By Morey Haber, Chief Security Advisor, BeyondTrust
In 2020, the UAE famously endured a 250% year-on-year surge in cyberattacks. Some 78% of organizations in the country reported ransomware infections that year. Ransomware infections typically start with a phishing campaign, after which attackers use lateral movement to establish a beachhead before the final payload drop.
Lateral movement is the threat actor’s journey from an overlooked entry point to the secrets vault — a journey that is characterized by escalation of privileges, deployment of additional malware, and eventual compromise of critical data. Lateral movement uses a range of techniques including credential dumping and Pass-the-Hash (PtH) but is notoriously tricky to detect. Indicators of compromise (IoCs) for lateral movement include unusual authentication patterns such as logons outside business hours or from unexpected locations, but the list is so long that formulating a defense strategy can be overwhelming. Here are 10 best practices that can form the foundation of a sound action plan.
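The two authentication indicators named above (logons outside business hours and logons from unexpected locations) can be checked mechanically against an authentication log. The script below is an added example, not code from the article or from BeyondTrust: the log format, user names, addresses and business-hours values are constructed for illustration, and it goes one step beyond the text by also flagging "fan-out", where a single identity from a single source reaches many hosts within a few minutes, a pattern typical of an account hopping between systems.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values: adjust to the environment being monitored.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 5  # distinct hosts reached by one user from one source

# Hypothetical per-user expected source ranges; users not listed are not checked.
EXPECTED_SOURCES = {
    "alice": [ip_network("10.10.0.0/16")],
    "svc-backup": [ip_network("10.20.5.0/24")],
}

# Constructed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)"
)

# Constructed sample events (2024-03-12 is a Tuesday).
SAMPLE_LOG = """\
2024-03-12T09:15:02 user=alice src=10.10.4.21 dst=fs01 result=success
2024-03-12T02:17:44 user=alice src=203.0.113.45 dst=fs01 result=success
2024-03-12T10:00:00 user=svc-backup src=10.20.5.7 dst=db01 result=success
2024-03-12T10:01:00 user=svc-backup src=10.20.5.7 dst=db02 result=success
2024-03-12T10:02:00 user=svc-backup src=10.20.5.7 dst=db03 result=success
2024-03-12T10:03:00 user=svc-backup src=10.20.5.7 dst=web01 result=success
2024-03-12T10:04:00 user=svc-backup src=10.20.5.7 dst=web02 result=success
2024-03-12T10:05:00 user=bob src=10.10.9.3 dst=fs01 result=failure
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ip_address(ev["src"])
    return ev


def off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def unexpected_source(user, src):
    """True when a user with a known source profile authenticates from elsewhere."""
    nets = EXPECTED_SOURCES.get(user)
    return nets is not None and not any(src in net for net in nets)


def find_indicators(lines):
    """Return (indicator, user, detail) tuples for successful logons that look anomalous."""
    findings = []
    recent = defaultdict(list)  # (user, src) -> [(ts, dst), ...] inside the window
    alerted = set()             # (user, src) pairs already reported for fan-out
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue  # failures deserve their own counter; out of scope here
        if off_hours(ev["ts"]):
            findings.append(("off_hours", ev["user"], ev["dst"]))
        if unexpected_source(ev["user"], ev["src"]):
            findings.append(("unexpected_source", ev["user"], str(ev["src"])))
        # Fan-out: one identity from one source reaching many hosts in a short window.
        key = (ev["user"], ev["src"])
        window = [(t, h) for t, h in recent[key] if ev["ts"] - t <= FANOUT_WINDOW]
        window.append((ev["ts"], ev["dst"]))
        recent[key] = window
        hosts = {h for _, h in window}
        if len(hosts) >= FANOUT_THRESHOLD and key not in alerted:
            alerted.add(key)
            findings.append(("host_fanout", ev["user"], len(hosts)))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the 02:17 logon as off-hours and from an unexpected address, and the backup account's sweep across five hosts in four minutes as fan-out. The thresholds are deliberately simple; in practice they would be tuned per role, since a backup service touching many hosts may be normal while the same pattern from a helpdesk user is not.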
1. Zero trust
Zero-trust principles and a zero-trust architecture (ZTA) vastly reduce the attack surface, which subsequently restricts opportunities for lateral movement. The principles call for continuous monitoring and an assumption of compromise that helps accelerate detection and response. Many of the subsequent best practices on this list are vital cogs in a zero-trust security environment.
2. Network segmentation
Breaking networks into zones allows organizations to impose controls on traffic between more sensitive and less sensitive systems. In this way, logical segments and individual assets can be protected from the laterally mobile attacker. Sensitive segments, which are home to sensitive data, can be isolated from all but the most secure remote-access sessions. Enterprises can limit the use of RDP, SSH, and HTTPS between network zones and only allow them through gateway proxies.
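The rule "RDP, SSH and HTTPS cross a zone boundary only through a gateway proxy" is easy to state and easy to get wrong in a rule base. The following policy evaluator is an added example, not the article's or any vendor's code; the zone names, address ranges and the proxy address are constructed. It places a flat policy, in which any host may reach any zone on the admin ports, beside a segmented one, so that the same flows can be tested against both and the difference made explicit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones and gateway address; real environments will differ.
ZONES = {
    "user-lan": ip_network("10.10.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
    "sensitive": ip_network("10.50.0.0/24"),
}
GATEWAY_PROXIES = {ip_address("192.0.2.10")}  # hypothetical bastion / access proxy in the DMZ
ADMIN_PORTS = frozenset({22, 443, 3389})       # SSH, HTTPS, RDP


@dataclass(frozen=True)
class Rule:
    src_zone: str       # zone name, or "*" for any zone
    dst_zone: str
    ports: frozenset    # destination ports the rule permits
    proxy_only: bool    # if True, honoured only when the source is a gateway proxy


# Weak policy: admin protocols may cross any zone boundary from any host.
FLAT_POLICY = [Rule("*", "*", ADMIN_PORTS, proxy_only=False)]

# Corrected policy: admin protocols reach the sensitive zone only from the
# gateway proxy; ordinary users may reach only the proxy's HTTPS front end.
SEGMENTED_POLICY = [
    Rule("dmz", "sensitive", ADMIN_PORTS, proxy_only=True),
    Rule("user-lan", "dmz", frozenset({443}), proxy_only=False),
]


def zone_of(addr):
    """Return the zone containing addr, or None if it lies in no known zone."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def rule_matches(rule, src, src_zone, dst_zone, port):
    return (
        rule.src_zone in ("*", src_zone)
        and rule.dst_zone in ("*", dst_zone)
        and port in rule.ports
        and (not rule.proxy_only or src in GATEWAY_PROXIES)
    )


def evaluate(policy, src, dst, port):
    """Decide 'allow' or 'deny' for a flow; unknown networks are always denied."""
    src, dst = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny"
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic is left to host firewalls, not this policy
    if any(rule_matches(r, src, src_zone, dst_zone, port) for r in policy):
        return "allow"
    return "deny"  # default deny: no matching rule, no passage


if __name__ == "__main__":
    flows = [("10.10.4.21", "10.50.0.5", 3389), ("192.0.2.10", "10.50.0.5", 3389)]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for src, dst, port in flows:
            print(name, src, "->", f"{dst}:{port}", evaluate(policy, src, dst, port))
```

Under the flat policy a workstation on the user LAN can open RDP straight into the sensitive zone; under the segmented policy that flow is denied, while the same RDP session sourced from the gateway proxy is allowed. A table like this can be fed the organization's real rule export to confirm that no rule other than the proxy one permits admin ports into a sensitive segment.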
3. Least privilege
If we assume for a moment that an account has been compromised, we can restrict lateral movement by ensuring its associated privileges include only those necessary to carry out role-based tasks. All identities, accounts, users, processes, and machines should be subject to this principle of least privilege. If an attacker hijacks a lower-level account, they will not be able to hop at will to adjacent areas. Least privilege can be reinforced with just-in-time (JIT) access, where credentials issued for a task are valid only for a defined window, outside of which access is not granted. Such a system works best when reviews are conducted constantly. Since manual reviews of large networks are impractical, privileged access management (PAM) solutions may be necessary to maintain best practice.
4. Privileged accounts and session management (PASM)
Keeping secrets safe requires a safe. Active management of them requires PASM, also called privileged password management. PASM is capable of thwarting several identity-based attacks and account-hijacking threats and can reduce the effectiveness of many others. One-time passwords (OTPs), for example, can prevent a stolen password from being used for repeated incursions. And regular rotation of credentials or dynamic generation of secrets can shrink the attacker’s window of opportunity. PASM becomes very powerful when it combines active credential management with real-time privileged session monitoring and threat detection and response capabilities.
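Sections 3 and 4 describe the same mechanism from two sides: a role-scoped grant that is valid only for a defined window (JIT, least privilege), backed by secrets that are generated on demand, usable once, and rotated out (PASM). The in-memory broker below is an added example written for this article, not the code of any PAM product; the roles, task names and time values are constructed. It ties the two together in one object: a request is refused unless the user's role permits the task, the secret it returns is bound to that task, expires after a TTL, is rejected on replay, and only a hash of it is ever stored, so a copy of the vault's state yields nothing usable.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role model: each role may perform only its own tasks (least privilege).
ROLE_TASKS = {
    "dba": {"db:backup", "db:restore"},
    "helpdesk": {"ad:reset-password"},
}
USER_ROLES = {"alice": "dba", "bob": "helpdesk"}

# Constructed reference time for the examples; production code would use datetime.now(timezone.utc).
T0 = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)


def later(minutes):
    """Convenience: a point in time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    user: str
    task: str
    expires_at: datetime
    used: bool = False


class Vault:
    """Issues one-time, time-bounded secrets, each for a single approved task."""

    def __init__(self, ttl=timedelta(minutes=15)):
        self.ttl = ttl
        self.grants = {}  # sha256(secret) -> Grant; the secret itself is never stored
        self.audit = []   # append-only record for the reviews the text calls for

    @staticmethod
    def _fingerprint(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def request(self, user, task, now):
        """Return a fresh secret if the user's role permits the task, else None."""
        role = USER_ROLES.get(user)
        if role is None or task not in ROLE_TASKS.get(role, set()):
            self.audit.append(("denied", user, task))
            return None
        secret = secrets.token_urlsafe(32)  # dynamically generated, never reused
        self.grants[self._fingerprint(secret)] = Grant(user, task, now + self.ttl)
        self.audit.append(("issued", user, task))
        return secret

    def redeem(self, secret, task, now):
        """Accept the secret once, for its own task only, before it expires."""
        grant = self.grants.get(self._fingerprint(secret))
        if grant is None or grant.task != task:
            self.audit.append(("rejected", task))
            return False
        if grant.used:
            self.audit.append(("replayed", grant.user, task))
            return False
        if now >= grant.expires_at:
            self.audit.append(("expired", grant.user, task))
            return False
        grant.used = True
        self.audit.append(("redeemed", grant.user, task))
        return True

    def rotate(self, now):
        """Purge used and expired grants; returns how many were removed."""
        dead = [k for k, g in self.grants.items() if g.used or now >= g.expires_at]
        for k in dead:
            del self.grants[k]
        return len(dead)


if __name__ == "__main__":
    vault = Vault()
    token = vault.request("alice", "db:backup", T0)
    print("first use:", vault.redeem(token, "db:backup", later(5)))    # True
    print("replay:", vault.redeem(token, "db:backup", later(6)))       # False
    print("helpdesk asks for a DBA task:", vault.request("bob", "db:backup", T0))  # None
    for entry in vault.audit:
        print(entry)
```

The audit list is the piece that makes the "constant reviews" of section 3 practical: every denial, issue, replay and expiry is recorded with the identity and task, which is exactly the material a PAM platform would feed to session monitoring and threat detection.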
5. Paths to privilege
Laterally moving threat actors try to elevate hijacked low-level accounts to those from the “admin” family, such as superusers or application owners. Once the attacker has the right privileges, they can glide through every network space with ease. To block potential elevation paths, organizations would usually look to nested groups, domain trusts, and misconfigurations, but in complex IT environments, advanced detection capabilities may be needed to find some less obvious links.
6. Multi-factor authentication (MFA)
MFA should be implemented for all users, whenever possible, and always for any remote logon, for all privileged accounts, and for any attempt to access a critical system. MFA increases confidence in the legitimacy of an identity and significantly reduces the risk of credential theft.
7. Regular monitoring
The attack landscape does not sleep, so defenders must design a security landscape that is constantly vigilant. Regular audits of identities, accounts, permissions, and network configurations can uncover misconfigurations before attackers have a chance to exploit them. Watchfulness can detect anomalous network activity, raising real-time alerts and enabling faster mitigation and response.
8. Vulnerability management
Patch, patch, patch. Systems and software that are running current versions are more hardened against assault. Laterally moving attackers exploit known vulnerabilities, so timely patching and configuration management are great ways to close the gaps. For the sake of strategy, it is worth revisiting the common practice of monthly vulnerability assessments. Staggered reviews will help protect from attackers who would take advantage of this well-known schedule.
9. Identity security
Enterprises should be aware of their identity “hygiene”. To protect against lateral movement, an identity-governance program backed by a PAM solution (including PASM) is a strong step forward. Additionally, non-human integrations and privileged accounts must be monitored for potential abuse that could indicate lateral movement. Identity threat detection and response (ITDR) capabilities are quickly gaining ground in modern environments as a means to promote identity hygiene, but ITDR solutions tend to work most effectively when integrated with PAM and other techniques.
10. Incident response
An incident-response playbook is just a theory until it is tested. Better to do this before a live incident than to discover during an incursion that workflows and roles are ill-defined. Swift, effective response to lateral movement will come from having conducted drills based on the playbook. If done regularly, the drills will give people the confidence to isolate affected systems in real time, conduct forensic analysis, recommend updates, and restore the organization to normal operating conditions more quickly.
Think sideways
Defending against lateral movement requires lateral thinking. Modern cybersecurity must account for it because it is now almost always part of a successful attack. The good news is, if we can stop lateral movement, we are almost guaranteed to deny the attacker their payday. Just as lateral movement is the foundation of most successful breaches, the best practices described here are the foundation of a robust cybersecurity strategy.