Instead of relying on your favorite EDR or antivirus vendor, here is what your security team can and should implement for endpoint security.
Endpoint security is not about products, solutions, or vendors. As with everything else in the world of cybersecurity, we believe it is about the solid implementation of sound architecture principles that address the various risks.
You could use commercial or free and open-source tools. As we do not advertise any security vendor, this article focuses only on free and open-source solutions.
1. Endpoint Defense
1.1. Anti-Malware
- For Linux, use ClamAV: an open-source antivirus engine for detecting trojans, viruses, and other malicious software. Alternatively, you could use the free version of Sophos for Linux.
- For Windows, use Windows Defender: a built-in antivirus solution that provides real-time protection against malware.
- Steps (ClamAV):
- Download ClamAV: https://www.clamav.net/
- Install and configure ClamAV following the documentation: https://docs.clamav.net/
- Schedule regular scans and signature updates.
- Steps (Windows Defender):
- Open Windows Security app.
- Click on “Virus & threat protection” and make sure real-time protection is enabled.
- Schedule regular scans and signature updates.
It could take anyone with the skills to use Google an average of 15 minutes to an hour to bypass most antivirus solutions, which is why you should not rely on them alone for your defense strategy. If a hacker does manage to execute malicious code on one of your endpoints, you must be able to detect it by other means, some of which are described further in this article. One key thing to detect is the execution of PowerShell or VB scripts, or of unknown, new binaries, on any of your endpoints.
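The detection point above, as an added example (the editor's code, not the article's): a small shell/awk filter that, given process-execution events, flags launches of PowerShell and the Windows Script Host (wscript/cscript) and any binary whose hash is not on a known-good baseline. The log format, host names, paths and hash values are constructed for the demo; Sysmon Event ID 1 on Windows and auditd execve records on Linux carry the same fields, so the same logic applies to real data once the fields are extracted.

```shell
#!/bin/sh
# Added example (editor's own, not from the original article): flag launches of
# script hosts and of binaries that are not on a known-good baseline, using a
# constructed, simplified process-execution log.
#
# Assumed log format, one event per line, pipe-separated:
#   <utc-timestamp>|<host>|<user>|<image-path>|<sha256>
# Every value below is constructed for the demo; the hashes are short
# placeholders, not real digests.

SAMPLE_LOG='2024-05-01T09:12:03Z|ws01|alice|C:\Windows\explorer.exe|bbbb2222
2024-05-01T09:12:09Z|ws01|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|dddd4444
2024-05-01T09:13:41Z|ws01|alice|C:\Users\alice\AppData\Local\Temp\update.exe|eeee5555
2024-05-01T09:14:00Z|srv02|root|/usr/bin/bash|aaaa1111
2024-05-01T09:14:02Z|ws03|bob|C:\Windows\System32\wscript.exe|ffff6666'

# Baseline: hashes of binaries already reviewed and approved (constructed).
# powershell.exe is deliberately on it, to show that script-host launches are
# flagged even when the interpreter itself is a known-good binary.
KNOWN_HASHES='aaaa1111
bbbb2222
dddd4444'

# flag_suspicious_execs LOG BASELINE
# Prints "<reason>|<original line>" for every event worth a closer look:
#   script-host     -> PowerShell or the Windows Script Host (wscript/cscript)
#   unknown-binary  -> image hash not in the baseline
flag_suspicious_execs() {
    printf '%s\n' "$1" | awk -F'[|]' -v allow="$2" '
        BEGIN {
            n = split(allow, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") known[a[i]] = 1
        }
        NF < 5 { next }                       # skip malformed lines
        {
            base = $4
            gsub(/\\/, "/", base)             # normalise Windows separators
            sub(/.*\//, "", base)             # keep only the file name
            base = tolower(base)
            reason = ""
            if (base == "powershell.exe" || base == "pwsh.exe" ||
                base == "wscript.exe" || base == "cscript.exe")
                reason = "script-host"
            else if (!($5 in known))
                reason = "unknown-binary"
            if (reason != "") print reason "|" $0
        }'
}

# Stand-alone demo: prints three hits (powershell.exe, update.exe, wscript.exe).
flag_suspicious_execs "$SAMPLE_LOG" "$KNOWN_HASHES"
```

Flagging the interpreter even when its hash is on the baseline is deliberate: the binary is legitimate, what matters is that it ran at all on a workstation where it normally does not. The baseline is the same list that application whitelisting (section 1.4) would enforce; here it is only used to detect, which is the fallback the paragraph argues for.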
1.2. Host Firewall
The objective of a host firewall is to prevent others on the same network from accessing the endpoint in an unauthorized manner. This is especially important when you are on the move, such as at an airport, in a coffee shop, or in any other public place where anyone could be on the same unprotected network as you.
- Implement a host-based firewall using iptables on Linux or Windows Firewall on Windows systems.
- Steps (Linux):
- Install iptables:
sudo apt-get install iptables
- Configure iptables rules: https://help.ubuntu.com/community/IptablesHowTo/
- Save and reload rules (requires the iptables-persistent package, which provides the netfilter-persistent command):
sudo netfilter-persistent save
- Steps (Windows):
- Open Windows Firewall settings.
- Configure inbound and outbound rules: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule
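A concrete ruleset for the laptop-on-a-public-network case described above, as an added example (editor's code, not from the article). It assumes a Debian/Ubuntu host with the iptables-persistent package, which provides the netfilter-persistent command used in the steps; the optional port list is a hypothetical parameter for the rare case where something on the laptop must accept inbound connections.

```shell
#!/bin/sh
# Added example (editor's own, not from the original article): a default-deny
# host firewall for a laptop on untrusted networks, written in iptables-restore
# format, with the commands that validate, apply and persist it. Assumes a
# Debian/Ubuntu host with the iptables-persistent package installed.

# laptop_ruleset [TCP_PORT ...]
# Prints the IPv4 ruleset. Inbound is dropped by default; any ports given as
# arguments are opened for new TCP connections (none on a public network).
laptop_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic and replies to connections the host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot classify are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# apply_ruleset [TCP_PORT ...]
# Parses the ruleset in test mode first, so a mistake is reported before
# anything is loaded, then loads it and persists it across reboots.
apply_ruleset() {
    laptop_ruleset "$@" | iptables-restore --test || return 1
    laptop_ruleset "$@" | iptables-restore || return 1
    netfilter-persistent save          # writes /etc/iptables/rules.v4
}

# Stand-alone demo: show the ruleset with SSH (22) opened, without applying it.
laptop_ruleset 22
```

The text laptop_ruleset prints is the same format netfilter-persistent save writes to /etc/iptables/rules.v4, so it can also be placed there directly. It covers IPv4 only: an equivalent ruleset has to be loaded with ip6tables-restore (persisted as rules.v6), otherwise inbound IPv6 stays open on any network that hands out IPv6 addresses.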
1.3. HIPS (Host-based Intrusion Prevention System)
- Use OSSEC, an open-source HIPS that provides intrusion detection, log analysis, and more.
- As a closed-source alternative, you can use Comodo Advanced Endpoint Protection (free for personal use).
- Steps (OSSEC):
- Download OSSEC: https://www.ossec.net/
- Install and configure following the documentation: https://documentation.wazuh.com/
- Steps (Comodo AEP):
- Download Comodo AEP: https://www.comodo.com/endpoint-protection/advanced-endpoint-protection.php
- Install and configure following the documentation: https://help.comodo.com/topic-399-1-783-10136-Introduction-to-Comodo-Advanced-Endpoint-Protection.html
1.4. Application Whitelisting
Application whitelisting is one of the most effective methods to prevent the execution of malicious code once a hacker has bypassed your AV. As we mentioned earlier, bypassing any AV solution takes little time and few resources.
- Implement an application whitelisting solution using AppArmor on Linux or Windows AppLocker on Windows.
- Steps (Linux):
- Install AppArmor:
sudo apt-get install apparmor
- Configure profiles for allowed applications: https://wiki.ubuntu.com/AppArmor/
- Steps (Windows):
- Open Group Policy Management Console.
- Configure AppLocker rules: https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview
2. Disk Encryption
- For Linux, use LUKS to encrypt the disk.
- For Windows, use BitLocker, a built-in disk encryption feature available in Windows 10 Pro and Enterprise editions, or VeraCrypt as a free alternative for other Windows editions.
- Steps (Linux):
- Install LUKS:
sudo apt-get install cryptsetup
- Encrypt disk using the guide: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system/
- Steps (Windows, BitLocker):
- Ensure that you have Windows 10 Pro or Enterprise edition.
- Open “BitLocker Drive Encryption” settings.
- Follow the guide to enable BitLocker: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838
- Steps (Windows, VeraCrypt):
- Download VeraCrypt: https://www.veracrypt.fr/en/Downloads.html
- Install and configure VeraCrypt following the documentation: https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html
By using LUKS for Linux and BitLocker or VeraCrypt for Windows, you can ensure that your data is encrypted and protected from unauthorized access.
3. Network Access Control
- Use PacketFence for Network Access Control and device compliance.
- Steps:
- Download PacketFence: https://packetfence.org/
- Install and configure following the documentation: https://packetfence.org/documentation.html/
4. BYOD Security – Unified Endpoint Management
- Use WSO2 IoT Server for unified endpoint management.
- Steps:
- Download WSO2 IoT Server: https://wso2.com/iot/
- Install and configure following the documentation: https://docs.wso2.com/display/IoTS320/
5. Remote Access/VPN
- Implement OpenVPN for secure remote access.
- Steps:
- Download OpenVPN: https://openvpn.net/
- Install and configure following the documentation: https://openvpn.net/community-resources/how-to/
6. Secure Configuration Baselines (Security Hardening)
- For general configuration baselines, use CIS Benchmarks.
- For systems that require compliance with United States Department of Defense (DoD) standards, use Security Technical Implementation Guides (STIGs).
CIS Benchmarks provide a comprehensive set of security best practices and configuration guidelines for various operating systems, software, and hardware. They are developed by the Center for Internet Security (CIS) and are widely used across industries.
STIGs, on the other hand, are developed by the Defense Information Systems Agency (DISA) for the DoD. They provide security hardening guidelines for DoD systems and are tailored specifically to meet the security requirements of the US military and other government organizations. STIGs are stricter and may include additional security measures not found in the CIS Benchmarks.
- Steps (CIS Benchmarks):
- Download CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
- Follow guidelines for your specific OS: https://workbench.cisecurity.org/
- Steps (STIGs):
- Access DISA STIGs: https://public.cyber.mil/stigs/
- Download the appropriate STIG for your system or application.
- Follow the STIG guidelines to configure and harden your system.
7. Build Compliance Checking
- Use OpenSCAP for automated compliance checking.
- Steps:
- Download OpenSCAP: https://www.open-scap.org/
- Install and configure following the documentation: https://www.open-scap.org/documentation/
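What a compliance check like those in sections 6 and 7 actually evaluates, as an added example (editor's code, not the article's and not OpenSCAP): a POSIX shell script that checks a few sshd_config settings against expected hardening values. The expected values are commonly recommended settings chosen for the demo rather than citations of particular CIS or STIG items, the sample configuration is constructed, and the function names are the editor's.

```shell
#!/bin/sh
# Added example (editor's own, not from the original article): a hand-rolled
# baseline check for a few sshd_config settings, the kind of check OpenSCAP
# evaluates in bulk from a benchmark profile. Expected values are common
# hardening recommendations chosen for the demo, not quotations of specific
# CIS or STIG items; replace them with the benchmark you adopt.

# Constructed sample configuration exercising the usual pitfalls: a
# commented-out line, mixed-case keywords, and a setting inside a Match block.
SAMPLE_CONFIG='# constructed sshd_config for the demo
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
permitemptypasswords no
MaxAuthTries 6
Match User backup
    X11Forwarding no'

write_sample_config() {   # $1: destination path
    printf '%s\n' "$SAMPLE_CONFIG" > "$1"
}

# sshd_setting FILE KEYWORD -> prints the effective global value, or "unset".
# Mirrors how sshd reads the file: the first occurrence wins, keywords are
# case-insensitive, "#" lines are comments, and anything after the first
# "Match" line is conditional rather than global. (The "Keyword=value"
# spelling sshd also accepts is not handled here.)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# check_equals FILE KEYWORD EXPECTED ; check_at_most FILE KEYWORD MAX
# Each prints one PASS/FAIL line and returns 1 on FAIL.
check_equals() {
    actual=$(sshd_setting "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %s = %s\n' "$2" "$actual"; return 0
    fi
    printf 'FAIL %s = %s (expected %s)\n' "$2" "$actual" "$3"; return 1
}

check_at_most() {
    actual=$(sshd_setting "$1" "$2")
    case "$actual" in
        ""|*[!0-9]*) printf 'FAIL %s = %s (expected a number <= %s)\n' "$2" "$actual" "$3"; return 1 ;;
    esac
    if [ "$actual" -le "$3" ]; then printf 'PASS %s = %s\n' "$2" "$actual"; return 0; fi
    printf 'FAIL %s = %s (expected <= %s)\n' "$2" "$actual" "$3"; return 1
}

# check_sshd_baseline FILE -> prints every result, returns the number of failures.
check_sshd_baseline() {
    failures=0
    check_equals  "$1" PermitRootLogin        no || failures=$((failures + 1))
    check_equals  "$1" PasswordAuthentication no || failures=$((failures + 1))
    check_equals  "$1" PermitEmptyPasswords   no || failures=$((failures + 1))
    check_equals  "$1" X11Forwarding          no || failures=$((failures + 1))
    check_at_most "$1" MaxAuthTries           4  || failures=$((failures + 1))
    return $failures
}

# Stand-alone demo: expect 3 failures (PermitRootLogin, X11Forwarding, MaxAuthTries).
demo=$(mktemp)
write_sample_config "$demo"
check_sshd_baseline "$demo" || printf '%d check(s) failed\n' $?
rm -f "$demo"
```

Two details matter in practice and are what the sample exercises: sshd honours the first occurrence of a keyword, so a commented-out line cannot satisfy a check and a later duplicate cannot override an earlier weak value; and settings below the first Match line are conditional, so a check that scanned the whole file would wrongly pass X11Forwarding here. OpenSCAP's OVAL checks encode this kind of logic for hundreds of items; a script like this is for the handful of local items a benchmark does not cover.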
8. Logging and Monitoring
- Implement ELK Stack (Elasticsearch, Logstash, Kibana) for centralized logging and monitoring.
- Steps:
- Download ELK Stack: https://www.elastic.co/downloads/
- Install and configure following the documentation: https://www.elastic.co/guide/index.html/
9. Process Protection
- Use Linux Security Modules (LSM) such as SELinux or AppArmor on Linux, and Microsoft’s Data Execution Prevention (DEP) on Windows, to protect process memory from the malicious actions of other programs.
- Steps (Linux, SELinux):
- Install SELinux (on Debian/Ubuntu there is no package named “selinux”; the Debian wiki recommends the following packages):
sudo apt-get install selinux-basics selinux-policy-default auditd
- Configure SELinux policies: https://wiki.debian.org/SELinux/Setup
- Steps (Windows, DEP):
- Open System Properties.
- Enable DEP for essential Windows programs and services: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
10. Sandboxing
- Implement Firejail for sandboxing applications on Linux.
- Steps:
- Download Firejail: https://firejail.wordpress.com/
- Install and configure following the documentation: https://firejail.wordpress.com/documentation-2/
- For Windows:
Sandboxie
Sandboxie is a popular sandboxing solution for Windows that allows you to run applications in a secure and isolated environment. This can prevent malware, security threats, and unwanted changes to your system.
- Steps (Sandboxie):
- Download Sandboxie: https://www.sandboxie.com/
- Install Sandboxie following the installation guide: https://www.sandboxie.com/InstallHelp
- Run applications within Sandboxie by right-clicking the application and selecting “Run Sandboxed” or by using the Sandboxie Control interface.
Windows Sandbox
Windows Sandbox is an integrated feature available in Windows 10 Pro and Enterprise editions. It provides a lightweight virtual environment to safely run untrusted applications without affecting the host system.
- Steps (Windows Sandbox):
- Ensure that you have Windows 10 Pro or Enterprise edition.
- Enable Windows Sandbox by following the guide: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
- Launch Windows Sandbox from the Start menu and run applications within the isolated environment.
These application sandboxing solutions for Windows provide an additional layer of security by isolating potentially unsafe programs from your main system.
11. Memory Protection
- Use PaX/Grsecurity for advanced memory protection on Linux.
- Steps:
- Download PaX/Grsecurity: https://grsecurity.net/
- Follow the guide to apply patches and configure: https://en.wikibooks.org/wiki/Grsecurity/
12. Security Monitoring: Detecting Malicious or Anomalous Behavior
- Implement Wazuh for security monitoring and intrusion detection.
- Steps:
- Download Wazuh: https://wazuh.com/
- Install and configure following the documentation: https://documentation.wazuh.com/
13. Threat Hunting
Threat hunting is a proactive approach to identifying and mitigating cyber threats in your environment. It involves the use of various tools, techniques, and intelligence to search for signs of compromise or malicious activity that may have evaded traditional security measures.
Velociraptor is an open-source, endpoint visibility tool designed for threat hunting, digital forensics, and incident response. It allows security teams to collect and analyze endpoint data, quickly identify threats, and remediate them.
- Steps (Velociraptor):
- Download Velociraptor: https://www.velocidex.com/
- Install and configure Velociraptor following the documentation: https://docs.velociraptor.app/
- Deploy Velociraptor agents to endpoints.
- Use the Velociraptor web interface or API to query endpoint data, create custom hunts, and analyze results.
In addition to Velociraptor, there are other threat hunting tools and platforms that can be used to enhance your security posture:
TheHive
TheHive is an open-source Security Incident Response Platform (SIRP) designed to facilitate threat hunting, incident management, and collaboration among security teams.
- Steps (TheHive):
- Download TheHive: https://github.com/TheHive-Project/TheHive
- Install and configure TheHive following the documentation: https://github.com/TheHive-Project/TheHiveDocs
- Integrate TheHive with your existing security tools and platforms.
- Use TheHive’s web interface to manage incidents, analyze data, and collaborate with your team.
YARA
YARA is an open-source tool used to create custom rules for identifying and classifying malware based on textual or binary patterns. It is a versatile and powerful tool for threat hunting and malware analysis.
- Steps (YARA):
- Download YARA: https://github.com/VirusTotal/yara
- Install and configure YARA following the documentation: https://yara.readthedocs.io/en/stable/
- Create custom YARA rules for identifying threats specific to your environment.
- Use YARA to scan files, memory, or network traffic for matches to your custom rules.
By following these step-by-step instructions and using the open-source tools listed above, you can build a comprehensive endpoint security strategy.
Remember to keep all software up-to-date and continuously monitor your environment for threats to ensure the highest level of protection.
If you require the assistance of an expert team, Kloudwerk is here to help!
And, if you have a LOT of time on your hands, you can explore the free security tools and services that CISA has collected.