Jason Rebholz
July 22, 2019

Incident Response: Endpoint Agent All the Things?

The emergence of specialized endpoint technology has slowly and quietly shaped the way we think about security and incident response. We have outgrown the prior notion that installing anti-virus software will fully protect an organization after we saw failure after failure in its ability to keep pace with the next generation of malware and threat actors. In response to this, more mature organizations have started to deploy next-gen anti-virus and endpoint protection platforms (EPP) — yes, this is just one more acronym to track — to help combat today’s threats. Meanwhile forensic providers have started to leverage specialized endpoint technology as part of the incident response process.

As a claims adjuster, or even a seasoned security professional, you may find yourself asking what EPP is — you’re not alone. Spoiler alert, it’s endpoint technology that detects and prevents malicious activity coupled with the ability to investigate and contain security threats. New endpoint technology and marketing buzzwords are popping up left and right. It’s easy to get caught up in the whirlwind of machine learning (ML) and artificial intelligence (AI) and think that all endpoint technology is created equal.

At MOXFIVE, we are often asked about endpoint technology: who uses it, what does it do, when should it be used, where should it be deployed, and how does it help? When vendors tack on technology fees it adds yet another level of complexity for claims adjusters to evaluate whether the costs are reasonable for a specific security event. The reality is that the quality and use of endpoint technology varies widely between vendors, so answering the question of whether it is reasonable is not always straightforward. For example, most “out of the box” endpoint technology does not provide the investigative capabilities required for an efficient response, so it’s important to understand what modifications a vendor has made and how they plan to use the technology.

While every endpoint technology may start out like a standard stock car, it’s left to the incident response firm to customize the technology and take it from a Ford Pinto to a Ferrari. First, it’s important to understand what you’re dealing with, as not every racetrack is fit for a Ferrari. Second, you need to figure out who’s driving it and how well it performs. An immediate question that comes to mind is whether the vendor has custom investigative processes or if they relying solely on automated features of the endpoint technology? Just having an endpoint agent installed in the environment does not mean that there is a quality investigation being performed.

Whether you’re a claims adjuster, underwriter, or Breach Coach, MOXFIVE serves as a technical advisor to help navigate through the growing frequency, severity, and complexity of claims.

In this post we’ll help break down the different types of endpoint technology and how it can support an investigation.

Endpoint Technology for Incident Response

Endpoint technology can be boiled down into three core functions for incident response. They are the ability to investigate, monitor, and contain security threats. Let’s briefly dive into each.


Endpoint Technology Core Functions in Incident Response
Endpoint Technology Core Functions in Incident Response

Investigate

Certain endpoint agents provide the ability to perform a remote investigation of the endpoint. Gone are the days of having to image a system to obtain the required data. The endpoint agent can collect forensic artifacts and provide them to investigators so they can review historical activity on the system. This investigative ability is critical when responding to incidents that occurred prior to having the endpoint technology installed. Without the ability to look backwards, it would be as if the investigator was reading a book that only had every fifteenth page — you can imagine the difficulty in understanding the plot when you are missing so many pages.

Monitoring

Endpoint technology can be used to actively monitor activity on a system to quickly call out malicious activity. Most importantly, this monitoring takes place from the point at which the endpoint agent was installed going forward — it does not include historical data (though some endpoint agents can be configured to collect forensic artifacts, the investigate function, when first installed). The monitoring function is extremely useful when dealing with an active attacker in an environment as it can serve as a flight recorder for the system, giving investigators the ability to see the attacker’s journal of everything they did on the system — “Dear Diary, today I logged into a domain controller and executed a script that deployed malware to 100 systems. I also logged into three more systems, archived data, and uploaded it to the web. Signed, not your friendly attacker.”

Containment

Endpoint agents that help contain security incidents will generally include the ability to:

  • Block execution of malicious files / activity
  • Remove malicious files / artifacts
  • Restrict outbound network communication
  • Quarantine the system from the rest of the network

These capabilities are critical when dealing with large scale enterprises experiencing a malware outbreak or when a threat actor is still active in the environment and you need to kick them out. Used correctly, endpoint technology can reduce rebuild costs by removing malware from systems and protecting them going forward instead of having to rebuild entire networks.

Use Cases

It goes without saying that every attack scenario is different and unique to the environment. However, there are high level guidelines below that can be applied when you have a solid understanding of the endpoint technology’s capabilities and how it is going to be used in the response efforts.

Example Endpoint Technology Use Cases in Incident Response
Example Endpoint Technology Use Cases in Incident Response

Takeaway

Endpoint technology has provided investigators the ability to scale in ways that were not possible before. Instead of leveraging an army of boots on the ground, you can scale a small team of specialized responders with the right tooling. When done correctly, it provides a more efficient investigation resulting in a higher degree of confidence and lower total engagement costs for the investigation. When used ineffectively, endpoint technology can provide a false sense of security and unnecessarily increase costs.

The reality of our current situation is that the endpoint products vary so widely in their capability and the forensic vendors’ customization. It isn’t always straight forward on what value, if any, the endpoint technology adds to an investigation. One must understand the functionality of the technology, how it is being used, and the unique attack scenario that occurred to gauge when endpoint technology is appropriate, and a value add for the response efforts. This is not to diminish the effectiveness of endpoint technology by any means, it’s something that can be extremely valuable in an investigation. What it comes down to is using the right tool for the right job.

Insurance carriers that partner with MOXFIVE gain access to our technical advisors that support claims teams in answering these questions and ensure that breach victims are given the highest degree of service while managing costs and investigative rabbit holes.

Jason Rebholz

Jason was born and raised in incident response, having helped over a thousand companies who were victims of cyber-attacks. He spent over a decade conducting investigations into APT threat actors, financial / organized crime, and hacktivists that targeted the SMB space and Fortune 100 companies. As a founding member of MOXFIVE, Jason now supports organizations in mitigating the impact of cyber-attacks through building a more secure and resilient infrastructure and assisting ransomware victims in securely restoring business operations following ransomware attacks.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine

HOW WE CAN HELP

Our mission is to minimize the business impact of cyber attacks. 

Incident Management

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More