What a 100-Year Plant Disease Reveals About Endpoint Privilege Security

November 9, 2021 Andrey Pozhogin

Plant Disease Reveals About Endpoint Privilege Security

At the turn of the 20th century, a little-known plant disease called white pine blister rust emerged in the United States and began rapidly ravaging entire forests. As the disease spread across the country, the government stepped in to protect the flailing timber industry by banning the growth and sale of gooseberries and currants — two innocent-looking culprits behind the outbreak.

As hosts, these berry plants carried the disease without being harmed themselves, essentially serving as a launchpad for the virus. The idea was that by eliminating these two plants, white pine blister rust could no longer reproduce and infect more vulnerable pine trees. But in the process, people missed out on two very popular (at the time) summertime fruits, along with their numerous health benefits. (Fun fact: the black currant is a nutritional superstar that delivers 4x as much vitamin C as oranges!) Luckily, the ban was lifted in the 1960s, and new varieties of rust-immune gooseberries and currants were developed, much to the delight of pie lovers across America.

Now you’re probably thinking, what does tree fungus have to do with cybersecurity? Stay with us here…

Cyber intruders typically follow a sequential set of steps to execute their attacks. While there are many methods they can use to jump start their efforts, compromising identities and abusing privileged credentials is an especially productive tactic.

A Windows Defender Application Control (WDAC) vulnerability that recently came to light illustrates the efficacy of this approach. An attacker can exploit this particular flaw (CVE-2020-0951), execute commands on the endpoint and bypass the WDAC system, which is meant to block malicious software from running. But first, the adversary must gain privileged access to launch the attack — underscoring the critical need to enforce privilege security on the endpoint.

While most organizations today recognize this well-worn “privileged pathway,” privileged accounts exist everywhere within an organization. In fact, many privileged credentials are hardcoded or embedded enterprise software, systems and servers. Since privileged accounts can’t be completely eradicated, and are very much needed to support a healthy IT ecosystem, how can they peacefully co-exist in environments that are constantly at risk of threats like ransomware infection that originate on the endpoint?

Organizations can take a page from the white pine blister rust eradication playbook and apply similar logic used by mid-century forest and agriculture experts to:

  • Securely manage “host” gooseberry and currant plants (or, in our case, privileged local admin accounts), making it difficult for the rust (or attacker) to hopscotch its way into a susceptible white pine (or IT network), while enforcing granular least privilege policies for IT administrators who have powerful access.
  • Remove new berry plant species’ ability to “carry” the virus. In the digital realm, this equates to removing administrative rights from regular user accounts. This is one of the most effective ways to reduce your endpoint attack surface. If end-users require elevated privileges to perform certain approved tasks like updating Windows or changing their laptop’s power settings, automated just-in-time privilege elevation can automatically give them the privileges they need for a certain period — and take them away as soon as the task is complete.
  • Carefully monitor for additional species that could threaten the forest — and test them before they can grow and spread. In our enterprise analogy, if an end-user launches an application on their laptop that’s legacy, unknown or unapproved by the organization, the ability to rapidly analyze the application’s risk level can help identify, block and contain attacks on the endpoint — all without hindering end-user productivity or burdening IT help desk teams.
  • Promote tree health and growth by bringing in experienced arborists and their tools to address issues (or common attack vectors, such browsers containing saved passwords or known bad or “blacklisted” applications) putting the tree (or business) at risk, prune the dead wood (such as removing excess entitlements) and help all the tree’s living parts (or users) work together productively in a safe and controlled manner.

By following these simple yet effective steps as part of a defense-in-depth approach, your organization can significantly reduce the risk of ransomware and other endpoint attacks without introducing user friction. In other words, you can have that gooseberry pie and eat it too!

Speaking of tools that can help keep your endpoints secure — from servers, to workstations, to laptops — check out CyberArk Endpoint Privilege Manager. Request a 30-day trial of our fully SaaS solution and you can start strengthening your security posture on day one.

Previous Article
Breaking Down the CMMC and How CyberArk Can Help Support Compliance
Breaking Down the CMMC and How CyberArk Can Help Support Compliance

As mobile workforces and cloud service usage continue to surge, organizations are struggling to provide sec...

Next Article
Why Reporting Cybersecurity Business Impact is About Seeing the Forest from the Trees
Why Reporting Cybersecurity Business Impact is About Seeing the Forest from the Trees

You know when you get stuck sitting next to that one relative who takes forever to tell a story or get to t...