LATERAL MOVEMENT: HOW TO BLOCK IT

By Chris Foster, Director of Field Engineering, XM Cyber

CHRIS FOSTER is the Director of Field Engineering at XM Cyber. He has over 17 years of security experience serving both public and private sector organizations. He previously held senior security positions with Flashpoint, iSIGHT Partners, FireEye and Chevron. Chris spent over a decade in the public sector at numerous organizations, including Booz Allen Hamilton and SAIC, supporting various U.S. Military and Intelligence Community. degree from Vanderbilt University.

Here’s a sobering fact for today’s security teams: If your network is penetrated, the odds are you won’t realize it until nearly six months later. It’s estimated that the average breach now takes 206 days to identify. This means attackers can steal the crown jewels of your network — and be downright leisurely about it.

Any security professional shudders at the thought of giving an attacker hours of network access, let alone months. So how are attackers managing to breach networks and then burrow inside, undetected and undeterred?

Two words: Lateral movement.

WHAT IS LATERAL MOVEMENT?

When thinking about network lateral movement, it’s best to visualize it as an attacker traversing through a network and hunting for the most valuable items to be found. This technique allows attackers to identify, access and exfiltrate an organization’s most critical assets and escape detection until much later.

So why do attackers choose this technique? It’s simple: Often, the best way to target critical assets is to first select an entry point with relatively weak security — an email account, a low-level server, an employee device, etc. to create a foothold. Instead of directly attacking a well-defended server with sensitive data, it’s easier to gain initial access via the weaker target and then pivot laterally to reach the truly valuable assets.

THE RISK POSED BY APTs

It’s important to understand that lateral attack strategies are often the work of the most sophisticated threat actors. These typically aren’t amateur hackers running random malicious scripts, but organized collectives bringing the full power of their skill and experience to bear on a network’s defenses.

Many attacks employing lateral movement are coordinated and executed by Advanced Persistent Threats (APTs), which are classified as “stealthy computer network threat actors” who gain access to a network and remain undetected for long periods of time. APTs are often state-sponsored groups, and their expertise can present an extraordinary challenge for security teams, who may be extremely under-resourced by comparison.

WHY ARE THESE ATTACKS SO DANGEROUS?

Most security solutions are concerned with so-called “north/south traffic.” When attackers attempt to penetrate networks from outside, they are said to be moving from north to south. For example, stopping an attack aimed at an employee device would fall within the purview of north/south defense, as it keeps the attacker outside the network. If you visualize your security perimeter as a straight line, north/south traffic would be a vertical line attempting to cross.

Once inside the network, traffic can move horizontally — or “east/west.” As attackers move laterally through a network mere minutes to hours after initial compromise, they can employ a variety of methods (including stealing credentials and scanning for vulnerabilities) to gain administrative privileges. Once these privileges are secured, it can become very difficult to detect attackers given their activity can now appear legitimate.

So why has the threat of lateral movement become such a pressing danger for today’s organizations? Much of it has to do with the routine way these attacks present themselves. Security teams are often stretched thin and suffer from alert fatigue. After being inundated with a daily barrage of false positives and alerts, it’s human nature to become somewhat immune to routine alerts (such as a policy violation) that often signify lateral movement in a sophisticated cyberattack.
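The east/west pattern described above rarely trips a single alert: each network logon looks routine on its own, and it is the fan-out of one credential across many hosts in a few minutes that gives the movement away. The following added example (not code from the article or from XM Cyber) runs a sliding-window check over constructed logon records; the record layout, field names, threshold and window are assumptions for illustration.

```python
"""Flag authentication fan-out, a common east/west signal, in logon records.

Added example with constructed data. One account reaching many distinct hosts
inside a short window is surfaced as a single finding instead of a stream of
individually routine-looking logon events.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, target host, source IP.
# The layout is a simplification of a network logon event; values are made up.
SAMPLE_LOGONS = """
2024-03-01T08:55:10,jsmith,ws-finance-07,10.0.5.23
2024-03-01T09:10:42,jsmith,ws-finance-07,10.0.5.23
2024-03-01T09:30:00,svc-backup,fs-01,10.0.9.4
2024-03-01T13:02:11,jsmith,fs-01,10.0.5.23
2024-03-01T13:02:19,jsmith,fs-02,10.0.5.23
2024-03-01T13:02:27,jsmith,db-hr-01,10.0.5.23
2024-03-01T13:02:44,jsmith,dc-01,10.0.5.23
2024-03-01T13:03:01,jsmith,ws-exec-02,10.0.5.23
2024-03-01T14:00:00,svc-backup,fs-02,10.0.9.4
2024-03-01T17:00:00,svc-backup,fs-03,10.0.9.4
""".strip().splitlines()


def parse_logon(line):
    """Parse one CSV record into (datetime, account, target_host, source_ip)."""
    ts, account, host, src = (field.strip() for field in line.split(","))
    return datetime.fromisoformat(ts), account, host, src


def detect_fan_out(lines, max_hosts=3, window=timedelta(minutes=10)):
    """Return one finding per account whose logons touch more than `max_hosts`
    distinct target hosts inside any sliding `window` (threshold and window are
    assumed values; tune them against per-account baselines).

    A finding records the account, every host touched inside offending windows,
    the source IP(s) used, and the first/last timestamps involved.
    """
    records = sorted((parse_logon(l) for l in lines if l.strip()),
                     key=lambda r: r[0])
    recent = defaultdict(deque)   # account -> (ts, host, src) inside the window
    findings = {}                 # account -> finding, merged across windows
    for ts, account, host, src in records:
        q = recent[account]
        q.append((ts, host, src))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        hosts = {h for _, h, _ in q}
        if len(hosts) > max_hosts:
            f = findings.setdefault(account, {
                "account": account, "hosts": set(), "sources": set(),
                "first": q[0][0], "last": ts,
            })
            f["hosts"].update(hosts)
            f["sources"].update(s for _, _, s in q)
            f["first"] = min(f["first"], q[0][0])
            f["last"] = ts
    for f in findings.values():
        f["hosts"] = sorted(f["hosts"])
        f["sources"] = sorted(f["sources"])
    return sorted(findings.values(), key=lambda f: f["account"])


if __name__ == "__main__":
    for finding in detect_fan_out(SAMPLE_LOGONS):
        print(f"{finding['account']}: {len(finding['hosts'])} hosts from "
              f"{finding['sources']} between {finding['first']} and {finding['last']}")
```

In the sample, `svc-backup` touches three file servers over a working day and is never flagged, while `jsmith` reaching five hosts in under a minute produces exactly one finding. Scanner and administrative accounts need an explicit allow-list or a higher per-account threshold, otherwise this check simply adds to the alert fatigue the article describes.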

HOW CAN MY ORGANIZATION PREVENT THE THREAT OF LATERAL MOVEMENT?

There are two key strategies you can implement to mitigate the risks presented by lateral movement.

First, it’s critical to develop a better understanding of network characteristics. By using packet-analysis tools to identify those characteristics, security professionals gain deeper visibility into how devices communicate, where they sit on the network, how they are identified, and so on. In addition to network mapping, it’s important to become more familiar with common attack strategies, particularly the tactics, techniques and procedures (TTPs) attackers use to hide their presence and gain unauthorized permissions.
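A minimal form of the network mapping recommended here is to classify captured flows by the role of each endpoint and by direction (north/south versus east/west), then look for communication that has no business reason, such as workstation-to-workstation file sharing or remote desktop. The example below is added here and is not the article's or XM Cyber's code; the subnet-to-role table and the flow records are constructed for illustration.

```python
"""Classify flow records into a role-to-role communication map and pick out
east/west traffic between peers that should not normally talk to each other.

Added example with constructed data; the role map is an assumption.
"""
import ipaddress
from collections import defaultdict

# Assumed role map for this example: which address ranges hold which device class.
ROLE_BY_SUBNET = {
    ipaddress.ip_network("10.0.5.0/24"): "workstation",
    ipaddress.ip_network("10.0.9.0/24"): "server",
    ipaddress.ip_network("10.0.1.0/24"): "domain-controller",
}

# Constructed flow records: (src_ip, dst_ip, dst_port), e.g. summarised from
# packet capture or NetFlow. Values are made up.
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.0.9.4", 445),     # workstation -> file server
    ("10.0.5.23", "10.0.1.10", 88),     # workstation -> DC (Kerberos)
    ("10.0.5.41", "10.0.9.4", 445),     # workstation -> file server
    ("10.0.5.23", "10.0.5.41", 445),    # workstation -> workstation SMB
    ("10.0.5.23", "10.0.5.88", 3389),   # workstation -> workstation RDP
    ("203.0.113.7", "10.0.9.4", 443),   # inbound from outside the perimeter
]


def role_of(ip):
    """Map an address to a device role; anything outside the table is external."""
    addr = ipaddress.ip_address(ip)
    for net, role in ROLE_BY_SUBNET.items():
        if addr in net:
            return role
    return "external"


def direction(flow):
    """North/south if either endpoint is outside the network, else east/west."""
    src, dst, _ = flow
    if role_of(src) == "external" or role_of(dst) == "external":
        return "north/south"
    return "east/west"


def communication_map(flows):
    """Count flows per (src_role, dst_role, dst_port) triple."""
    counts = defaultdict(int)
    for src, dst, port in flows:
        counts[(role_of(src), role_of(dst), port)] += 1
    return dict(counts)


def peer_workstation_flows(flows):
    """Return east/west flows whose both endpoints are workstations."""
    return [f for f in flows
            if role_of(f[0]) == "workstation" and role_of(f[1]) == "workstation"]


if __name__ == "__main__":
    for key, n in sorted(communication_map(SAMPLE_FLOWS).items()):
        print(f"{key[0]:>18} -> {key[1]:<18} port {key[2]:<5} {n} flow(s)")
    for f in peer_workstation_flows(SAMPLE_FLOWS):
        print("review:", f, direction(f))
```

The map itself is the baseline: once the normal role-to-role edges and ports are known, any new edge (here the two workstation-to-workstation flows on 445 and 3389) is a small, reviewable set rather than a flood of packet-level events.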

Second, it’s imperative to take an aggressive posture toward threat detection and mitigation. Given that sophisticated threat actors can stay hidden in a network for months or years undetected, it’s essential to take a vigorous approach to rooting out the threat posed by APT lateral movement. Slow-moving, extremely stealthy APTs are better targeted by cutting-edge techniques such as breach and attack simulations (BAS), which accelerate threat hunting and offer continual protection.

WHY BAS SOLUTIONS ARE THE CURRENT GOLD STANDARD FOR PREVENTING APT LATERAL MOVEMENT ATTACKS

BAS solutions are designed to mimic so-called red team exercises, often referred to as red teaming, a security process originally developed by military security personnel in the 19th century. Red teams are tasked with emulating an adversary to exploit an enterprise’s defense and identify vulnerabilities within a controlled environment. This sort of “ethical hacking” is extremely useful when performed by high-level teams to improve organizational resilience.

Yet even the best red team personnel are limited by the fact that red teaming is a manual process. For comprehensive, 24/7 protection, automation is required. BAS solutions automate many of the processes of red team exercises by offering:

● Continuous testing for security issues such as unpatched servers and misconfigurations
● Simulation of a variety of common lateral attack strategies
● Real user activity to identify attack vectors
● The ability to mimic the precise attack style of known APTs
● Evaluation of the security status of specific assets — including an organization’s “crown jewels”

THE TAKEAWAY

Lateral movement is perhaps the most important battleground for today’s security professionals. Given the power, reach and expertise of today’s APTs, it’s more important than ever to practice smart organizational security.

Recognizing network characteristics, fighting alert fatigue and cutting-edge BAS solutions are all essential tools for today’s organizations to wield. In a world where defenders need to be perfect every time and attackers only need to succeed once, it’s critical for security teams to lean on the power of automation, simulation and continuous protection.
