CISOs are faced with the challenge of their enterprise-level environments being vulnerable to lateral movement in their networks. Carolyn Crandall, Chief Security Advocate and CMO at Attivo Networks, says most CISOs are familiar with the role lateral movement plays in attacks, but organisations need to back up this knowledge with action.
A thief breaking into your home can be a minor experience, or a devastating one. It’s one thing when the criminal leaves after grabbing the first item they see, but it’s a whole different story when they have time to map out where your valuables are and plan the best ways to steal them. Worse yet is when the thief secures the ability to return repeatedly and steal from you again and again. All of this can occur even with doors and windows locked and perimeter security systems installed.
A similar scenario often crops up in cybersecurity. When attackers gain access to an organisation’s network, they look for opportunities to move laterally through the environment and escalate their privileges. They use this information to gain control of resources, change permissions and security settings for greater access, and cover their tracks. This activity can be extremely tricky to detect, as the attackers impersonate real users and their actions look like regular activity.
Most CISOs are familiar with the role lateral movement plays in attacks, but organisations are not backing up this knowledge with action. Most still rely heavily on perimeter defences, behavioural anomaly detection and log management, which provide limited visibility and unmanageable alert volumes. Today’s advanced threats actively leverage lateral movement, which has become an Achilles heel for many organisations. As this issue becomes more severe, CISOs are increasingly beginning to take note.
Thinking laterally
The authors of last year’s Mandiant Security Effectiveness report found that 54% of the ‘techniques and tactics used to execute testing of lateral movement were missed’. They also found that 96% of lateral movement behaviours did not have a corresponding alert in the SIEM, meaning that defenders were left blind in the face of an attack. These stats are concerning, especially since there are solutions to prevent lateral movement.
From the endpoint, lateral movement defences can stop a threat actor at an earlier stage of the attack cycle and reduce the risk of a more significant breach. One approach relies on ‘micro-segmentation’, which divides a network into smaller pieces to slow or stop attacker progress. Others work on an intelligence basis by identifying signs of attack. Intruders often give away their intentions, offering a further opportunity to stop them as they carry out reconnaissance or test the network for vulnerabilities.
Defenders may also use deception and concealment technology to trick threat actors into giving away their presence or tactics. They can place fake Active Directory (AD) credentials or other bait on the network or within endpoints that look like real production assets and serve as tempting targets for attackers. In reality, they are bait or breadcrumbs that lead to traps that reveal the attacker’s presence and allow security teams to banish them from the environment. Innovations in concealment technology can hide real data and AD objects, preventing attackers from finding or accessing the targets they seek.
Once defenders identify an attack, they should seek to impede attackers from gathering intelligence on targets such as credentials, live hosts, open services and AD accounts. Defenders can also look for vulnerabilities, exposures and misconfigurations that create attack paths and remediate them so attackers can’t easily achieve lateral movement and privilege escalation. Those seeking an Active Defence can also use the attacker’s force against them by intercepting their queries for data and redirecting them into decoys as they attempt to move laterally.
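As an added illustration of the bait-credential approach described above (example code, not Attivo’s product or anything from the original article), the detector below scans authentication events for any use of a planted decoy AD account and reports the source that touched it. The decoy account names, the key=value log format and the log lines are all constructed for this example.

```python
import re

# Decoy AD accounts planted as bait. Constructed names: no real user should ever
# authenticate as these, so any authentication attempt is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_helpdesk2"}

# Windows Security event IDs that represent an authentication attempt
# (logon success/failure, Kerberos TGT/TGS requests, NTLM validation).
AUTH_EVENT_IDS = {"4624", "4625", "4768", "4769", "4776"}

# Constructed sample export in a simplified key=value format (assumption).
SAMPLE_LOG = """\
EventID=4624 Account=jsmith Host=WS-0142 SrcIP=10.20.1.15 LogonType=2
EventID=4768 Account=svc_backup_legacy Host=DC01 SrcIP=10.20.1.77
EventID=4625 Account=adm_helpdesk2 Host=FS02 SrcIP=10.20.1.77 LogonType=3
EventID=4624 Account=mchen Host=WS-0199 SrcIP=10.20.1.40 LogonType=3
EventID=4672 Account=svc_backup_legacy Host=DC01 SrcIP=10.20.1.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per authentication event that names a decoy account.

    Non-authentication events (e.g. 4672 privilege assignment) are ignored so
    the alert stream only contains actual attempts to use the bait.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("Account", "").lower() not in decoys:
            continue
        if ev.get("EventID") not in AUTH_EVENT_IDS:
            continue
        alerts.append({
            "event_id": ev["EventID"],
            "account": ev["Account"],
            "target_host": ev.get("Host", "?"),
            "src_ip": ev.get("SrcIP", "?"),
        })
    return alerts


def suspicious_sources(alerts):
    """Sources that touched a decoy: candidates for containment and forensics."""
    return sorted({a["src_ip"] for a in alerts})
```

In a live deployment the same logic would consume SIEM output rather than a string, with the decoy list kept in sync with the accounts actually planted.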
The lessons of lateral movement
Unfortunately, many enterprise-level production environments remain vulnerable to lateral movement, which poses a challenge to CISOs. When they’re assessing their enterprise security solution stack, CISOs should make sure they can efficiently detect activities like discovery, privilege escalation and lateral movement. Otherwise, they’re leaving their organisation vulnerable to longer attacker dwell time, subsequently amplifying the magnitude of the compromise.
It’s incumbent upon security staff to protect their employers by responding quickly to the latest threats and disrupting a threat actor’s attack paths. It also isn’t enough to simply install lateral movement detection systems. Ideally, governments and regulators should put pressure on organisations to establish lateral movement and credential and identity entitlement protections, and better threat intelligence sharing. These defences are increasingly necessary and should be a de facto part of security architecture.
Lateral movement and privilege escalation in the news
Lateral movement is not a niche issue: it is present in roughly 60% of attacks, and over 80% of attacks used privileged access. In the SolarWinds attack, threat actors kept their malware footprint very low as they quietly stole through networks, using credentials to perform lateral movement and establish legitimate remote access. If more efficient security controls to detect lateral movement and privilege escalation had been in place, the attackers would not have had as much time to conduct their attack and the SolarWinds breach might have been less widespread and damaging.
Lateral movement has shown up in many other high-profile incidents, including the NotPetya attacks of 2017, in which a piece of malware spread itself to a wide range of remote systems on the network. Lateral tool transfer also occurred during the 2017 WannaCry outbreak, when a ransomware cryptoworm attempted to copy itself to remote computers using a vulnerability in the Windows implementation of Server Message Block (SMB). These warning signs highlight the pressing need to detect and derail lateral movement attack activities.
Lockdown learnings
The severity of the SolarWinds incident has significantly elevated public awareness of advanced attacks and their disruptive influence on business operations. Organisations should mobilise today to protect themselves and their AD environments with efficient lateral movement detection. At a time when one clever phishing email can trick an employee into handing over a password, it’s time to shift investments so that in-network threat detection is a part of every security programme.
Advanced attacks have shown that the battleground has moved inside the network. For organisations to give security teams the tools they need to combat these adversaries, they should ensure they have deployed the right controls for attack path visibility, lateral movement and privilege escalation detection.