The future of work is “less about a place and more about people’s potential,” notes a recent Accenture study, which found that 63% of high-growth companies have already adopted “productivity anywhere.”
Organizations around the world are fast embracing this hybrid workforce model that puts employee workstations at the edge, far beyond the “walls” of the traditional corporate network. Nearly all our CyberArk Remediation Services team’s recent engagements reflect this reality: workstations are now one of the easiest ways for attackers to compromise identities, launch ransomware attacks, exploit privileged credentials, move toward sensitive IT systems and exfiltrate confidential data.
By the time incident response experts are engaged, attackers have proliferated throughout the environment. Many organizations believe that deploying endpoint security protections during a cyber attack is like putting storm windows on your house in the middle of a hurricane. Our remediation services engagements have consistently found that organizations can accelerate recovery efforts by implementing the following foundational Identity Security controls at the endpoint before an inevitable attack. These controls include:
1. Remove local admin rights. Microsoft Windows, macOS and Linux administrator accounts are used to install and update workstation software, configure system settings and manage user accounts. Attackers target these privileged accounts to disable antivirus software or disaster recovery tools and launch ransomware and other types of malicious software. Moving local admin rights away from standard users and into a secure digital vault with credential rotation is the fastest and simplest step toward hardening employee workstations. It dramatically limits an adversary’s reach, while minimizing the impact of unintentional (yet inevitable) employee errors, such as clicking on a phishing link.
2. Enforce least privilege. Employees often have a legitimate need to perform an action requiring administrative privileges. Just-in-time privileged access enables workers to perform certain specified tasks, based on policy, at the right time for the right reason — without requiring end-user action or help-desk intervention that can hinder productivity.
3. Institute application control policies. Blocking ransomware and other attacks at the endpoint requires more than just the ability to allowlist and denylist known applications. Organizations must be able to:
- “Greylist” applications, such as sandboxing an unknown application and allowing it to run but not access the internet to reduce ransomware risks.
- Implement advanced conditional policies, so workers can use trusted applications safely. For example, allow Excel to run but prohibit it from launching PowerShell to defend against BazarBackdoor malware.
- Create comprehensive rules covering specific executables (e.g., by hash, file name or file path) as well as groups of executables (e.g., default-allowing applications that are signed by a specific vendor, carry a specific product name and originate from a designated trusted updater source).
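To make the three rule types concrete, here is a toy application-control policy evaluator. It is an added example, not code from this post or from any CyberArk product; all hashes, paths, signer names, product names and updater names in it are constructed for illustration.

```python
# Added example (not CyberArk's code): a toy application-control policy
# evaluator modelling the rule types described above: per-executable rules
# (hash, file name, file path), vendor-group rules (signer + product + trusted
# updater), greylisting of unknown binaries, and a conditional parent/child
# rule such as "Excel may run but may not launch PowerShell".
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Process:
    name: str
    path: str
    sha256: str
    signer: Optional[str] = None
    product: Optional[str] = None
    installed_by: Optional[str] = None        # which updater dropped the binary
    parent: Optional["Process"] = None

# Constructed policy data; every value below is hypothetical.
DENIED_HASHES = {"0" * 64: "known-bad dropper"}
DENIED_PATH_PREFIXES = ("C:\\Users\\Public\\",)      # user-writable drop location
VENDOR_GROUPS = {("Microsoft Corporation", "Microsoft Office", "Office Click-to-Run")}
TRUSTED_SIGNERS = {"Microsoft Corporation"}
CHILD_BLOCKS = {"excel.exe": {"powershell.exe", "cmd.exe"}}   # parent -> blocked children

def decide(p: Process) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'deny', 'allow' or 'greylist'.
    Deny rules are evaluated first so that an allow can never override them."""
    if p.sha256 in DENIED_HASHES:
        return "deny", f"denylisted hash ({DENIED_HASHES[p.sha256]})"
    if p.path.startswith(DENIED_PATH_PREFIXES):
        return "deny", f"execution from denied path {p.path}"
    # Conditional policy: the parent may be trusted, but this child may not be
    # spawned from it, regardless of the child's own (valid) signature.
    if p.parent is not None:
        if p.name.lower() in CHILD_BLOCKS.get(p.parent.name.lower(), set()):
            return "deny", f"{p.parent.name} is not allowed to launch {p.name}"
    # Group rule: default-allow binaries from a trusted vendor/product/updater.
    if (p.signer, p.product, p.installed_by) in VENDOR_GROUPS:
        return "allow", f"trusted vendor group {p.signer}/{p.product}"
    if p.signer in TRUSTED_SIGNERS:
        return "allow", f"signed by trusted vendor {p.signer}"
    # Unknown binary: let it run sandboxed, without internet access.
    return "greylist", "unknown application: run isolated, no network access"

# Constructed sample process events.
EXCEL = Process("EXCEL.EXE", "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
                "1" * 64, "Microsoft Corporation", "Microsoft Office", "Office Click-to-Run")
POWERSHELL_FROM_EXCEL = Process("powershell.exe", "C:\\Windows\\System32\\powershell.exe",
                                "2" * 64, "Microsoft Corporation", parent=EXCEL)
UNKNOWN_TOOL = Process("tool.exe", "C:\\Users\\alice\\Downloads\\tool.exe", "3" * 64)
```

Note that PowerShell launched from Excel is denied even though it is signed by a trusted vendor, because the conditional rule is checked before any allow rule.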
4. Protect cached credentials. Credential theft is the No. 1 area of risk for organizations today. Many popular business applications allow credentials to be stored in memory, and many web browsers and password managers cache application and website credentials locally. Once logged in with these stolen credentials, attackers may try to circumvent single sign-on (SSO) solutions as well. Since threat actors can often retrieve cached credentials without ever needing admin privileges, having the ability to automatically detect and block credential harvesting attempts is a crucial endpoint security layer.
5. Set up traps. And speaking of detection, endpoint protection tools that support privilege deception functionality — such as being able to create fake “honeypot” privileged accounts — can help flag would-be attackers right off the bat.
6. Monitor privileged activities. Attackers often fly under the radar, probing defenses and planning their next moves. By proactively monitoring privileged workstation activity, organizations can automatically identify and stop adversaries before they can move laterally, escalate privileges and inflict serious damage. Having complete records of privileged workstation activity is also key in streamlining compliance audits and speeding forensics investigations.
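The following detector, an added example that is not part of the original post or any CyberArk product, shows how the deception signal from step 5 and the privileged-activity monitoring from step 6 can be combined over a workstation event feed. The account names, host names and event format are constructed assumptions.

```python
# Added example (not CyberArk's code): a small detector over constructed
# workstation events that alerts on any use of a decoy ("honeypot") privileged
# account and on privileged activity suggesting escalation or lateral movement.
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HONEYPOT_ACCOUNTS = {"svc_backup_admin"}   # decoy: no legitimate use exists
PRIVILEGED_ACCOUNTS = {"wks_admin"}        # real, vaulted local admin account
ADMIN_GROUPS = {"Administrators"}

# Constructed JSON-lines event feed (one event per line).
EVENTS = """
{"ts": "2024-01-01T09:00:00Z", "host": "ws01", "event": "logon", "account": "alice"}
{"ts": "2024-01-01T09:05:00Z", "host": "ws01", "event": "logon", "account": "svc_backup_admin", "result": "failure"}
{"ts": "2024-01-01T09:06:00Z", "host": "ws01", "event": "group_add", "account": "alice", "group": "Administrators", "member": "alice"}
{"ts": "2024-01-01T09:10:00Z", "host": "ws01", "event": "logon", "account": "wks_admin"}
{"ts": "2024-01-01T09:12:00Z", "host": "ws02", "event": "logon", "account": "wks_admin"}
"""

def detect(feed: str) -> List[Tuple[str, str, str]]:
    """Return (severity, host, message) alerts for a JSON-lines event feed."""
    alerts: List[Tuple[str, str, str]] = []
    hosts_seen: Dict[str, Set[str]] = defaultdict(set)
    for line in feed.strip().splitlines():
        e = json.loads(line)
        acct, host, kind = e.get("account"), e["host"], e["event"]
        # Deception: a decoy account is never used legitimately, so any touch,
        # successful or not, is a high-confidence signal.
        if acct in HONEYPOT_ACCOUNTS:
            alerts.append(("critical", host,
                           f"decoy account {acct} used ({kind}, {e.get('result', 'success')})"))
        # Escalation: a membership change on a local administrators group.
        if kind == "group_add" and e.get("group") in ADMIN_GROUPS:
            alerts.append(("high", host, f"{e['member']} added to {e['group']} by {acct}"))
        # Lateral movement: one privileged account appearing on several hosts.
        if kind == "logon" and acct in PRIVILEGED_ACCOUNTS:
            hosts_seen[acct].add(host)
            if len(hosts_seen[acct]) > 1:
                alerts.append(("high", host,
                               f"{acct} active on {sorted(hosts_seen[acct])}: possible lateral movement"))
    return alerts
```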
Inadequately protected employee workstations represent a common security gap — one I’ve seen too many times in my incident response work. If I could offer one piece of advice for organizations looking to shore up security against ransomware and other damaging attacks, it’s this: don’t wait — behave as if you’ve just been breached. By following key Identity Security-centric steps to mitigate risk, as well as separating workstations from servers and embracing a layered defense-in-depth strategy, your organization will be better equipped to isolate attacker activity, minimize impact, regain control of your environment and restore trust quickly and efficiently.