Separate your infrastructure into secure and insecure endpoints
An endpoint is any piece of hardware or software that contains some kind of runtime responsible for managing applications.
A classic endpoint example is a laptop. This device consists of hardware, an operating system, and applications that sit on top. There are countless variations of this device, as different hardware can be paired with different operating systems and different applications can be installed on top of any combination, each configured differently.
What every endpoint has in common - whether a laptop or a traffic light - is a surface area. A MacBook Air exposes a large surface area: the user can install arbitrary software, compile code, or manipulate network traffic or memory. Conversely, an iPad has a smaller surface area because these actions are not allowed.
The surface area of a device is what separates secure from insecure endpoints.
Secure endpoints are those running operating systems that were designed with security in mind.
According to CISA:
While all operating system vendors work to continuously improve the security of their products, two stand out as being “secure by design,” specifically, Chromebooks and iOS devices like iPads.
Some organizations have migrated some or all their staff to use Chromebooks and iPads. As a result, they have removed a great deal of “attack surface,” which in turn makes it much harder for attackers to get a foothold. Even if an attacker were able to find a foothold on those systems as part of a ransomware attack, the data primarily lives in a secure cloud service, reducing the severity of the attack.
Secure endpoints can be broken into two camps: secure by design and ephemeral.
Secure by design endpoints are hardware/software devices - such as iPads or Chromebooks - that provide holistic surface area protection, limiting what a user is able to do on the device.
Ephemeral endpoints create security by being disposable. Containers and Platform as a Service (PaaS) solutions are good examples. Ephemeral endpoints generally have more surface area than their secure-by-design counterparts, but their naturally short lifespans mean nothing sensitive can be stored on them.
Insecure endpoints are those running operating systems not designed around security.
Traditional devices, like laptops and servers, fall into this category - whether running Linux, macOS or Windows. These operating systems were designed to empower the end user, giving them access to the full file system, shared memory and capabilities such as arbitrary software installation. That empowerment means a compromise has significant impact, because the attacker inherits the same unrestricted access.
Insecure endpoints can be "patched" to masquerade as secure ones. Patching is generally done by installing defensive controls, such as antivirus or EDR. These controls monitor the surface area and prevent attacks on the endpoint.
Take ransomware, which executes the following flow:
- Drop malware on disk and execute it
- Look for files across the operating system, encrypting each
- Use a built-in utility to laterally move to another endpoint
These steps cannot be performed on a secure by design device, which mitigates such attacks by:
- Preventing all arbitrary software installation attempts
- Sandboxing each application, including separate file systems, so apps cannot interact with each other
- Not including system utilities that support lateral movement
Defensive controls "patch" the insecure device by detecting and preventing ransomware attacks. So, even though these attacks remain possible on the endpoint, the control closes the gap.
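The three-stage flow above is exactly what an EDR-style control on an insecure endpoint has to correlate. The following is an added example, not code from the original page: it walks constructed endpoint telemetry (JSON lines) and reports, per host, how far the drop-execute / mass-encrypt / lateral-move flow progressed. The event format, the list of lateral-movement utilities and the directory threshold are assumptions.

```python
import json

# Assumptions, not from the page: which utilities the control treats as lateral-movement
# capable, and how many distinct directories a process must write into to count as mass encryption.
LATERAL_MOVEMENT_UTILS = {"wmic.exe", "psexec.exe"}
ENCRYPT_THRESHOLD = 5

# Constructed telemetry: one laptop completing the full flow, one server that only runs a
# dropped installer and never mass-writes files. Paths are Windows-style, JSON-escaped.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:00:00", "host": "LAPTOP-01", "type": "file_create", "path": "C:\\Users\\a\\Downloads\\invoice.exe"}
{"ts": "2024-05-01T09:00:05", "host": "LAPTOP-01", "type": "process_start", "image": "C:\\Users\\a\\Downloads\\invoice.exe"}
{"ts": "2024-05-01T09:00:07", "host": "LAPTOP-01", "type": "file_write", "proc": "C:\\Users\\a\\Downloads\\invoice.exe", "path": "C:\\Users\\a\\Documents\\q1.docx.locked"}
{"ts": "2024-05-01T09:00:08", "host": "LAPTOP-01", "type": "file_write", "proc": "C:\\Users\\a\\Downloads\\invoice.exe", "path": "C:\\Users\\a\\Pictures\\dog.jpg.locked"}
{"ts": "2024-05-01T09:00:09", "host": "LAPTOP-01", "type": "file_write", "proc": "C:\\Users\\a\\Downloads\\invoice.exe", "path": "C:\\Users\\a\\Desktop\\budget.xlsx.locked"}
{"ts": "2024-05-01T09:00:10", "host": "LAPTOP-01", "type": "file_write", "proc": "C:\\Users\\a\\Downloads\\invoice.exe", "path": "D:\\Shares\\finance\\ledger.pdf.locked"}
{"ts": "2024-05-01T09:00:11", "host": "LAPTOP-01", "type": "file_write", "proc": "C:\\Users\\a\\Downloads\\invoice.exe", "path": "C:\\Users\\a\\Music\\song.mp3.locked"}
{"ts": "2024-05-01T09:02:00", "host": "LAPTOP-01", "type": "process_start", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe"}
{"ts": "2024-05-01T09:10:00", "host": "SRV-02", "type": "file_create", "path": "C:\\Temp\\setup.exe"}
{"ts": "2024-05-01T09:10:02", "host": "SRV-02", "type": "process_start", "image": "C:\\Temp\\setup.exe"}
{"ts": "2024-05-01T09:10:09", "host": "SRV-02", "type": "file_write", "proc": "C:\\Temp\\setup.exe", "path": "C:\\Program Files\\App\\app.dll"}
"""

def detect_ransomware_flow(event_lines):
    """Correlate the three stages per host; returns {host: highest stage reached (0-3)}."""
    state = {}
    for line in event_lines:
        if not line.strip():
            continue
        e = json.loads(line)
        h = state.setdefault(e["host"], {"dropped": set(), "writes": {}, "stage": 0})
        if e["type"] == "file_create" and e["path"].lower().endswith(".exe"):
            h["dropped"].add(e["path"])                      # candidate malware drop
        elif e["type"] == "process_start":
            image = e["image"]
            if image in h["dropped"]:                        # stage 1: dropped binary executed
                h["stage"] = max(h["stage"], 1)
                h["writes"].setdefault(image, set())         # start tracking its file writes
            elif image.rsplit("\\", 1)[-1].lower() in LATERAL_MOVEMENT_UTILS and h["stage"] >= 2:
                h["stage"] = 3                               # stage 3: lateral movement after encryption
        elif e["type"] == "file_write" and e["proc"] in h["writes"]:
            h["writes"][e["proc"]].add(e["path"].rsplit("\\", 1)[0])   # distinct directories touched
            if len(h["writes"][e["proc"]]) >= ENCRYPT_THRESHOLD:
                h["stage"] = max(h["stage"], 2)              # stage 2: writes across the file system
    return {host: s["stage"] for host, s in state.items()}
```

On the sample data the laptop reaches stage 3 and the server stops at stage 1, which is the difference between a control that blocks at stage 2 and one that only logs an installer.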