Last updated at Wed, 03 Jan 2024 21:00:48 GMT

Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Nexpose user base where many companies only scan their servers. However, IDC finds that 70% of successful breaches originate on the endpoint.

This does not necessarily imply insider threats, it is rather a sign that phishing is prevalent, cheap, and surprisingly effective in compromising machines. Given this compelling data, I strongly urge security professionals responsible for vulnerability management to consider scanning their endpoints to spot and remediate vulnerabilities in browsers, office packages and other typical endpoint software to reduce the risk of compromising endpoints.

At the risk of over-emphasizing the point: the recent JP Morgan breach, which exposed half of U.S. households and millions of small businesses, started with a compromised endpoint.

Incident detection must therefore also take endpoints into account. With Rapid7 InsightIDR, we detect endpoint compromises using an agentless scanning technology that is built on the fast, efficient, and proven technology of Rapid7 Nexpose, which has years of experience in this area.

The number one attack vector for breaches remains credentials. These are often obtained through the following means:

  • Social engineering the help desk
  • Trying default passwords
  • Guessing passwords
  • Installing keylogging malware
  • Phishing users
  • Accessing orphaned accounts

Protecting against these attack vectors is hard, but there are several ways to test if your environment is vulnerable. For example, Rapid7 Nexpose includes vulnerability checks that test for known default credentials, giving you visibility into your weakness, and enabling you to protect yourself.

Rapid7 Metasploit has great, new functionality for testing for weak and reused credentials as part of a penetration test. This can highlight issues where passwords are shared across account types and trust zones. It also exposes common security issues such as the use of one local domain administrator account password across the entire organization, which helps our penetration testers own entire network in a heartbeat using pass the hash attacks.

While prevention is necessary, no network is flawless, so detecting attackers using compromised credentials is quickly becoming a critical part of any security program. Compromised credentials are leveraged in three out of four breaches but they are hard to detect because attackers look like a bona fide user to most monitoring solutions. Rapid7 InsightIDR was built specifically to detect stealthy use of compromised credentials across your domain, local accounts, and in the cloud. It integrates with leading SIEMs and threat intelligence solutions such as Splunk, HP ArcSight ESM and FireEye TAP.

IDC's recommendations on how to protect your organization

IDS is making six recommendations to help protect against these risks:

  1. Re-allocate budget from prevention to detection: Nobody suggests that you should end your prevention efforts. Prevention continues to be necessary, but you now must also assume that you will be breached and expand your focus on detection and response.
  2. Monitor user behavior: Users are at the heart of your operation. They produce value to your organization, and are the origin of your productivity. This makes them a huge target for attackers, who know that they have they keys to the kingdom. Security analytics solutions such as Rapid7 InsightIDR can help you detect and investigate malicious user behavior, whether it's because of an insider threat or an attacker masking as an internal user. What's best: if you already have a SIEM, deploying this technology becomes even faster.
  3. Get visibility into unmanaged cloud applications: Whether your organization is an avid user of cloud services or not, your users probably are. Rapid7 InsightIDR customers are always surprised to discover how many of their users turn out to have cloud applications installed, even when it's against company policy. In organizations using enterprise-grade cloud services such as Salesforce.com or Amazon Web Services InsightIDR's direct integration with key cloud providers also helps you detect and correlate logon activities that don't originate from your network, dramatically improving detection capabilities and security visibility.
  4. Monitor endpoints (including mobile devices!): Monitoring endpoints is critical to detect local account compromises and other malicious activity, and the same is true for mobile devices. Rapid7 InsightIDR can detect compromises of mobile devices even in BYOD environments by integrating with key choke points, such as mail servers.
  5. Eliminate default passwords: Our penetration testers frequently get access to a network because someone forgot to change a default credential. While this is an easy mistake to make, this lack of basic security hygiene can have dire consequences. Rapid7 Nexpose can help you identify default passwords on all of your hosts so you can swap them out.
  6. Harden endpoints: Hardening your endpoints encompasses several things. Scan your endpoints for client-side vulnerabilities that could be leveraged in phishing attacks and remediate them. You should also look at deploying exploitation prevention toolkits, which are available for free for Windows and other platforms and ensure that your mass-malware endpoint solution is installed, active, and up to date. Rapid7 ControlsInsight is a great beacon to help you track how effective your endpoint and server controls are today and where you can get the biggest bang for your buck. It also helps you track progress in improving controls and to show your management the positive impact you have on your organization's security posture.