All of your organization’s security controls help reduce the chance for breach, but the rubber meets the road almost exclusively on 2 pieces of your organization’s protection: Endpoint Security and Email Security. Around 90% of the breaches I see are ultimately because of compromised email or compromised endpoints. Obviously, this is not based on studies, but on what comes across my desk as part of the medical industry. All of the other controls are critical and certainly reduce the amount of work done on the endpoint, but ultimately their role is to support these 2 items. The key takeaway? Layers, even on the endpoints themselves. I know it sounds simple, but it is quite difficult to fine-tune all of the components without impacting your business, especially in a complicated environment. Here is a sample case study that helps illustrate the importance of multiple layers on your endpoints:
In a large environment, WannaCry can be inserted into the network via non-corporate infected device plugged into the network. This could be a replacement device purchased off the shelf (Lenovo anyone?), a salesperson that plugged their laptop into the network for a presentation, a 3rd party hired to do internal work and brings their diagnostic laptop, etc. This bypasses all perimeter controls such as your email gateway and perimeter firewalls and puts the threat internal right now. WannaCry immediately begins attempting to infect machines that it can reach. WannaCry is a 2-phase ransomware. Phase 1 exploits a Microsoft vulnerability dubbed EternalBlue (aka MS17-010) which then implements DoublePulsar, a backdoor tool to install and execute a copy of itself. Thanks, NSA. It then attempts to continue to spread laterally using network shares as well as with the MS17-010 exploit. Phase 2 is activation. WannaCry attempts to find a particular domain name. If it finds it, it stays in Phase 1. If it does not, it activates Phase 2 and begins encryption and notification.
Major endpoint security vendors use multiple components that are vital in preventing infection and identifying unknown devices that have been exploited and are now attacking your other assets. These are the endpoint protection components and their role, from the first line of prevention down to the last line of defense. I have indicated the product name or feature for McAfee and Symantec since they are the biggest players. In this case study, Symantec was deployed but I believe these are accurate for McAfee:
- SEP Intrusion Prevention System or McAfee Host Intrusion Prevention: This would have prevented both styles of spread from running on any machine whether it was patched with the MS17-010 patch or not. It simply would not have run on the target machine
- SEP Firewall or McAfee ENS Firewall: If you have configured firewall rules to block lateral movement (i.e. workstation to workstation sharing) then this slows infection tremendously. In this case, the only way to infect would be if the machine were unpatched against MS17-010 and had no IPS
- SEP SONAR or McAfee ENS TP (behavior-based defenses): On machines that had no IPS, SONAR would detect and prevent the DoublePulsar attempt, so while a machine may still not be patched WannaCry was prevented from spreading to that machine
- SEP basic AntiVirus and McAfee ENS TP: For systems without IPS, Firewall, or Behavior-based defense, DoublePulsar would succeed in creating the copy of WannaCry on the machine, but the AntiVirus would detect the file and delete it
With basic AntiVirus, machines were still exploited and malware dropped, but it was cleaned before it could run. The SOC had no visibility into what machines it couldn’t see (i.e. non-AV installed machines: the attackers), which made it very difficult. For those machines with layers to provide good attacker info, it was trivial to get a tech to install SEP and be back in production. Because of the extra layers, this was a fairly simple issue. Without them, it would have been a far longer and costlier effort, and with extra time there is extra opportunity for Phase 2 to activate if someone goes off-network and that machine can no longer find the DNS record.