
Endpoint Security - is it Getting Less Important?

In a recent article, CrowdStrike's field CTO Zeki Turedi makes an interesting point: as attackers move from malware-based attacks to credential theft and identity-based breaches, identity is becoming the new major battleground in cybersecurity.


This is especially significant coming from an endpoint security technology firm. It is also the reason why endpoint security companies are diversifying into Identity Threat Detection and Response (ITDR). We've covered ITDR here and here.


This shift is driven by cloud adoption and remote work, which expand the attack surface: as companies rely more heavily on cloud IaaS and especially SaaS solutions, the attackers' incentive changes. They can now do much more damage by compromising identities, logging in on behalf of unsuspecting users and then exfiltrating or destroying data, all without infecting or gaining a foothold on endpoint devices.

ITDR vs EDR
Is identity more important than endpoint security?

No wonder CrowdStrike now points out that identity-based attacks account for 75% of initial access attempts. In this context, a few key points for security teams emerge:

  • Credential-based attacks have lower visibility compared to malware, making traditional detection methods less effective.

  • Organizational silos and legacy security tools such as SIEM create gaps in visibility and impede response times by overwhelming teams with excess data.

  • Cybersecurity platforms need to unify visibility across cloud, endpoints, and especially identities. Security Operations Centers (SOCs) need real-time intelligence, high-fidelity detections, and AI-assisted automation to keep up.


A recent example of identity-based attacks illustrates the point made by CrowdStrike: ransomware operators are now trying to encrypt cloud data without relying on ransomware. As reported by the Halcyon research team, the Codefinger ransomware gang is encrypting data in victims' Amazon AWS S3 storage buckets using AWS's server-side encryption with customer-provided keys (SSE-C) and demanding payment for the decryption key. They do not steal the data, but they mark encrypted files for deletion within seven days, increasing pressure on victims to pay the ransom.


This identity-focused approach is much more cost-effective for the attacker, as they do not need to deploy any malware on the victim's servers or infrastructure. In this case, the recommendations closely follow what ITDR should be doing, or warning about, automatically:

  • Blocking SSE-C encryption in IAM policies unless explicitly needed

  • Reviewing AWS key permissions, disabling unused keys, and rotating active ones

  • Enabling detailed logging to detect unusual S3 activity.
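The three recommendations above map to one preventive control and two detective checks. The following is an added example, not code from the original post, CrowdStrike or Halcyon: it builds an IAM deny statement that blocks uploads carrying a customer-provided key, scans CloudTrail-style S3 data events for SSE-C writes grouped by the identity that made them, and lists active access keys older than a rotation window. The condition key and the `SSEApplied` field follow AWS's documented CloudTrail and IAM layouts; the log records, key metadata, bucket names and the `NOW` timestamp are constructed for this example.

```python
"""Defensive checks for SSE-C abuse in S3 (added example, not the post's own code).

Field names follow CloudTrail's documented S3 data-event layout and the IAM
condition key AWS documents for SSE-C; all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Preventive control: deny any PutObject that supplies a customer-provided
# key. "Null: false" means "the SSE-C algorithm header IS present".
SSE_C_DENY_STATEMENT = {
    "Sid": "DenyCustomerProvidedKeys",
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::*/*",
    "Condition": {
        "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
    },
}


def deny_sse_c_policy() -> dict:
    """Return a complete IAM policy document wrapping the deny statement."""
    return {"Version": "2012-10-17", "Statement": [SSE_C_DENY_STATEMENT]}


# Constructed CloudTrail-style S3 data events (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-13T02:14:07Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000001",
                      "userName": "backup-svc"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "corp-finance", "key": "ledger/2024.parquet",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T02:14:09Z", "eventName": "CopyObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000001",
                      "userName": "backup-svc"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "corp-hr", "key": "payroll/jan.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T02:15:30Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000002",
                      "userName": "web-uploader"},
     "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"bucketName": "corp-web", "key": "img/logo.png"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
]


def is_sse_c(event: dict) -> bool:
    """True if the write used a customer-provided key (either signal suffices)."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return (params.get("x-amz-server-side-encryption-customer-algorithm") is not None
            or extra.get("SSEApplied") == "SSE_C")


def sse_c_writes_by_identity(events) -> dict:
    """Group SSE-C writes by access key: count, touched buckets, source IPs.

    A single key writing SSE-C objects across several buckets is the pattern
    the post describes and is worth an alert on its own.
    """
    summary = defaultdict(lambda: {"count": 0, "buckets": set(), "ips": set()})
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject") or not is_sse_c(ev):
            continue
        ident = ev.get("userIdentity") or {}
        who = ident.get("accessKeyId") or ident.get("arn") or "unknown"
        entry = summary[who]
        entry["count"] += 1
        entry["buckets"].add((ev.get("requestParameters") or {}).get("bucketName"))
        entry["ips"].add(ev.get("sourceIPAddress"))
    return dict(summary)


# Constructed key inventory in the shape of IAM list_access_keys output.
NOW = datetime(2025, 1, 13, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active", "CreateDate": "2024-12-20T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active", "CreateDate": "2024-06-01T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLE000003", "Status": "Inactive", "CreateDate": "2023-01-01T00:00:00+00:00"},
]


def stale_access_keys(keys, now: datetime = NOW, max_age_days: int = 90) -> list:
    """Return active key IDs older than the rotation window; inactive keys are skipped."""
    stale = []
    for k in keys:
        if k.get("Status") != "Active":
            continue
        created = datetime.fromisoformat(k["CreateDate"])
        if (now - created).days > max_age_days:
            stale.append(k["AccessKeyId"])
    return stale


if __name__ == "__main__":
    for who, info in sse_c_writes_by_identity(SAMPLE_EVENTS).items():
        print(f"SSE-C writes by {who}: {info['count']} across {sorted(info['buckets'])}")
    print("keys due for rotation:", stale_access_keys(SAMPLE_KEYS))
```

The deny statement is the "unless explicitly needed" half of the first bullet: attach it broadly and carve out exceptions only for the identities and buckets that legitimately use SSE-C. The detector needs S3 data events enabled in CloudTrail, which is the "detailed logging" the third bullet refers to; without them, object-level PutObject calls never reach the trail.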


