As we continue our blog series on security validation, we look at the Cymulate best practices for validating endpoint security solutions, covering both antivirus (AV) and endpoint detection and response (EDR). But first, let’s recall the principle of security validation as defined by Cymulate.
The Principle of Security Validation
Security Validation is a fundamental principle in cybersecurity aimed at ensuring that systems, applications, and processes are secure and operate as intended.
Why Endpoint Security is Critical
Endpoint security is often identified as the most critical control point, given that endpoint devices are the primary target of threat actors. Threat actors look to gain initial access to an endpoint, escalate their privileges, and then move laterally across other endpoints on the network in search of systems and data of value (your IT crown jewels).
Endpoint security controls include legacy signature-based antivirus (AV) solutions and more sophisticated behavior-based endpoint detection and response (EDR) solutions within a broader endpoint protection platform (EPP). Most organizations are moving towards EDR solutions because, as threat actors grow more sophisticated, fileless attacks are increasing relative to file-based (signature) attacks.
Recent Attacks Highlight the Importance of Endpoint Security
In the first half of 2024, we have already witnessed some extremely notable attacks that rendered critical endpoint systems inoperable, causing widespread damage and disruption:
- Change Healthcare attack on claims processing and payment systems
- Ascension Health attack on critical care systems
- CDK Global attack on dealer systems
Given the critical importance of endpoint security controls, it is essential to validate them frequently to ensure they are operating as intended and can stop the latest cyber threats. These controls can support a lot of tuning and configuration for the detection and prevention of malicious threats, but how do you know your controls are operating effectively?
Cymulate Best Practices for Endpoint Security Validation
The Cymulate best practices for endpoint security validation include a comprehensive assessment of endpoint security controls with an extensive array of execution methods used by threat actors to exploit and compromise endpoints.
With more than 490 test scenarios, the assessment covers a full range of critical attack types, including known malicious files for AV controls and malicious behaviors for EDR controls involving ransomware, worms, and trojans. The test scenarios will challenge the most highly rated endpoint security controls by using the full range of execution methods and malicious behaviors from the most advanced threat actors across the globe.
The Cymulate endpoint security assessment includes the following best practices for both AV controls and EDR controls plus rootkits, DLL side-loading and different forms of code injection.
Best Practice: Known Malicious Files (Antivirus)
Security teams should conduct validation tests using a comprehensive suite of the latest known malware file samples to determine the detection and prevention capabilities of the antivirus solution. The same tests verify that the signature database is up to date and that the software is properly configured to scan all relevant files and data streams.
These tests are designed to simulate signature-based malware samples that are dropped to disk (without execution) to check the response of traditional antivirus and anti-malware software solutions running on the endpoint.
Best Practice: Malicious Behaviors (EDR)
Today’s threat actors have moved beyond signature-based attacks that are easily detected by endpoint security controls to more behavior-based attacks that are harder to detect because they often use legitimate system processes and user behaviors to bypass security controls. These types of attacks require more sophisticated EDR solutions to detect and prevent attacks based on suspicious and malicious behaviors.
Security teams should simulate a wide range of adversary behaviors using different execution methods and payloads covering the latest malware, ransomware, worms, and trojan samples to fully validate their EDR detection and prevention capabilities.
Best Practice: Rootkits
Rootkits are a type of malware that typically operates at a low level in the operating system to avoid detection. They often manipulate core system functions and substitute system calls to try to disguise their malicious actions.
Security teams should test their endpoint security controls to validate the integrity of system binaries and determine if the controls can detect when system functions have been altered by a threat actor.
Best Practice: DLL Side-Loading
DLL side-loading is another method used by threat actors to load malicious DLL files into the memory space of legitimate applications.
Security teams should simulate these DLL side-loading behaviors to test their endpoint security solution and validate that it can detect and prevent malicious DLL files from being loaded into the memory space of legitimate applications.
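To make the detection side of this test concrete, the following added example (not Cymulate code) triages image-load events for two common side-loading signals. The field names are modeled on Sysmon Event ID 7 (Image loaded); the DLL name list, directory lists and sample events are constructed assumptions.

```python
import ntpath

# Assumed, deliberately short lists; tune them for your environment.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def in_system_dir(path):
    """True if the (normalized) path sits in or below a system directory."""
    d = ntpath.dirname(ntpath.normcase(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)

def side_load_reasons(event):
    """Return the reasons one image-load event looks like DLL side-loading."""
    host = ntpath.normcase(event["Image"])
    dll = ntpath.normcase(event["ImageLoaded"])
    if not dll.endswith(".dll"):
        return []
    reasons = []
    signed_ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    # Signal 1: a name that belongs in System32 resolves from somewhere else.
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not in_system_dir(dll):
        reasons.append("system DLL name loaded from outside the system directories")
    # Signal 2: an unsigned DLL sits next to its host in a user-writable path.
    same_dir = ntpath.dirname(dll) == ntpath.dirname(host)
    writable = any(marker in dll for marker in USER_WRITABLE)
    if same_dir and writable and not signed_ok:
        reasons.append("unsigned DLL beside its host process in a user-writable path")
    return reasons

def triage(events):
    """Return (ImageLoaded, reasons) for every event with at least one reason."""
    return [(e["ImageLoaded"], r) for e in events if (r := side_load_reasons(e))]

def make_event(image, loaded, signed):
    """Build a constructed event with Sysmon-style string values."""
    return {"Image": image, "ImageLoaded": loaded,
            "Signed": "true" if signed else "false",
            "SignatureStatus": "Valid" if signed else "Unavailable"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    make_event(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", True),
    make_event(r"C:\Users\alice\AppData\Local\Updater\updater.exe",
               r"C:\Users\alice\AppData\Local\Updater\version.dll", False),
    make_event(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll", True),
    make_event(r"C:\ProgramData\Tool\tool.exe", r"C:\ProgramData\Tool\helper.dll", False),
]

if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_EVENTS):
        print(dll, "->", "; ".join(reasons))
```

If the endpoint control raises no alert for events that this triage flags during a simulation, that gap is the finding to take back to tuning.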
Best Practice: Code Injection
Code injection is a method used to exploit the applications that are running on the endpoint devices with the goal of compromising systems, applications and/or data.
Security teams should simulate the injection of malicious code into input fields of their trusted applications running on their endpoints.
Recommended Frequency: Weekly
The goal of these best practices is to thoroughly test the effectiveness of an organization’s endpoint security controls and policies by simulating malicious file samples and behaviors to gain access and control of endpoint devices.
Given the critical role that endpoints play in day-to-day business operations and the diversity of endpoint devices (Windows, Mac, Linux, desktops, laptops, servers, etc.), it is highly recommended that these validation tests be run weekly to identify weaknesses in your endpoint security solutions.
For more information, download our solution brief and schedule a demo of our endpoint security assessment.