Endpoint Hardening and Preparedness in a Changing Threat Landscape

Today’s cyber threat landscape is a volatile place. To many, the most significant contributor to its current state is the conflict between Russia and Ukraine and the cyber activity that has accompanied it. Our partners at Deep Instinct have been closely reporting on the events, and how they’re impacting the threat landscape.

It is impossible to speak of the cyber threat landscape without covering geopolitical situations — which is expected, provided one does so with an understanding of the uncertainty accompanying current events. It is unclear how long such circumstances will last, or what the lasting impacts of a complicated geopolitical situation may be.

How the threat landscape is changing

Tanium’s goal is to stay abreast of the key trends, extracting actionable intelligence so that it can help. The following is an overview of the key trends in the cyber threat landscape:

• Possible increase in ransomware attacks amidst economic instability: With the US choosing heavy sanctions against Russian interests as its primary response to Russia’s incursion, the resulting economic instability may result in more ransomware attacks targeting US interests. Russia has been described by the FBI as a “permissive operating environment for cybercriminals” and warned that the US could experience “a possible increase in cyber threat activity” from hackers operating with the backing of Russia.
• Emergence of new destructive malware: As stated in a recent article from Deep Instinct, Russian cyber activity “aimed at sowing chaos and disrupting communications within Ukraine’s government and military institutions” in the weeks leading up to the invasion included the deployment of new disk-wiping malware called HermeticWiper (along with widespread DDoS attacks and web defacements). In the weeks since, at least two new destructive malware strains have emerged from the conflict, accompanied by novel infection vectors, and supporting malware designed to ensure the successful delivery of destructive payloads.
• Phishing and other scams leveraging the conflict: As with any high-visibility world events (including cyberattacks), threat actors are quick to seize upon available information and public uncertainty to create convincing phishing lures and social engineering campaigns. The motives behind such campaigns alternate between espionage, credential theft, and financial scams.
• Potential “spillover” of cyber activity affecting US targets: The Cybersecurity and Infrastructure Security Agency (CISA), along with other multinational cyber agencies, has repeatedly expressed concerns that the cyber activity observed in the Russia and Ukraine situation could move outside the conflict zone and impact organizations within the US, EU, or Western territories.
• Involvement of hacktivists raises stakes: Acts of hacktivism amidst geopolitical conflicts risk being misattributed by both sides, being interpreted as state-sponsored adversarial activity, and unintentionally escalating tensions. Hacktivism (no matter how well-intentioned) can escalate kinetic activity on the battlefield and heighten the risks in cyberspace — a reality that could claim lives, destroy critical infrastructure, or result in retaliatory actions targeting the US and nations with which the US maintains alliances. A recent example highlighting this paradigm is the leaking of Conti data (including its source code) after it was stolen from the ransomware group by a Ukrainian hacktivist in response to Conti’s public pledge to back Russia in the conflict. Ransomware code has been leaked before, as with Babuk ransomware, and it led to the re-use and modification of the ransomware by new threat actors. This is a real risk here as well.

While much of what is described above is related to the cyber effects of one particular geopolitical conflict, experts forecast several threats expected to impact the cyber threat landscape soon – many of which have already begun making themselves known. Organizations are encouraged to be on the lookout for the following:

• Continued influence campaigns and attempts by state-sponsored actors to take out secure lines of communication depended upon by the public for reliable reporting
• Critical infrastructure targeted in attacks
• Continued warnings of impending foreign influence attacks targeting US organizations and critical infrastructure from CISA
• Spikes in fuel/energy prices, economic instability, and cyber insurers covering less and charging more
• Increased compromises of open-source libraries and packages and other technologies comprising supply chains
• Ransomware:
  • Increased ransomware activity overall, with an emphasis on a return to targeting consumers, SMBs, and mid-market organizations
  • Increased focus by cybercriminals (with ransomware and BEC leading the charge) on SaaS and cloud technology
  • Publication of Conti source code may lead to new variants leveraged by new actors, as was the case when Babuk ransomware’s code was leaked
  • Emergence of new, loosely affiliated hacking groups, as observed in the Russia/Ukraine war
• The likely “trickle-down” of malware used in conflicts into the hands of cybercriminals, who are free to modify and repurpose as they see fit – and vice versa
• Increase in multi-prong cyberattacks, such as ransomware attacks combined with influence campaigns, DDoS, destructive malware, false flag ops, etc.

