How does it work?
Endpoint-delivered threats usually enter an organization through:
- a user-infected device introduced into the corporate network which then delivers malware that can spread laterally
- an infected portable device
- users who are tricked into downloading and installing malicious software by claims that they are antivirus, disk cleanup or other utility software
Attackers can use strategies such as leaving an infected USB drive around the organization’s parking lot in anticipation that an employee will pick it up and plug it into a network connected system. However, pulling off such an attack is expensive and much more risky for the attackers, especially if they are remote and need a trained human asset in-country to assist with the attack.
Endpoint protection becomes more complicated as users connect their own devices into the corporate network and as more users work remotely. An organization has to accept that not all traffic on the user’s device will go through the corporate security controls, and in many cases the organization may not have device control to enforce a specific endpoint security solution.
Opportunistic attackers and those attempting targeted threats on organizations tend to use socially-engineered emails sent to corporate email accounts to compromise user endpoints.
This strategy is easy to execute and cost effective as attackers can execute the attack remotely, enabling attacks across multiple users, and at multiple different times.
The 2013 Verizon Data Breach Investigations report explains that running a campaign with just three targeted phishing emails gives the attacker a better than 50% chance of getting at least one user to click and have their machine compromised; sending ten almost guarantees getting at least one user to click and compromise their device.
Once compromised, the endpoint can give up a mountain of an organization’s information along with access credentials that are keys to critical systems and data. The risk of exposure further increases when the compromised endpoint connects to the network and allows the attackers to spread laterally through the organization’s networked endpoints.
The strongest defense is a layered security approach which includes best-in-class security solutions on the endpoint to check for malicious behavior, signature matching, and other solutions that can inspect traffic going to and from the device. Additionally, detection and protection from email delivered threats early in the lifecycle of a threat is a primary strategy in stopping a large volume of endpoint delivered threats into organizations.