Tales From the Road: What Effective Endpoint Security Looks Like

Could your endpoint security stand up to a ransomware attack?

Endpoint security is one item on a long list of protections your organization should have in place to protect against today’s malicious actors – but simply having endpoint security and having effective endpoint security are two very different things.  

One of our clients, a large financial institution, serves as a perfect example of what effective endpoint security looks like. We conducted a breach assessment and ransomware simulation at the organization – and we met our match. The financial institution had an impressively hardened standard Windows workstation build along with highly effective endpoint security controls.  

Keep reading to learn what a quality, well-configured endpoint protection solution looks like, especially when coupled with effective system hardening steps and routine patching.

Bolstering Security for a Remote Work Environment 

As remote work continues for many employees across the world, evaluating and tightening security is quickly climbing to the top of the priorities list for organizations.  

With our client’s workforce largely remote, they wanted us to simulate a ransomware attack and identify vulnerabilities within the internal network. Our assignment was to try to run known strains of ransomware on a locked-down, highly-restricted Windows 10 desktop environment, and attempt to encrypt files stored on a network file server. In both cases, we were met with a significant challenge in the form of well-configured endpoint protections. 

If at First You Fail… Try, Try Again  

Wondering what happens during a ransomware attack when endpoint security protections are well-configured? We’ll tell you.  

In our first attempt to run known strains of ransomware, all were immediately detected and blocked.  

In our second attempt, we uploaded more than 2,000 files of dummy data onto a network file server and tried to encrypt them using a PowerShell script. Again, no luck – and that’s a scenario we rarely encounter.  

Endpoint protections: 1, DirectDefense: 0.  

But we weren’t done trying.  

After a full day of trying to run the encryption script, we had the organization’s team whitelist it so it could be placed on the desktop and executed. Only then were we able to proceed with identifying vulnerabilities – controls on the file server failed to detect the file encryption activities once we successfully ran them, indicating a need for stronger controls on the file server as well as monitoring and alerting solutions.  

Our attempt at simulating a ransomware attack demonstrates what an effectively-configured endpoint security solution looks like. If every organization configured their endpoint protections this well, ransomware would be in for a big surprise. 

7 Ways to Elevate Your Endpoint Protections 

You too can have effective endpoint security. Here are 7 things you can do to strengthen the endpoint protections you currently have or consider implementing for greater protections going forward.  

  1. Proper Configuration. Endpoint security software doesn’t come out of the box ready to go and takes quite a bit of time and effort to properly configure and tune. Don’t cut corners here. Work with an information security and managed services firm that understands your environment inside and out and can ensure your endpoints can stand up to even the strongest modern attacks.   
  1. Patch Management. Stay up to date on all Microsoft Windows patches, which prevents bad actors from exploiting recent vulnerabilities or escalating privileges within your environment.  
  1. System Hardening. Further minimize your attack surface by performing system hardening techniques such as: encrypting the drive that stores and hosts the OS, removing any unnecessary programs and drivers, and leveraging built-in Windows security “guards”. Additionally, you should enable “detailed file share” auditing so logs are created, allowing your SOC to generate alerts based on basic file share usage in the event that your endpoint fails to detect the ransomware attack. Utilize a security benchmark, such as CIS, to further aid in this process. 
  1. Escalation Controls. You should limit system access permissions and authentication processes, and restrict privileges, which prevents malicious actors from escalating to higher-privileged accounts and accessing system data.  
  1. Egress Filtering. Devices within the internal network should not have unrestricted outbound communication to other systems on the Internet, as an attacker could use that communication ability to facilitate the download of additional tools to use in other attacks or to exfiltrate data from within your internal network. All communication should go through a proxy that understands the outbound protocol to ensure that attackers do not tunnel an unexpected protocol via a whitelisted port. In addition, HTTP/HTTPS traffic should be inspected, and web content filtering should be performed to prevent or limit users from downloading/uploading arbitrary files over the Internet. 
  1. Command Execution. Remove command execution access from employees without the proper authorization, such as via cmd.exe or PowerShell, which prevents attackers from being able to run a variety of attack vectors to access passwords or escalate privileges. 
  1. File Server Protections. Even if your endpoint protection is strong, you should still have ransomware protections built into your file servers that will alert, detect, and block unauthorized activity such as file encryptions.  

What About Other Attacks? 

Because ransomware isn’t the only type of attack organizations have to worry about and protect against, we conducted a breach assessment for our client on two unique desktops.  

This type of assessment is useful for companies to perform because it allows us to test from the standpoint of an assumed breach, which answers two vital questions:  

  1. What could an attacker get away with once inside your network? 
  1. Is your organization well-positioned to respond? 

If you think your internal network is secure, here’s what we were able to do when we were given remote access to a Windows desktop environment with slightly more permissions than we had during the ransomware simulation. 

This desktop environment also allowed access to PowerShell, which contains tools and functionalities attackers can use to run various attacks.  

We successfully performed a Kerberoasting attack, which gave us access to hashed passwords of service accounts and other privileged accounts. Any attacker worth their salt would be able to crack those passwords, if weak enough, and potentially gain access to sensitive company and customer data, which can lead to dire financial and reputational consequences for organizations.  

Get Breach-Protected 

Don’t leave your company data or your customers’ data vulnerable to an attack. Once an attacker is able to breach your internal network, the sky might be the limit to what they can do, depending on the extent of your security protections.  

Here are 4 ways you can better protect your organization from a breach: 

  1. Enforce strong password policies for service and other privileged accounts: 25 or more characters, complexity requirements, and periodic expiration 
  1. Enable stronger encryption algorithms for Active Directory accounts, such as replacing RC4 with AES 
  1. Limit service accounts to minimal required privileges and disable interactive and remote interactive sessions for them unless absolutely necessary 
  1. Configure your SIEM to properly detect and alert unauthorized or suspicious activities 
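As an added example (not the client's controls and not DirectDefense's own tooling), this Python script sketches two SIEM-style detections that the hardening list above and the breach recommendations both call for: a burst of file writes on a share, drawn from Detailed File Share audit events (Windows Security event 5145), and a spray of RC4-encrypted service ticket requests (event 4769) of the kind a Kerberoasting run produces. The event records are constructed samples, and the field names, window and thresholds are assumptions to be tuned against real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records, not real logs. 5145 = Detailed File Share object
# access (emitted once that audit subcategory is on); 4769 = service ticket request, enc 0x17 = RC4.
T0 = datetime(2023, 5, 1, 9, 0, 0)
EVENTS = []
for i in range(3):   # alice: ordinary editing, three writes spread over an hour
    EVENTS.append({"id": 5145, "t": T0 + timedelta(minutes=20 * i), "user": "alice",
                   "access": "WriteData", "path": f"report{i}.docx"})
for i in range(40):  # mallory: 40 writes in 40 seconds, the shape of bulk encryption
    EVENTS.append({"id": 5145, "t": T0 + timedelta(seconds=i), "user": "mallory",
                   "access": "WriteData", "path": f"doc{i}.xlsx.locked"})
EVENTS.append({"id": 4769, "t": T0, "user": "bob", "enc": "0x17", "spn": "MSSQLSvc/db01"})
for i in range(12):  # eve: RC4 tickets for 12 distinct SPNs inside 12 seconds
    EVENTS.append({"id": 4769, "t": T0 + timedelta(seconds=i), "user": "eve",
                   "enc": "0x17", "spn": f"HTTP/app{i:02d}"})
for i in range(12):  # carol: same pattern but AES256 (0x12) tickets, not cheaply crackable
    EVENTS.append({"id": 4769, "t": T0 + timedelta(seconds=i), "user": "carol",
                   "enc": "0x12", "spn": f"HTTP/app{i:02d}"})

def bursts(events, key, window=timedelta(seconds=60), threshold=10):
    """Map key -> peak count, for keys with >= threshold events inside any sliding window."""
    times = defaultdict(list)
    for e in events:
        times[key(e)].append(e["t"])
    hits = {}
    for k, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1  # slide the left edge until the window fits
            if hi - lo + 1 >= threshold:
                hits[k] = max(hits.get(k, 0), hi - lo + 1)
    return hits

def file_encryption_suspects(events, threshold=10):
    """Users modifying many share files within a minute: a file-server ransomware signal."""
    writes = [e for e in events if e["id"] == 5145 and e["access"] in ("WriteData", "DELETE")]
    return bursts(writes, key=lambda e: e["user"], threshold=threshold)

def kerberoast_suspects(events, threshold=10):
    """Accounts requesting RC4 service tickets for many distinct SPNs within a minute."""
    distinct = {}
    for e in events:  # keep only the first RC4 request per (user, SPN) pair
        if e["id"] == 4769 and e["enc"] == "0x17":
            distinct.setdefault((e["user"], e["spn"]), e)
    return bursts(list(distinct.values()), key=lambda e: e["user"], threshold=threshold)
```

On the sample data only mallory trips the file-write burst and only eve trips the RC4 ticket spray; bob's single legacy RC4 ticket and carol's AES tickets stay quiet, which is the point of moving accounts from RC4 to AES.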

Read More: Learn the anatomy of a password attack 

It’s Time to Review Your Endpoint Security Protections 

Our inability to gain significant – or any – access in both our breach assessment and ransomware simulation demonstrates the importance of quality, well-configured endpoint protection solutions, effective system hardening steps, and routine patching to close gaps and reduce your attack surface.  

Be like our client and master endpoint security and Windows hardening configuration. The right protections can make an incredibly significant difference, and you don’t want to wait for a successful breach or ransomware attack to realize how important this security actually is.  

Putting the time and effort into your security protections always pays off.  

Take stock of how secure your organization is from malicious attackers. Contact us today.
