10 Steps to Stopping Lateral Movement Attacks

 

Thinking - @SeniorDBA

It is estimated that over 75% of cyber-attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Get past any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attachment.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin external communications to the compromised device, usually through a command-and-control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attackers. They gather even more intelligence and try to elevate their permissions on all compromised systems. This effort can take days or months to complete.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

  1. Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and probably offers advanced heuristic protection algorithms that detect behavior indicating malicious activity, even on zero-day attack attempts. The Microsoft Defender endpoint protection feature in Windows 10 is a good example of this type of software that is highly rated and very effective, if properly configured.
  2. Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or by clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights using a special secondary admin-level account when they need to actually perform administrative tasks.
  3. Enforce Least Privilege – Only allow users access to systems if they have a business need to that resource. Allow minimum privileges by default to only allow the user to do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
  4. Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media accounts. This basically requires the user to approve access through a mobile application or SMS message before their computer password is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
  5. Conditional Access Controls – Restricting access based on static elements like location, operating system, or even time of day is a basic control that limits account login, even with approved credentials, to enforce compliance dynamically. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating systems, user risk, etc. to add security options for greater account protection.
  6. Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords and encourage users to use password managers so they have strong password hygiene. Train users on how to create strong passwords and block common unsafe passwords (e.g. password1, letmein, admin123, qwerty123, etc.) while you also configure systems to log password failure attempts. Always change or eliminate default passwords in a new device before it is used. Require unique passwords across all privileged accounts. Never allow anyone to store plain text passwords inside a script, text file, spreadsheet, or database. Implement SSH key management tools.
  7. Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is manually applied, do the testing as soon as possible to target a goal of installing all vendor patches within 30 days. Fewer vulnerabilities mean it is harder for an attacker to get into a system through a software security weakness. A properly configured and fully patched system is exponentially harder to compromise.
  8. Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, you can require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t access systems, it severely limits an attacker’s ability to jump from one system to the next. Where possible, go beyond standard network segmentation to segment based on context of the user, role, application, and data being requested.
  9. Implement Threat Behavior Monitoring – Implement base security event monitoring and log events that will help you later understand what systems were compromised. Using advanced threat detection (including user behavior monitoring) you can quickly detect compromised account activity in near real time as well as detect symptoms of possible insider privilege misuse.
  10. Application Whitelisting – If possible, implement policies to only allow known good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum you can pre-install the software required by a user and block them from installing any new software.
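
As an added example for step 6 (not code from the original post), here is a small Python check that enforces the password rules above: a minimum length, a blocklist of common unsafe passwords that also catches trivial variants (case changes, trailing digits or symbols), and a reuse check against the account’s password history, stored only as salted PBKDF2 hashes so no plain text password is ever kept. The blocklist, minimum length and sample history are constructed assumptions, not a published standard.

```python
"""Validate a proposed password against blocklist, length and reuse rules.

Added example, not from the original post. The blocklist, MIN_LENGTH and
the password history used below are constructed for illustration.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12
# Constructed blocklist; a real deployment loads a large published list.
BLOCKLIST = {"password1", "letmein", "admin123", "qwerty123", "welcome1"}
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """PBKDF2-HMAC-SHA256 with a per-password random salt.

    Returns (salt, digest) so the history never stores plain text.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def normalize(password):
    """Lower-case and strip trailing digits/symbols so 'Password1!' is
    compared as 'password', catching trivial variants of blocked words."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


_NORMALIZED_BLOCKLIST = {normalize(b) for b in BLOCKLIST}


def validate_new_password(candidate, history):
    """history: list of (salt, digest) tuples for the account's previous passwords.

    Returns the list of reasons the candidate is rejected; empty means accepted.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BLOCKLIST or normalize(candidate) in _NORMALIZED_BLOCKLIST:
        reasons.append("matches a blocked common password")
    for salt, digest in history:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            reasons.append("reused a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed history: the account previously used this passphrase.
    previous = [hash_password("Correct-Horse-Battery-9")]
    for attempt in ("Password1!", "Correct-Horse-Battery-9", "Staple-Battery-Horse-42"):
        verdict = validate_new_password(attempt, previous)
        print(f"{attempt!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The reuse check only works because every history entry keeps its own salt; a password manager or directory service that already hashes passwords supplies the same data, and the blocklist comparison happens before any expensive hashing so obviously bad candidates are rejected cheaply.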

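For step 9, the pattern lateral movement leaves in logs is one account authenticating to many different hosts in a short time. As an added example (not part of the original post), the Python below runs a sliding-window "fan-out" detector over constructed logon records modelled on the fields of a Windows Security 4624 event (account, source address, target host, logon type; type 3 is a network logon). The event set, the 10-minute window and the host threshold are assumptions chosen for illustration; a real deployment tunes them against its own baseline.

```python
"""Flag accounts whose network logons fan out across many hosts quickly.

Added example, not from the original post. SAMPLE_EVENTS, the window size
and the host threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events reduced to the fields a detector needs.
# Logon type 2 = interactive (console), 3 = network (SMB/WMI/RPC style access).
SAMPLE_EVENTS = [
    # (timestamp, account, source IP, target host, logon type)
    ("2024-05-01T09:00:05", "alice", "10.0.1.20", "WS-ALICE", 2),
    ("2024-05-01T09:01:00", "alice", "10.0.1.20", "FILESRV01", 3),
    ("2024-05-01T09:02:10", "svc_backup", "10.0.1.55", "FILESRV01", 3),
    ("2024-05-01T09:02:15", "svc_backup", "10.0.1.55", "FILESRV02", 3),
    ("2024-05-01T09:02:21", "svc_backup", "10.0.1.55", "SQL01", 3),
    ("2024-05-01T09:02:30", "svc_backup", "10.0.1.55", "SQL02", 3),
    ("2024-05-01T09:02:44", "svc_backup", "10.0.1.55", "DC01", 3),
    ("2024-05-01T09:15:00", "bob", "10.0.1.31", "WS-BOB", 2),
    ("2024-05-01T09:40:00", "bob", "10.0.1.31", "FILESRV01", 3),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real timestamp and normalized names."""
    ts, account, src, target, logon_type = raw
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account.lower(),
        "src": src,
        "target": target.upper(),
        "logon_type": logon_type,
    }


def detect_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Return one alert per account whose network logons (type 3) reach more
    than `max_hosts` distinct target hosts inside any sliding `window`."""
    by_account = defaultdict(list)
    for e in sorted((parse_event(r) for r in events), key=lambda e: e["ts"]):
        if e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward until it covers only `window`.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["target"] for x in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append({
                    "account": account,
                    "hosts": sorted(hosts),
                    "first": evs[start]["ts"].isoformat(),
                    "last": e["ts"].isoformat(),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"ALERT {a['account']}: {len(a['hosts'])} hosts between "
              f"{a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

On the sample data only svc_backup trips the rule (five servers in 34 seconds), while alice and bob, who each touch a single file server from their own workstation, stay quiet. Service and backup accounts do legitimately fan out, so in practice the threshold is set per account class and the alert is enriched with the source address, which is what distinguishes a backup job from a compromised workstation using the same credentials.
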
While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack your only remediation may be to restore/replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the ability of a successful attack to cause severe damage to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope/quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.

Photo by eberhard grossgasteiger on Pexels.com