threat

Article 01.24.2023 Dean Dorton

It’s late at night the day before an important deadline. You are rushing to complete a project that you have been diligently working on for months. You run into a snag and run a quick Google search for some software to help you complete your task. You find some software and click download. The next thing you know, your computer is frozen by a virus. You notice a particular name that seems odd, so you run another Google search from your phone and discover it is a new strain of malware and that the best course of action is to reinstall your operating system. All the hard work you have put in is gone, as the latest changes to the project were not saved. You think to yourself, “What could I have done differently? I have an antivirus program installed on my machine, why was this not caught?”

The harsh reality is that standard antivirus programs are not enough in today’s threat landscape.

In order to adequately protect oneself at an enterprise level, one needs an Endpoint Detection and Response (EDR) tool.

Why is my Antivirus Not Enough?

Most traditional AV providers use signature-based detection to prevent malware from being installed on your machine. This means the product identifies a file by a unique pattern or by its hash (a fixed-length fingerprint of numbers and letters computed from the file’s contents by a mathematical algorithm). For a more in-depth explanation of hashing, read this SentinelOne article. For a while this type of detection worked, because new signatures could continuously be generated for files and blocked, but as always the threat actors adapted: they began heavily obfuscating their code so that the hash of the repackaged file no longer matched its unobfuscated counterpart, letting it bypass AV solutions entirely.

What is EDR?

EDR stands for Endpoint Detection and Response. It’s the current generation of protection for endpoints (you may also have heard of XDR, which is an attempt to expand the capabilities of EDR, but frankly that product is in its infancy). EDR allows cybersecurity and IT professionals not only to identify threats but also to respond to them. These solutions constantly gather telemetry data from endpoints and, rather than relying on signature-based detection, use a heuristic (or behavioral) approach. They don’t focus on the hash of a file or on whether the file is unique to the device; they monitor how the file behaves to determine whether it’s malicious. A good example is a spreadsheet sent over email with macros enabled. The spreadsheet itself may not be malicious, but what if the macro is? The EDR solution detects the behavior, and the analyst is able to respond. These solutions are also continuously enriched with the latest threat intelligence, which is essentially a digestible version of the latest threats, threat actors, and their various tactics. Threat actors are often creatures of habit and follow a specific set of steps in each cyber-attack; the EDR solution gathers this intelligence and incorporates it into the platform. EDR products also generally include some sort of proactive threat hunting component, actively seeking out potential threats rather than waiting for them to become active.
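To make the contrast between the two sections above concrete, here is a small added example (not code from Dean Dorton or from any EDR product): a hash blocklist misses a sample that has been changed by a single byte, while a behavioral rule over constructed process telemetry still fires on the macro-spawns-a-shell pattern the article describes. The sample bytes, process names and rule names are all constructed for illustration.

```python
import hashlib

# Constructed sample: a "known" file and a trivially re-packed variant
# (one byte appended). Neither is real malware.
KNOWN_BAD = b"echo pretend-this-is-a-dropper"
VARIANT = KNOWN_BAD + b"\n"

# Signature-based AV: a blocklist of SHA-256 hashes of known samples.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_verdict(data: bytes) -> bool:
    """True if the file's hash is on the blocklist (traditional AV)."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


# Behavioral (EDR-style) rules: judge what a process does, not what it
# hashes to. Each telemetry event is (process, parent_process, action).
OFFICE_APPS = {"excel.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def behaviour_verdict(events: list[tuple[str, str, str]]) -> list[str]:
    """Return the names of the rules that fire on a telemetry stream."""
    fired = []
    for process, parent, action in events:
        # Rule 1: an Office application launched a command shell
        # (the "spreadsheet with a macro" case from the article).
        if action == "start" and process in SHELLS and parent in OFFICE_APPS:
            fired.append("office-app-spawned-shell")
        # Rule 2: that shell then reached out to the network.
        if action == "network-connect" and process in SHELLS:
            fired.append("shell-made-network-connection")
    return fired


# Constructed telemetry: a spreadsheet opened from email runs a macro
# that starts PowerShell, which then makes an outbound connection.
MACRO_EVENTS = [
    ("excel.exe", "outlook.exe", "start"),
    ("powershell.exe", "excel.exe", "start"),
    ("powershell.exe", "excel.exe", "network-connect"),
]
# Constructed benign telemetry: a spreadsheet opened from the desktop.
BENIGN_EVENTS = [("excel.exe", "explorer.exe", "start")]
```

The hash check catches only the exact known sample, while the behavioral rules fire on the macro telemetry and stay quiet on the benign stream regardless of which file was involved.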

Why Does Any of this Matter?

A natural thought is: how does this apply to my company and me? The fact is that threat actors are continuously evolving. They are finding new and creative ways to breach environments, and you and your business are no exception. This ingenuity creates a headache on the defensive side, as we are often playing a cat-and-mouse game to stay ahead of attackers. A good EDR solution helps to bridge that gap. Instead of an analyst spending their day perusing threat intelligence feeds to gather malicious hashes to input, they can spend their time on other important security tasks, such as vulnerability management.

Another key takeaway is that no tool is a magic bullet. The people who use the tool are just as important as the tool itself. Without proper training, alerts could go unnoticed or be inadvertently marked as false positives when they are in fact legitimate threats. Any tool (especially EDR) is only as effective as its wielder. Keep that in mind as you consider an EDR solution.

Within cybersecurity, if you are not evolving, you are dying.

A traditional AV solution is not good enough in 2023. If you are concerned about your current cyber security posture and would like to discuss with Dean Dorton’s Cyber Security Professionals, feel free to reach out using the contact information below.

Jordan Johnson | Cyber Security Consultant
jjohnson@ddaftech.com
859.425.7659

Filed Under: Cybersecurity, Services Tagged With: antivirus, Cyber, Cybersecurity, EDR, security, threat, virus

Article 11.20.2020 Dean Dorton

COVID-19 has rapidly changed the landscape of our professional lives. No one could have predicted the year that we have seen, nor the digital transformation that has occurred in many organizations trying to quickly adapt to a work-from-home model.

The good news is that eventually the pandemic will end and people will return to their normal duties, likely with some in-office and some virtual work. After spending months working from home, many of us are anxious to go back to the office, at least on a regular basis, to meet with colleagues and experience the social interactions that we have so missed lately.

During the early stages of the pandemic, we observed an uptick in cybersecurity incidents related to remote work. Did your organization do any of the following?

  • Give laptops or other devices to employees to take home
  • Give open remote access to employees
  • Start utilizing new software programs
  • Give users local administrative rights

Any of these, as simple as they seem, open up your team members, devices, and your network to vulnerabilities, especially if new software was installed but is potentially malicious in some way.

As you continue to evaluate and navigate returning to work and remote work, consider these cybersecurity responses:
  • Implementing a comprehensive plan for your organization before employees return is of the utmost importance. The risk appetite (risk that an organization is willing to accept) will be different for every organization. An accounting firm may not have the same risk appetite as a hospital, for example. The basic checks will remain the same for most organizations, however.
  • How will you ensure that devices that were used in homes for months are not compromised and will not be leveraged by threat actors to spread as soon as they are connected to your internal networks? This would be a worst case scenario. An organization may have many technical controls in place to prevent incidents within their network, but it can be difficult to account for the wild card of laptops and other devices that have been at other locations being introduced back into the environment.
  • What software was installed by the employee and what other devices have been on the same home network 24/7 for the past few months?
  • How will you assess the risk related to how the device was used in the household or the level of exposure to unsecured devices?

We know that once threat actors gain access to a system, they can lie idle for days, weeks, or even months before launching a cyber attack. Some of them are certainly lurking for the right opportunity to strike. Unfortunately, this opportunity may be when the user brings the infected laptop or other device back and reconnects to your network, allowing the threat actor to propagate and infect many more laptops and/or devices in your organization.

Beyond standard practices such as effective patch management and effective, up-to-date anti-malware, we also recommend doing a thorough review of these devices before they are connected back to the internal network. This can be done manually or by implementing a NAC (Network Access Control) system. A NAC allows your organization to set a baseline that laptops and devices must meet before they can connect to your network. That baseline could include ensuring that the laptop or device is patched with the latest critical updates, that its firewall is turned on, and that it has anti-malware software installed.
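As an added illustration of the baseline check described above (not code from Dean Dorton or from any NAC product), the following evaluates a returning device’s posture against a policy with the three checks named in the article, plus a freshness window for patches and anti-malware signatures. The posture fields, the day thresholds and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy thresholds standing in for a NAC baseline.
MAX_DAYS_SINCE_CRITICAL_PATCH = 14
MAX_DAYS_SINCE_AV_SIGNATURE_UPDATE = 3


@dataclass
class Posture:
    """What a NAC agent might report for one device (constructed)."""
    hostname: str
    firewall_enabled: bool
    antimalware_installed: bool
    last_critical_patch: date
    last_av_signature_update: Optional[date]  # None if no anti-malware


def evaluate(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return ("allow" | "quarantine", reasons) for a device that wants in."""
    failures = []
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    if not p.antimalware_installed:
        failures.append("no anti-malware installed")
    elif (p.last_av_signature_update is None
          or (today - p.last_av_signature_update).days > MAX_DAYS_SINCE_AV_SIGNATURE_UPDATE):
        failures.append("anti-malware signatures stale")
    if (today - p.last_critical_patch).days > MAX_DAYS_SINCE_CRITICAL_PATCH:
        failures.append("critical patches older than %d days" % MAX_DAYS_SINCE_CRITICAL_PATCH)
    # Any failed check keeps the device off the internal network until fixed.
    return ("allow" if not failures else "quarantine", failures)


# Constructed sample devices coming back from months at home.
TODAY = date(2020, 11, 20)
HEALTHY = Posture("lt-001", True, True, date(2020, 11, 15), date(2020, 11, 19))
NEGLECTED = Posture("lt-002", False, True, date(2020, 6, 1), date(2020, 6, 2))
NO_AV = Posture("lt-003", True, False, date(2020, 11, 10), None)
```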

The majority of these solutions are highly customizable and can be tailored to fit your organization’s specific needs. Dean Dorton’s cybersecurity experts can assist you in putting a plan together, so risk is minimized and laptops and other devices do not put your information and systems at risk.

Cybersecurity Services

Gui Cozzi
Cybersecurity Associate Director
gcozzi@ddaftech.com • 859.425.7649

Filed Under: Cybersecurity, Services, Technology Tagged With: Cybersecurity, office work, remote work, threat
