How to prevent lateral movement in a Network

September 2024 by Patrick Houyoux LL.M. ULB, Brussels, Trinity College, Cambridge, UK. President – Director PT SYDECO

Cybersecurity has become a critical priority for modern businesses, facing increasingly sophisticated and diverse threats. Lateral movement, where an attacker moves across a network after an initial intrusion, is one of the most dangerous and insidious techniques. It allows cybercriminals to expand their access and compromise critical resources, often before detection and response are in place. Understanding lateral movement and implementing effective solutions to counter it is essential to protect digital assets and ensure business continuity.

I – DANGERS OF LATERAL MOVEMENT WITHIN A NETWORK

Lateral movement within a network can cause substantial damage, as once an attacker has compromised an access point, they can gradually expand their control and reach critical targets. The main types of damage that can result include:

1. Compromise of Sensitive Data:

o By moving laterally, an attacker can reach network segments containing sensitive information (customer data, financial information, intellectual property files, etc.). This can lead to data breaches, leaks of confidential information, and significant financial losses, as well as fines for non-compliance with applicable regulations.

2. Industrial Espionage:

o A hacker with access to internal resources can steal trade secrets, product plans, or proprietary technologies. This espionage can give rival companies a competitive advantage or lead to reputational damage and loss of market share.

3. Sabotage of Systems:

o Attackers can exploit their access to modify, destroy, or alter critical systems, causing production halts or IT service outages. This can result in prolonged service interruptions with heavy economic and operational consequences.

4. Propagation of Malware:

o Lateral contamination can enable rapid spread of malware (ransomware, trojans) throughout the network. For instance, ransomware can encrypt files on multiple machines, forcing the company to pay a ransom or lose access to vital data. The impact can be magnified if entire segments are infected simultaneously.

5. Control of Infrastructure:

o Once an attacker has compromised several machines, they can establish backdoors and maintain persistent access to the network. This allows them to take full control of the infrastructure, hijack servers for malicious activities (cryptocurrency mining, DDoS attacks), or exfiltrate information continuously without detection.

6. Loss of Trust and Reputation Impact:

o Data leaks or disruptions caused by lateral attacks can severely affect a company’s reputation. Clients, partners, and investors lose trust, leading to decreased sales, contract terminations, and deterioration of the company’s value.

7. High Recovery Costs:

o Recovering from lateral contamination may require substantial investments to analyze and remediate compromised systems. This includes data restoration, implementing new security measures, and legal costs related to disputes or fines.

In summary, lateral movement can transform a simple intrusion into a devastating attack, impacting security, finances, and business continuity. This highlights the importance of solutions like ARCHANGEL 2.0 that prevent such propagation.

II – METHODS USED BY HACKERS TO ACHIEVE LATERAL MOVEMENT

Hackers use various techniques to perform lateral movement in a network once they have compromised an initial access point. Common methods include:

1. Credential Theft:

o After gaining access to a machine, attackers often try to steal credentials (passwords, tokens) from other users. They then use this information to access other systems.

2. Exploitation of Vulnerabilities:

o Hackers identify unpatched vulnerabilities in other parts of the network, allowing them to take control of other machines.

3. Use of Administrative Scripts:

o Hackers can exploit native tools like PowerShell or PsExec to execute remote commands on other systems, making their activities less suspicious.

4. Internal Reconnaissance:

o They map the network to identify interesting targets (file servers, databases, etc.) using techniques such as ARP scanning or tools like netstat.

5. Data Exfiltration:

o Once they have compromised several machines, they can gather critical or sensitive data and exfiltrate it from the network.

III – HOW ARCHANGEL 2.0 PREVENTS SUCH MOVEMENTS

PT SYDECO researchers have developed an innovative system that prevents lateral movement or contamination within a private network protected by ARCHANGEL 2.0. By combining VPN and micro-segmentation, ARCHANGEL 2.0 achieves this result.

Micro-segmentation: ARCHANGEL 2.0 isolates each resource or application within the network, limiting communication between segments to authorized paths. This prevents an attacker from accessing other parts of the network, even if they compromise a point.
Secure VPN Server: Installed within the system, and through which all traffic must pass, it creates a secure perimeter where only legitimate connections are allowed:
o It performs comprehensive access control, eliminating the risk of unauthorized access from outside.
o It protects against external threats by preventing direct access to the company’s network from the internet without passing through the VPN.
o It reinforces strict network separation: through micro-segmentation, users access only what is strictly necessary.

IV – PRACTICAL APPLICATION OF THE ARCHANGEL 2.0 SYSTEM TO ATTACK METHODS

The VPN system combined with micro-segmentation is designed to effectively counter each of the most common attack methods mentioned above. Here’s how it addresses each threat:

1. Credential Theft:

o Secure VPN: Network access is conditional on strong authentication via the VPN, optionally with multi-factor authentication (MFA). Even if an attacker steals credentials, they will not be able to connect without authenticating via the VPN.

o Micro-segmentation: Each network segment is isolated. Thus, even if the attacker gains access to a machine using stolen credentials, they cannot access other network resources or segments, significantly limiting their reach.

2. Exploitation of Vulnerabilities:

o VPN + Micro-segmentation: Micro-segmentation reduces the attack surface as each segment is restricted to specific and critical services. Even if a vulnerability exists, it will be confined to a specific segment, preventing its spread to other parts of the network.

o Inter-segment Flow Control: Communications between segments are strictly controlled. Unpatched vulnerabilities cannot be exploited through flows that have not been explicitly authorized.

3. Use of Administrative Scripts:

o Enhanced VPN Monitoring: Any attempt to use remote administration tools (PowerShell, PsExec) will be monitored and can be blocked through the VPN. Visibility is improved as all traffic passes through a central point (the VPN server), facilitating the detection of suspicious activities.

o Strict Micro-segmentation: Permissions for executing remote commands are segmented by role and user, drastically limiting the use of malicious administrative scripts across the network.

4. Internal Reconnaissance:

o VPN + Micro-segmentation: Network scans (ARP scanning, netstat-style enumeration) will be ineffective as visibility between segments is restricted. Attackers will not be able to map the entire network as they only have access to their specific segment. Additionally, any unauthorized communication attempts will be immediately detected and blocked.

o Isolation of Sensitive Resources: Segments containing critical resources (databases, servers) are accessible only to a limited number of authorized users via secure paths.

5. Data Exfiltration:

o VPN + Rigorous Controls: The VPN centralizes and monitors all outgoing traffic. Any attempt at data exfiltration will be monitored and can be blocked in real-time. All traffic is controlled, and segmentation policies prevent the attacker from reaching segments containing sensitive data.

o Dynamic Segmentation: Segments containing sensitive data can be dynamically separated, limiting access even in the event of a user or machine compromise.
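The inter-segment flow control (item 2) and reconnaissance detection (item 4) described above can be illustrated with a small default-deny policy evaluator run over flows as a central VPN server would see them. This is an added example, not ARCHANGEL 2.0 or PT SYDECO code; the segment CIDRs, the authorized-path table, the threshold and the sample flows are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment map (CIDR -> segment label). Real deployments
# would load this from the segmentation policy, not hard-code it.
SEGMENTS = {
    ip_network("10.10.1.0/24"): "workstations",
    ip_network("10.10.2.0/24"): "app",
    ip_network("10.10.3.0/24"): "db",
}

# Explicitly authorized inter-segment paths: (src_segment, dst_segment, dst_port).
# Anything not listed is denied; that default-deny rule is the core of
# inter-segment flow control.
ALLOWED = {
    ("workstations", "app", 443),
    ("app", "db", 5432),
}

def segment_of(ip):
    """Map an address to its segment label, or 'unknown' if it matches none."""
    addr = ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one flow observed at the chokepoint."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst and src != "unknown":
        return "allow"  # intra-segment traffic is outside this policy's scope
    return "allow" if (src, dst, dst_port) in ALLOWED else "deny"

def detect_reconnaissance(flows, threshold=3):
    """Flag sources with at least `threshold` distinct denied (dst, port) pairs:
    a host probing segments it has no authorized path to."""
    denied = defaultdict(set)
    for src, dst, port in flows:
        if evaluate(src, dst, port) == "deny":
            denied[src].add((dst, port))
    return sorted(s for s, targets in denied.items() if len(targets) >= threshold)

# Constructed flow records (src, dst, dst_port) as a VPN server might log them.
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.10", 443),   # legitimate: workstation -> app
    ("10.10.2.10", "10.10.3.5", 5432),   # legitimate: app -> db
    ("10.10.1.15", "10.10.3.5", 5432),   # workstation straight to db: denied
    ("10.10.1.15", "10.10.3.5", 22),     # denied probe
    ("10.10.1.15", "10.10.2.10", 445),   # denied probe (SMB)
    ("10.10.1.15", "10.10.3.6", 3389),   # denied probe
]
```

Running `detect_reconnaissance(SAMPLE_FLOWS)` over the constructed flows returns only the workstation that accumulated four denied distinct targets, while the two authorized paths pass unflagged.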


V – CONCLUSION

Lateral movement is a serious and complex threat that can compromise the security and business continuity of an organization. To defend against these attacks, it is crucial to implement robust solutions like ARCHANGEL 2.0, which offer advanced protection through micro-segmentation and a secure VPN. These technologies not only block lateral movement, but also strengthen overall network security by controlling access and siloing critical resources.

We encourage organizations to adopt ARCHANGEL 2.0 to benefit from proactive protection against lateral movement and other advanced threats. To learn more about how ARCHANGEL 2.0 can secure your network and protect your assets, contact us today. Don’t let lateral movement compromise your business – choose a leading cybersecurity solution and strengthen your defenses today.

