In network environments, endpoints are frequently exploited due to their external-facing nature and ease of entry into the network. Many believe attackers or bad actors are only on the outside to exploit vulnerabilities; however, cybercrime statistics have proven that malicious insiders also exist. Insider threats have increased by 47% in the last two years (Panda Security).
As a result of this dangerous misconception, businesses don’t protect their endpoints as thoroughly as they should.
Endpoint zero-day attack examples
March and October 2021 – Acer
After the March 2021 ransomware attack where the REvil ransomware group demanded $50 million – one of the highest reported at the time – the company experienced another attack. This time, in October, the isolated attack was detected in their after-sales service system in India.
May 2021 – Ireland’s Health Service Executive (HSE)
Conti (Wizard Spider) used phishing attacks to plant malware into the HSE’s system. The $20 million ransom demanded wasn’t paid, but initial costs to the health service included weeks of disruption. The CIO believed total costs could easily stack up to $565 million by the end of the fixes.
July 2021 – SolarWinds Attack
The SolarWinds attack made its way through the organization’s network using a bug in Microsoft. It was the Microsoft security team that spotted the new threat actor originating in China; DEV-0322 gained access “by connecting to the open SSH port and sending a malformed pre-auth connection request.”
The reality is that your user endpoints contain business-critical data. When an endpoint is lost, your business will take a hit in terms of lost data, lost time, and lost productivity.
Reasons why traditional network segmentation methods for endpoint protection are ineffective
- Devices on a shared VLAN can communicate with each other, meaning an attack can reach several neighboring devices effortlessly or even all at once.
- Lateral movement occurs once the endpoint is breached – essentially, once an attacker has access to one device inside the network, the attack can spread laterally across it.
- Zero-trust architecture is expensive and complex, requiring some fundamental infrastructure changes.
- The traditional method of network segmentation means there are many blind spots because of a lack of traffic visibility.
It comes down to the fact that the traditional route enables ransomware or malware to spread within a network, one network segment after another.
The remedies for poor network segmentation
Lateral traffic flow visibility
Without clear visibility of what is coming into and going around your network, your organization’s network is the equivalent of a public park on a busy Saturday afternoon. You know there is traffic, but not how much or the direction and intention of individuals.
Traffic flow visibility between endpoints gives teams reassurance that only traffic that is supposed to be on the network is entering it, and they also know where it’s going and where it’s been.
It provides visibility for all lateral traffic flows, including authorized and unauthorized communications between all devices in a shared VLAN.
Lateral movement containment
This is where the two-door ideology comes in. Should a burglar enter one room of a house, they’ll need to get through two locked doors to access the next.
The ability for any attack to move effortlessly from “room to room” needs to be contained. Lateral movement containment means ransomware and malware are restricted to a single device.
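As an added illustration of the two ideas above (not code from the original post or from ENHALO’s product), the following Python check classifies flow records on a shared VLAN into north-south, authorized lateral and unauthorized lateral traffic, and flags a source that fans out to many peers as the device to ring-fence. The VLAN, the allowlist and the flow records are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample environment: one shared /24 VLAN with two servers that
# endpoints are allowed to reach laterally (a print server and a file share).
VLAN = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_LATERAL = {("10.20.30.5", 631), ("10.20.30.6", 445)}

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.30.11", "93.184.216.34", 443),  # workstation -> internet (north-south)
    ("10.20.30.11", "10.20.30.5", 631),     # workstation -> print server (authorized)
    ("10.20.30.11", "10.20.30.12", 445),    # workstation -> peer SMB (unauthorized)
    ("10.20.30.11", "10.20.30.13", 3389),   # workstation -> peer RDP (unauthorized)
    ("10.20.30.11", "10.20.30.14", 445),    # workstation -> peer SMB (unauthorized)
    ("10.20.30.12", "10.20.30.6", 445),     # workstation -> file share (authorized)
]


def is_lateral(src, dst, vlan=VLAN):
    """A flow is lateral (east-west) when both endpoints sit in the same VLAN."""
    return ipaddress.ip_address(src) in vlan and ipaddress.ip_address(dst) in vlan


def classify_flow(src, dst, port, vlan=VLAN, allowed=AUTHORIZED_LATERAL):
    """Return 'north-south', 'lateral-authorized' or 'lateral-unauthorized'.

    Under a default-deny lateral policy, only 'lateral-authorized' flows
    between endpoints in the VLAN would be permitted."""
    if not is_lateral(src, dst, vlan):
        return "north-south"
    return "lateral-authorized" if (dst, port) in allowed else "lateral-unauthorized"


def unauthorized_peer_counts(flows, vlan=VLAN, allowed=AUTHORIZED_LATERAL):
    """Map each source to the number of distinct peers it reached without authorization."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if classify_flow(src, dst, port, vlan, allowed) == "lateral-unauthorized":
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def devices_to_isolate(flows, max_peers=2, vlan=VLAN, allowed=AUTHORIZED_LATERAL):
    """Sources fanning out to more than max_peers unauthorized peers are the
    devices containment would ring-fence so the spread stops at one endpoint."""
    counts = unauthorized_peer_counts(flows, vlan, allowed)
    return {src for src, n in counts.items() if n > max_peers}
```

Running `devices_to_isolate(SAMPLE_FLOWS)` on the constructed records returns only the workstation that contacted three peers; the authorized server traffic is left alone.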
ENHALO’s agentless network segmentation solution
Agentless segmentation provides a safe and consistent way to protect managed and unmanaged devices, eliminating error-prone patch deployment and management. It provides default zero trust protection on all devices, regardless of whether they are on corporate or public networks.
With an Agentless Network Segmentation Service (NSS) or airgap service, the assumption is that every device is breached or will soon be breached.
ENHALO’s NSS Zero Trust enforcement model automatically contains the spread of ransomware and malware to a single device. Infected devices are ring-fenced so that threats cannot propagate beyond the isolated devices.
Lateral communication between endpoints is therefore disabled, and visibility is created on what and where traffic is attempting to flow.