attacker gains access to the endpoint via a local system account, they also gain the privileges required to check for critical services that run with local system rights and modify their permissions to gain access to business-critical data.
In some cases, attackers may point the binary of the service to a script or app they wish to execute with local system privileges.
An attacker may not always target vulnerable services via a local user account; sometimes, a user account configured to run a specific service may have unwanted privileges, which can be exploited by the attacker. This applies to Linux systems as well.
While exploiting misconfigured apps and services is one option, attackers can also introduce malicious apps that launch malware once installed. Attackers often leverage MSI files, also known as Windows installer files, to bypass restrictions set by the administrator of the network.
For instance, if Windows Command Prompt or PowerShell is blocked by the admin via AppLocker rules, attackers can still use malicious MSI files to bypass the rules. Note how the MSI file is disguised as a PNG file; this helps attackers remain undetected.
MSI files can also be used to introduce backdoor changes to the network; for example, to add new users to privileged groups in Active Directory like the administrators group.
You can always disable the installation of MSI apps via Group Policy, but bear in mind there are many ways attackers can install malicious apps and services. The only true solution lies in monitoring the installation of suspicious apps and processes across all your endpoints.
-
Access to business-sensitive data from an endpoint
With local-user access to an endpoint, an attacker can access all the locally stored data in files and folders. However, with a legitimate network user account, the attacker can gain access to data shared with network users (via network shares). We discussed several ways attackers can capture network user passwords in the section above. Now, let’s look at another technique attackers use to capture network user passwords with local access to an endpoint.
Tools like Mimikatz can be used to extract passwords stored in the memory of endpoints. But many network admins are on to this attack method, and tools like Mimikatz have been blocked by antivirus solutions and Windows Defender.
The image above shows a technique with which an attacker can create a memory dump of the Local Security Authority Subsystem Service (LSASS) process in Windows endpoints, transfer the file to their own server where tools like Mimikatz can run without restrictions, and extract passwords from it. The more user passwords they gain access to, the more access to endpoints and data they gain as well.
It’s also important to note that data can be copied from privileged servers onto an endpoint, and the endpoint can eventually be used as a data exfiltration medium via USB drives, remote servers, email, cloud storage, and more. The endpoint can also be used to corrupt and block access to critical business data—in other words, to carry out a ransomware attack. The attacker could place a malware-infected document in a share accessed my many users and leverage the end users as carriers to propagate malware, having them infect their own workstations.
“Termination List.” Pretty clickbait-y, right?
-
Access to other endpoints from a compromised endpoint
Apart from the techniques mentioned above, a common mistake is that in networks, a single local administrator account is used to configure endpoints. The issue is that the local admin password is reused in endpoints, so local admin access to one endpoint could mean access to other endpoints.
Microsoft Local Administrator Password Solution (LAPS) is a free solution that can be leveraged to rotate local admin passwords at a healthy frequency and ensure password strength. But exercise caution about its security capabilities before you deploy it in your network; for example, LAPS stores passwords in an AD attribute, in plaintext, which is a prime target in credential stealing attacks.
It’s also possible to extract passwords from the system hibernation files (hiberfil.sys) and virtual memory (VMEM) files of virtual machines. You can also extract the password hashes of local Windows users, including built-in administrator accounts.
Similarly in Linux machines, Linux passwords are stored in the /etc/passwd file in cleartext in older systems and in the /etc/shadow file in hash form in newer systems. We don’t want to give hackers any ideas, but just know that it’s possible to gain access to the passwords in these files, even with non-admin access to a Linux server.
-
Monitoring every single change on your endpoints is essential
Assume an endpoint is infected with malware. The malware may establish itself in genuine OS-approved locations in the endpoint to avoid detection. For instance, inside registry keys or alternate data streams. The malware may even create new processes, or stop existing ones.
Below is a video simulation of an infected attachment, which, when run on an end user’s system, establishes itself in the registry as a scheduled task. The malware variant is a keylogger that records the user’s key presses and takes periodic screenshots of the victim user’s system.
Endpoints can also be broken into via system vulnerabilities, which are essentially bugs that haven’t been patched yet by the vendors of the OS or application, or a critical patch by the vendor that hasn’t been applied yet by the organization. Vulnerabilities come in many forms, for instance, the vulnerabilities that let users execute code using admin privileges, bypass security features, or execute root and admin commands as a non-privileged user. It’s always better to keep yourself updated on critical fixes and patches, and keep an eye on your servers for vulnerability exploitation.
Security auditing to protect your endpoints from security attacks
Persistent security change monitoring and tracking is the only way to detect unusual activities across your endpoints. Remember, a simple activity like a user logging in to a network from their endpoint after work hourscould be a potential security threat.
Let’s observe examples of a few security logs and the difficulties administrators and security analysts might face while working with them.
Both Windows and Linux endpoints record security events in the form of audit logs and it’s crucial to analyze these logs to discover security anomalies. Sometimes, you may have to correlate logs produced at different times across various components in servers to truly understand the underlying context.
Most admins forward Windows event logs or Linux syslogs from various endpoints to a central server to collect, monitor, and analyze them. This complicates things further.
It’s important to note that while collecting and configuring logs is fairly straightforward, it’s more about:
-
Reading and understanding the security events that are logged.
-
Filtering and sorting techniques to find particular events.
-
Correlating and combining events to derive the underlying meaning.
-
Prioritizing and alerting on critical security events across endpoints.
The four parameters above will help you discover any sensitive or suspicious activities across your endpoints and mitigate any threats before they turn into full-scale security incidents.
Visit our “IT security under attack” page to learn more about the various ways your endpoints can be exploited as potential points of intrusion into your network. Looking for a simpler way to audit not just endpoints but every server in your network? Let us know in the comments below!