Freely subscribe to our NEWSLETTER

First, the attackers penetrate the perimeter but more than likely, they execute
a successful drive-by download or launch a phishing attack to compromise a
user’s system and establish a foothold inside the network; all the while flying
"under the radar" of many traditional security defenses. Next, they establish a
connection - unless it’s ransomware or self-contained malware, the attacker
quickly establishes a connection to a command and control (C&C) server to
download toolkits, additional payloads, and to receive additional instructions.
According to the Verizon report, social attacks were utilized in 43% of all
breaches in this year’s dataset. Almost all phishing attacks that led to a
breach were followed with some form of malware, and 28% of phishing breaches
were targeted. Once inside the network, attackers begin to learn about the
network, the layout, the assets. They begin to move laterally to other systems
and look for opportunities to collect additional credentials, upgrade
privileges, or just use the privileges that they have already compromised to
access systems, applications and data. Lastly, the attacker collects, packages
and eventually exfiltrates the data.

How to stop lateral movement

While the Data Breach Investigations Report and nearly every security vendor on
the planet makes recommendations on reducing the risks associated with each
stage of the attack, it is worth focusing on the stage related to lateral
movement. If you can create barriers to move laterally you may be able to
protect access to high-value assets, or at least slow the attacker down enough
that you can adequately contain the outbreak and mitigate the impact of the
breach. To that end, below are ten steps organizations can take to stop lateral
movement:

– 1. Use Standard User Accounts. Enforce that all users have a standard user
account. Administrators across all platforms should log in with their standard
accounts as normal practice. They should only log in with administrative rights
when they need to perform administrative tasks. This might sound obvious and
reasonable but in practice, doesn’t always happen

– 2. Enforce the Principle of Least Privilege. If a user does not need access to
systems, applications or data, remove it. As a first step remove administrator
rights on desktops for all users

– 3. Implement Application Whitelisting. Implement policy to allow known good
applications and log all other applications and launch attempts. If possible,
restrict launching of end user applications with known critical security
vulnerabilities

– 4. Require Multifactor Authentication: Implement multi-factor authentication
for access to internal systems, applications and even data. While implementing
static multi-factor authentication based on whether a system or application is
good, getting too restrictive can become frustrating for users. Look for
solutions that can also restrict access based on the risk associated with the
environment or activity. For example, if someone tries to launch a sensitive
application after hours for the first time, or tries to run a sensitive command
on the Unix server that is missing critical patches, step up the security and
trigger to re-authenticate with multi-factor

– 5. Use Context-Based and Adaptive Access Controls: At some point people need
access to do their jobs, but continue to lock down when they have access, and
from which location they have access. Restricting access based on static
elements like time of day or subnet is good, but restricting access dynamically
based on risk (i.e. does a ticket exist for the access, does this request adhere
to a normal access patterns, have I received recent alerts from my threat
detection layers, etc.) adds greater protections

– 6. Implement Strong Password Policy Management: Require strong passwords, and
that they should be changed frequently. Deny password reuse. Log failed
authentication requests

– 7. Automate Password Management: Require unique passwords across all privileged
systems and accounts. Eliminate hard coded passwords in service accounts and
scripts. Implement SSH key management tools

– 8. Segment Networks: Group assets, including application and resource servers,
into logical units that do not trust one another. Segmenting the network reduces
the "line of sight" access attackers must have into your internal systems. For
access that needs to cross the trust zones, require a secured jump server with
multi-factor authentication, adaptive access authorization, and session
monitoring

– 9. Consider Micro-Segmentation: Where possible, go beyond standard network
segmentation. Segment based on context of the user, role, application and data
being requested.

– 10. Implement Threat and Advanced Behavior Monitoring: Somewhere along the line,
accounts have access to stuff. Implement base security event monitoring and
advanced threat detection (including user behavior monitoring) to more
accurately and quickly detect compromised account activity as well as insider
privilege misuse and abuse.

In today’s sophisticated threat landscape, one product will certainly not
provide the protection enterprises need against all stages of an attack. And
while some new and innovative solutions will help protect against or detect the
initial infection, they are not guaranteed to stop 100% of malicious activity.
In fact, it’s not a matter of if, but a matter of when you will be successfully
breached. You still need to do the basics - patching, firewalls, endpoint AV,
threat detection and so on. But you also need to protect against, and monitor
for, lateral movement. So, assuming the bad guys get in, following the ten
recommendations can help you can stop them, slow them down, and/or detect them
faster in order to mitigate the impact.