How does it work?
Endpoint-delivered threats usually enter an organisation through:
- a user-infected device introduced into the corporate network which then delivers malware that can spread laterally
- an infected portable device
- users who are tricked into downloading and installing malicious software by claims that they are antivirus, disk clean-up or other utility software
Attackers can use strategies such as leaving an infected USB drive around the organisation's parking lot in anticipation that an employee will pick it up and plug it into a network connected system. However, pulling off such an attack is expensive and much riskier for the attackers, especially if they are remote and need a trained human asset in-country to assist with the attack.
Endpoint threat protection becomes more complicated as users connect their own devices into the corporate network and as more users work remotely. An organisation has to accept that not all traffic on the user’s device will go through the corporate security controls, and in many cases the organisation may not have device control to enforce a specific endpoint security risk solution.
Opportunistic attackers and those attempting targeted threats on organisations tend to use socially-engineered emails sent to corporate email accounts to compromise user endpoints.
This strategy is easy to execute and cost effective as attackers can execute the attack remotely, enabling attacks across multiple users, and at multiple different times.
The 2013 Verizon Data Breach Investigations report explains that running a campaign with just three targeted phishing emails gives the attacker a better than 50% chance of getting at least one user to click and have their machine compromised; sending ten almost guarantees getting at least one user to click and compromise their device.
Once compromised, the endpoint can give up a mountain of an organisation's information along with access credentials that are keys to critical systems and data. The risk of exposure further increases when the compromised endpoint connects to the network and allows the attackers to spread laterally through the organisation's networked endpoints.
The strongest defence against endpoint security risks is a layered security approach which includes best-in-class security solutions on the endpoint to check for malicious behaviour, signature matching, and other solutions that can inspect traffic going to and from the device. Additionally, detection and protection from email delivered threats early in the lifecycle of a threat is a primary strategy in stopping a large volume of endpoint security threats delivered into organisations.