Endpoints and Endpoint Detection: Importance & Risk Mapping

“Secure the endpoints!” This battle cry can sound like a meme, sure, but it also highlights arguably the most important part of modern cybersecurity today: are we securing the endpoints?

A compromised network is likely to leave traces of anomalous and unauthorized activities that originate from network endpoints. Such endpoints can include, but definitely are not limited to:

• Computing devices
• IoT sensors
• Smartphones 
• M2M connected machines

Critically, network endpoints also serve as the initial targets in cyberattacks — a break here eventually breaks through more sophisticated defense mechanisms.

For example, a hacked smartphone with escalated access privileges can break through multiple layers of data security and privacy defense systems until a suspicious activity is discovered on the approved endpoint device.

So, let’s look at the process of detecting and monitoring these endpoints, the first step towards endpoint security.

What is endpoint detection?

To be clear, endpoints are physical devices that share information with a computer network. Pretty much anything can be an endpoint: mobile devices, computers, virtual machines (VMs) and servers. If it’s part of the IoT, it’s also an endpoint.

So, endpoint detection is the process of monitoring and analyzing the behavior of endpoint devices for malicious behavior in a network environment. It involves two key pieces:

• Continuous real-time analysis of data traffic transmitted between the network endpoint and the backend servers (plus historical trends).
• Relevant environment parameters such as access protocols and logs data.

An Endpoint Detection and Response (EDR) system analyzes the aggregated information for potential cyber threats. An integrated Security Information and Event Management (SIEM) tool acts on the incidents triggered by the EDR system to contain the damage by isolating compromised network zones, revoking access to sensitive data and triggering alerts to the concerned InfoSec teams.

(See how Splunk’s SIEM goes far beyond EDR triggers for cybersecurity that is modern, unified and resilient.)

The importance of endpoint detection in cybersecurity

Endpoint detection plays a key role in cyber kill chains. The CKC model proposed by Lockheed Martin outlines seven stages of a cyber-attack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives

Endpoints are involved from the third stage, Delivery, all the way through to the final stage of Actions on Objectives.

This makes endpoint detection an essential element of your cybersecurity defense mechanism: Indeed, endpoints are THE place where cybercriminals actively engage to extract and compromise data at the network edge — and to override cybersecurity defense systems.

The risk of endpoints, CKC-mapped

Here’s how endpoint detection can help mitigate risks at different stages of the cyber kill chain:

Phase 3. Delivery

This stage follows the reconnaissance and weaponization stages where a target is evaluated, identified and an attack vector is prepared for execution. At the Delivery stage, the attack is launched by practically engaging with a network endpoint device.

Cybercriminals may use social engineering to either acquire control of a user account running on an endpoint device or compromise a system vulnerability in the device.

(See how social engineering attacks work.)

Phase 4. Exploitation

The attack vector in the form of a malicious payload, for instance, is spread through the network by either:

• Exploiting multiple devices with similar vulnerabilities.
• Gaining access to all devices approved for a compromised user account. 

Phase 5. Installation

Once the malicious payload has reached the servers, it is installed and allows intruders to gain full control of the network environment. At this stage, endpoint devices serve two important purposes:

• Threat persistence at the network edge.
• Monitoring for security defense measures that would allow the victims to regain control of the compromised network endpoints.

Phase 6. Command & Control

The endpoint devices are also used as part of the Command and Control (C&C or C2) initiatives, such as:

• Coordinating attack to the wider network.
• Spreading malware.
• Sending false and manipulated communication protocol packets.
• Generating incident logs that hide the true activities performed by cybercriminals.

(Read all about command & control attacks.)

Phase 7. Actions on Objectives

The final stage actively involves endpoint devices in actions such as data exfiltration, service disruption, data manipulation as well as exposing unauthorized access and controls of system resources.

Defending against cybercrime

Now, let’s review endpoint detection from the opposing perspective: defending against cybercrime. Since the network edge is the first line of attack on the cybercrime battleground, you can take several measures to make your defense stronger:

Understand the human element

Adopting cybersecurity guidelines is not always a straightforward process. For instance, the insider threat is responsible for 95% of all cybercrime incidents, but not all responsible insiders intend to harm the organization. Lack of awareness, negligence and falling prey to clever social engineering ploys is the main reason behind their role in facilitating a cyber-attack.

Fortunately, advanced AI based endpoint detection tools allow InfoSec teams to identify this behavior proactively.

Understand the TTPs

Cybersecurity teams can use their network endpoints as rabbit holes to draw interest from cybercriminals engaging with them at the Reconnaissance stage of the Cyber Kill Chain.

Since the actions of adversaries at this stage are authorized, albeit with a malicious intent, security alarms are not raised until a suspicious action takes place. By running some endpoint devices as a honeypot, InfoSec teams can analyze and determine the Tactics, Techniques and Procedures (TTPs) of the attack, before it is even launched.

Understand the impact in real time

Data from multiple endpoint devices can be fused together and analyzed in real-time. Technologies such as data lake are designed for such use cases, where structured and unstructured is ingested continuously. Required portions of real-time data streams are then preprocessed and analyzed for anomalous behavior.

At the same time, AI systems continually learn from new information. The resulting control actions can be triggered remotely: Endpoint Detection and Response systems monitor for such remote dynamics and trigger security alerts and controls based on the real-time behavior of endpoint devices.