In this rapidly changing landscape, what you do today is essential in your preparedness and response capabilities if you are attacked. Regardless of your industry, all organizations should instrument their environment with risk and attack surface reduction in mind.

Why endpoint hardening and preparation is critical

The best time to have asset management and patching workflows dialed in was yesterday. The second-best time is today. While many adversaries are currently focused on systems of interest in countries engaged in active military conflict, researchers and threat intelligence specialists have indicated a likely uptick in cybercrime behavior as the effects of sanctions related to those conflicts cause economic uncertainty in various parts of the world. It is imperative that you use this time today to close any gaps in patch management for operating systems and third-party tools, and tune policy to reduce your attack surface.

Place your highest priority on reducing coverage and visibility gaps, remediating patch failures, and updating third-party software. The current threat landscape does not support tolerance for endpoints that are 30, 60, or 90 days out of compliance. You should take this opportunity to bring all systems current on their operating system patches and third-party software, including servers and workstations.

In the immediate future, you should prioritize the following actions:

• Request emergency change authorization to urgently apply missed and outdated patches
• Deploy a patch management solution or remediating patch failures
• Address Operating System Patches
• Update Third-Party Software
• Remove unauthorized, unused, or unsupported software
• Apply policy to reduce the attack surface
• Ensure incident response plans are supported by tooling in the environment
• Review recommendations from CISA, as a part of their “Shields Up” initiative, to reduce your risk of a cyberattack; CISA is also requesting organizations to report any signs of attack to their office
• Review CISA’s Known Exploited Vulnerabilities Catalog, which contains 95 new vulnerabilities, added after analysis of vulnerabilities that have been used by Russian cyber threat actors

How Tanium can help

Tanium can help organizations address these urgent recommendations with the following:

Tanium Patch

Tanium Patch offers the solution to deploy patches, coordinate maintenance windows, and report accurately and real-time on the state of your patching efforts. New and existing customers can operationalize Tanium Patch and begin receiving actionable data on their patch status in hours, not days or weeks.

Tanium Deploy

Initial access and lateral movement by an attacker are often accomplished through the compromise of vulnerable, out-of-date software. Organizations should not limit third-party application updates to internet-facing systems alone. Once inside your environment, threat actors may compromise internal systems using these vulnerable third-party applications. Additionally, “shadow IT” (software deployed outside the knowledge or support of the IT department) can introduce unexpected vulnerabilities into the environment. You can use Tanium Deploy to uninstall unapproved software automatically, keeping your environment free of disallowed applications.

Tanium Enforce

During an attack, threat actors will constantly seek to expand scope, permissions, and access across the environment. In addition to applying security updates for software and operating systems, you can proactively harden endpoints to reduce the options available to a malicious actor in your network.

Tanium Enforce is your solution to manage Windows policy settings, including those that can limit your attack surface. Auditing scripts, executables, and Windows installer with AppLocker audit, or managing PowerShell execution policy are just a few examples of the more than 5,000 device security and configuration settings available in Tanium Enforce. As mentioned by Deep Instinct, most users in your organization have no need to execute scripts. Some other hardening steps may include:

• Create a policy to restrict script execution
  • Visit Microsoft’s documentation for more details on PowerShell Execution Policies.
• Reducing workstation-to-workstation traffic (RDP, PowerShell Remoting, SMB)
• Disable Administrative shares
• Disable insecure protocols (SMBv1)
• Prevent service accounts and local accounts from logging on remotely
• Implement Anti-Malware and Attack Surface Reduction Rules on Windows systems

Next steps

You can read more on how to prepare for cyberwarfare in this latest Endpoint article.

---

If you need hands-on support, we have you covered. Tanium is offering endpoint hardening assistance at no cost, no commitment, for 45 days, including patch and deploy components of the client management solution. We are also offering no-cost services to assist in operationalizing this software. Existing customers can reach out to their account reps. If you’re not currently a customer, contact us here to get started.