Think like an attacker:

Thinking like an attacker can help enterprises better secure their prime vulnerability – their endpoints – explains Nick Levay, Chief Security Officer, Bit9.

Enterprise endpoints – such as laptops and workstations – are increasingly targeted by attackers seeking to break into corporate infrastructures and take valuable or sensitive information. Why? First, compromising endpoints is relatively easy compared to systems inside the data centre, because of the extensive flaws in client-side software. For a company with global employees, the sheer multitude of endpoints presents a large attack surface. In addition, by their nature people are susceptible to social engineering – a non-technical intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

As vulnerable endpoints increasingly come under attack, it's time for enterprises to turn the tables and start thinking like an attacker. Enterprises need to understand what attackers are looking for and which vulnerabilities are easy to exploit. From this perspective enterprises can see their security landscape in a whole new light and recognise that a new generation of security is needed. This helps an enterprise better secure its prime vulnerability – its endpoints – and consequently its IP and overall infrastructure; it also makes clear why traditional antivirus solutions have been superseded by new, integrated approaches that offer a more viable and effective option.

Endpoints come under fire, traditional antivirus is no longer enough

According to Verizon's 2013 Data Breach Investigations Report, 71 percent of surveyed breach incidents targeted user devices. Theoretically, efforts aimed at protecting endpoints should include a focus on user awareness, in addition to strong host protection. But workers are focused more on doing their jobs than on the security of the computer they're using. Attackers know this, and they're leveraging this weakness through social engineering. The Verizon report also found about 78 percent of breaches were rated as “low difficulty” intrusions, suggesting that attackers didn't need to employ highly technical methods. It's not that the malware employed by advanced attackers is sophisticated; rather, it's their tactics that make them so effective, and social engineering is almost always at the forefront of attacks.

The underlying principle behind social engineering is that it's often easier to trick people than to hack into computing systems by advanced technical means. Social engineers get personal information or access to computing systems by exploiting people's natural tendency to be trusting and helpful. Social networks and the Web provide attackers with a wealth of reconnaissance information, helping them to precisely pinpoint and highly target individuals.

A classic example of social engineering is phishing – an email or phone call that appears to come from someone in authority, a member of the IT team or a trusted business – attempting to trick users into revealing their password or other personal information. Another example is the “click this link” scam – the link often looks legitimate but typically takes the user to a harmful website designed to steal sensitive information or infect the computer.

By thinking like an attacker, enterprise security teams should recognise how credulous people tend to be when targeted by social engineering, no matter how often they have been “educated” on security procedures. This leaves enterprises with the option of strong host protection. Traditional antivirus is signature-based blacklisting – vendors compile lists of known malware and block whatever matches – and it has become technically unfeasible because of the massive growth in malware. With new threats emerging daily, an antivirus product's list of “bad software” can never be considered comprehensive. In addition, its “default-allow” model means that a piece of bad software only becomes known as bad once it has already succeeded in compromising systems.

In a constantly evolving threat environment, a default-deny approach to security, often called whitelisting or application control – which permits only trusted software to run on endpoints and prevents unauthorised software from running – provides a better level of protection than antivirus. The notion that whitelisting is challenging to deploy and manage is outdated. Today, whitelisting is policy-based, and most organisations need only a few dozen policies to manage which software they trust to run. The security team can change or delete policies and create new ones quickly and easily as the needs of the organisation evolve.
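To make the default-deny versus default-allow distinction concrete, here is an added example (not Bit9's product logic and not code from the article) of a small policy-based application control engine. The rule types (approved hash, trusted publisher, trusted directory, banned hash), the policy values, the file paths and the sample "executables" are all assumptions constructed for the demo; the `signer` field is assumed to come from a code signature that has already been cryptographically verified, not from a string the file itself claims.

```python
"""Default-deny application control versus antivirus-style default allow.

Added illustration; rule types, policy values and sample files are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Executable:
    path: str
    content: bytes                 # file bytes; the samples below are constructed stand-ins
    signer: Optional[str] = None   # publisher from an already-verified signature, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    """One policy set; 'a few dozen' of these is the scale the article describes."""
    approved_hashes: set = field(default_factory=set)      # explicitly approved binaries
    trusted_publishers: set = field(default_factory=set)   # vendors whose signed code may run
    trusted_directories: tuple = ()                         # paths only a managed installer writes to
    banned_hashes: set = field(default_factory=set)        # the blacklist antivirus relies on


def evaluate(policy: Policy, exe: Executable) -> Tuple[str, str]:
    """Default deny: execution is allowed only when an explicit trust rule matches."""
    h = exe.sha256
    if h in policy.banned_hashes:
        return "deny", "banned hash"
    if h in policy.approved_hashes:
        return "allow", "approved hash"
    if exe.signer is not None and exe.signer in policy.trusted_publishers:
        return "allow", f"trusted publisher: {exe.signer}"
    if any(exe.path.startswith(d) for d in policy.trusted_directories):
        return "allow", "trusted directory"
    return "deny", "no trust rule matched (default deny)"


def evaluate_default_allow(policy: Policy, exe: Executable) -> Tuple[str, str]:
    """The traditional antivirus model, for contrast: block only what is already known bad."""
    if exe.sha256 in policy.banned_hashes:
        return "deny", "banned hash"
    return "allow", "not on the blacklist (default allow)"


# Constructed samples: the byte strings stand in for real binaries.
SAMPLES: Dict[str, Executable] = {
    "approved_tool": Executable("C:/Tools/diag.exe", b"known internal diagnostic tool v1"),
    "vendor_app":    Executable("C:/Program Files/Acme/acme.exe", b"acme build 2.3",
                                signer="Acme Software Ltd"),
    "updater_drop":  Executable("C:/ProgramData/CorpUpdater/patch.exe", b"patch payload"),
    "phish_dropper": Executable("C:/Users/alice/AppData/Local/Temp/invoice.pdf.exe",
                                b"never-seen dropper delivered by a phishing mail"),
    "old_malware":   Executable("C:/Users/alice/Downloads/crack.exe",
                                b"sample that is already on the blacklist"),
}

POLICY = Policy(
    approved_hashes={SAMPLES["approved_tool"].sha256},
    trusted_publishers={"Acme Software Ltd"},
    trusted_directories=("C:/ProgramData/CorpUpdater/",),
    banned_hashes={SAMPLES["old_malware"].sha256},
)


def audit(policy: Policy, samples: Dict[str, Executable]) -> Dict[str, Tuple[str, str]]:
    """For every sample: (default-deny decision, default-allow decision)."""
    return {name: (evaluate(policy, exe)[0], evaluate_default_allow(policy, exe)[0])
            for name, exe in samples.items()}


if __name__ == "__main__":
    for name, (deny_model, allow_model) in audit(POLICY, SAMPLES).items():
        print(f"{name:14s} default-deny={deny_model:5s} default-allow={allow_model}")
```

The phishing dropper is the case that matters: both models stop the binary already on the blacklist, but only the default-deny model stops the never-before-seen file in the user's temp directory, because nothing has vouched for it. Two caveats a practitioner would add: a trusted-directory rule is only as strong as the ACL on that directory (if users can write there, the rule is a bypass), and a trusted-publisher rule must be backed by real signature verification, since a publisher name alone is trivially forged.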

New approaches integrate network and endpoint security capabilities

New approaches combine modern network defence techniques with endpoint and server data, helping enterprises to better identify and contain threats found on the network and on endpoints. Intelligent network devices capture suspicious files and confirm threats via a process known as detonation. The idea behind detonation is that files are “exploded” by running the code in an instrumented environment and analysing whether it makes a clear attempt to act maliciously, even if it is not known malware. But what detonation does not reveal is whether the attack code reached the machines it was intended for, whether it ran there, or whether it was stopped.

Today, detonation results can be immediately correlated with up-to-the-second endpoint monitoring and recording data to confirm the location, scope and severity of threats across enterprise endpoints. When every second counts, this enables security teams to prioritise and respond to threats faster and more efficiently. This is just one example of how network and endpoint security capabilities can come together to deliver more comprehensive, real-time intelligence from the network to endpoints and servers. Adversaries know that an attack can leave an enterprise scrambling, so today's advanced threats make this new approach critical to an organisation's security.
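The correlation described in the two paragraphs above, as an added example that is not part of the article and not any vendor's engine: sandbox verdicts keyed by file hash are joined against endpoint telemetry to answer, per malicious file, which hosts it arrived on, which hosts ran it and which hosts blocked it. The event schema (`file_written`, `process_start`, `execution_blocked`), the host names, the hash labels and the behaviour tags are assumptions constructed for the demo.

```python
"""Join network detonation verdicts with endpoint execution telemetry.

Added illustration; event schema, hosts, hashes and behaviour tags are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Verdict:
    sha256: str
    malicious: bool
    behaviours: tuple      # what the sandbox observed, e.g. ("persistence", "c2-beacon")


@dataclass(frozen=True)
class EndpointEvent:
    ts: int                # seconds since epoch (constructed)
    host: str
    sha256: str
    kind: str              # "file_written", "process_start" or "execution_blocked"


# Worse states rank higher; a file that ran is worse than one that merely landed,
# which is worse than one the endpoint agent stopped.
STATE_RANK = {"blocked": 1, "arrived": 2, "executed": 3}


def host_states(events: Iterable[EndpointEvent], bad_hashes) -> Dict[str, Dict[str, str]]:
    """Per malicious hash, the final state of every host that saw it."""
    states: Dict[str, Dict[str, str]] = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sha256 not in bad_hashes:
            continue                       # benign per the sandbox: out of scope here
        current = states[ev.sha256].get(ev.host)
        if ev.kind == "process_start":
            states[ev.sha256][ev.host] = "executed"      # terminal: the code ran
        elif ev.kind == "execution_blocked":
            if current != "executed":
                states[ev.sha256][ev.host] = "blocked"   # landed, but the agent stopped it
        elif ev.kind == "file_written":
            if current is None:
                states[ev.sha256][ev.host] = "arrived"   # landed, fate not yet known
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return states


def triage(verdicts: Iterable[Verdict], events: Iterable[EndpointEvent]) -> List[dict]:
    """One row per malicious verdict, ordered so the incidents to work first come first."""
    bad = {v.sha256: v for v in verdicts if v.malicious}
    states = host_states(events, bad)
    report = []
    for h, v in bad.items():
        hosts = states.get(h, {})
        by_state = {s: sorted(host for host, st in hosts.items() if st == s) for s in STATE_RANK}
        # priority 0 means the sandbox caught it but it never reached an endpoint
        priority = max((STATE_RANK[st] for st in hosts.values()), default=0)
        report.append({"sha256": h, "behaviours": v.behaviours, **by_state, "priority": priority})
    report.sort(key=lambda r: (-r["priority"], -len(r["executed"]), r["sha256"]))
    return report


# Constructed sample data: two malicious verdicts and one benign one.
VERDICTS = [
    Verdict("hash-A", True, ("drops-persistence", "c2-beacon")),
    Verdict("hash-B", True, ("ransom-note",)),
    Verdict("hash-C", False, ()),
]
EVENTS = [
    EndpointEvent(100, "ws-017", "hash-A", "file_written"),
    EndpointEvent(105, "ws-017", "hash-A", "process_start"),       # ran: top priority
    EndpointEvent(110, "ws-042", "hash-A", "file_written"),        # landed, not yet run
    EndpointEvent(120, "ws-088", "hash-A", "file_written"),
    EndpointEvent(121, "ws-088", "hash-A", "execution_blocked"),   # stopped by the agent
    EndpointEvent(130, "ws-042", "hash-C", "process_start"),       # benign, ignored
]

if __name__ == "__main__":
    for row in triage(VERDICTS, EVENTS):
        print(row)
```

The output answers exactly the question the text says detonation alone cannot: hash-A is the incident to respond to now (it executed on ws-017, is sitting unexecuted on ws-042 and was blocked on ws-088), while hash-B, although malicious, was caught at the network and never reached an endpoint. The join depends on both sides computing the same hash over the same bytes, so an endpoint agent that hashes only on process start, or a network device that sees a file only after transport encoding, will leave gaps in the correlation.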

Unfortunately, users and endpoints have become the weak link in today's IT security chain, and increasingly stealthy attackers are looking to exploit them to the fullest. By thinking like an attacker, it is easy to see that excellent endpoint security is needed. Enterprises need a new “double-barreled” approach to thwart today's sophisticated and relentless breed of attacker. The ideal approaches are those that integrate network and endpoint security capabilities, thus bridging the gap and delivering higher levels of actionable intelligence, greater proactivity and better overall protection.

Contributed by Nick Levay, Chief Security Officer, Bit9