In today’s threat landscape, organizations must prioritise cyber hygiene to navigate the prevalence of remote work. A robust cybersecurity program entails fostering individual cybersecurity awareness and deploying effective security tools. While endpoint patching, endpoint detection and response (EDR) solutions, and antivirus software are crucial, recent cybersecurity reports indicate that they are no longer sufficient to reduce external attack surfaces.
Let’s explore three compelling reasons and real-world scenarios that highlight the consequences of neglecting this evolving threat.
1. AI-generated polymorphic exploits can circumvent leading security tools
Recent advancements in AI have given rise to polymorphic malware capable of evading detection by EDR and antivirus solutions. These sophisticated exploits mutate their code with each iteration and employ encryption without relying on traditional command-and-control communications channels. Consequently, security teams face challenges in detecting and mitigating these threats promptly.
Real-world example: ChatGPT Polymorphic Malware Evades “Leading” EDR and Antivirus Solutions
In a recent report, researchers demonstrated the creation of polymorphic malware that successfully evaded antivirus software by exploiting ChatGPT prompts. Another study showcased the development of a polymorphic keylogging malware that bypassed an industry-leading automated EDR solution. These examples emphasise the need for security teams to address security gaps while awaiting patch releases, testing their effectiveness, prioritising vulnerabilities, and rolling out patches to affected systems. This process can span several weeks or months, leaving organisations vulnerable unless supported by complementary security measures.
2. Patching failures and patching fatigue impede security teams
Unfortunately, patch-related issues frequently occur, with updates sometimes breaking systems due to inadequate testing. In some cases, patches fail to address all vulnerabilities comprehensively, leaving systems exposed to further attacks and requiring additional patches for complete resolution.
Real-world example: Suffolk County’s ransomware attack
The Suffolk County government in New York fell victim to a ransomware attack, stemming from the exploitation of the Log4j vulnerability. This breach occurred despite security patches being available since December 2021. The attack resulted in the theft of 400 gigabytes of data, including thousands of social security numbers, leading to an initial ransom demand of $2.5 million. Although the ransom was not paid, the incident incurred significant costs, including data loss, reduced employee productivity, investigation expenses, and ongoing recovery efforts. The county has already spent $5.5 million on remediation.
Real-world example: An errant Windows server update causing significant disruptions
On a personal note, I recall an incident where an automatic Microsoft Windows server update led to authentication service disruptions between IoT clients and AAA servers. This situation occurred during Patch Tuesday and required 24 hours of continuous work to rebuild critical infrastructure and restore normal operations. Similar occurrences have happened over the years, underscoring the importance of disabling automatic updates, frequent backups, and diligent patch management.
3. Endpoint patching is limited to known devices and apps
The shift to remote work and the proliferation of personal devices connecting to organisational networks have created blind spots for security teams. Shadow IT and the absence of company-sanctioned secure remote access increase the organisation’s external attack surface, providing additional opportunities for threat actors.
Real-world example: LastPass’ recent breach
LastPass, a popular password manager, experienced a significant data breach that targeted home computers of DevOps engineers. Exploiting an unpatched vulnerability (CVE-2020-5741) in Plex Media Server installed on one engineer’s personal Windows desktop, threat actors gained access to LastPass cloud-based storage, compromising DevOps secrets and multi-factor authentication (MFA) and Federation databases. The vulnerability had a patch available for three years, but the employee failed to upgrade.
In conclusion, in today’s evolving threat landscape and remote work environment, relying solely on patching for endpoint security is insufficient. Organisations must prioritise cyber hygiene, promote employee awareness, and adopt a comprehensive approach to cybersecurity. By implementing risk-based vulnerability management, leveraging threat intelligence, and utilising unified endpoint management platforms, organisations can enhance their defenses against sophisticated attacks. Embracing advanced solutions, such as AI-guided cyber hygiene tools, is crucial in staying ahead of evolving threats. A proactive, multi-layered approach is essential to safeguard critical assets and ensure organisational resilience.
Written by: James Saturnio
