Brad Hibbert, Lead Solutions Strategist at BeyondTrust
As highlighted in the 2017 Verizon Data Breach Investigation Report (DBIR), 75% of attacks come from the outside and a whopping 81% of hacking-related breaches leveraged either stolen and/or weak passwords. While the specific tactics may vary, the stages of an outsider attack are similar and usually follow four steps.
- First, the attackers penetrate the perimeter. More often than not they do so with a successful drive-by download or a phishing attack that compromises a user’s system and establishes a foothold inside the network, all the while flying “under the radar” of many traditional security defenses.
- Next, they establish a connection. Unless it’s ransomware or self-contained malware, the attacker quickly connects to a command and control (C&C) server to download toolkits and additional payloads and to receive further instructions. According to the Verizon report, social attacks were used in 43% of all breaches in this year’s dataset. Almost all phishing attacks that led to a breach were followed by some form of malware, and 28% of phishing breaches were targeted.
- Once inside the network, attackers learn about the network, its layout and its assets. They move laterally to other systems and look for opportunities to collect additional credentials, escalate privileges, or simply use the privileges they have already compromised to access systems, applications and data.
- Lastly, the attacker collects, packages and eventually exfiltrates the data.
How to stop lateral movement
While the Data Breach Investigations Report and nearly every security vendor on the planet make recommendations on reducing the risks associated with each stage of the attack, it is worth focusing on the lateral movement stage. If you can create barriers to lateral movement, you may be able to protect access to high-value assets, or at least slow the attacker down enough that you can contain the outbreak and mitigate the impact of the breach. To that end, below are ten steps organizations can take to stop lateral movement:
- Use Standard User Accounts: Ensure that every user has a standard user account. Administrators across all platforms should log in with their standard accounts as normal practice, and log in with administrative rights only when they need to perform administrative tasks. This might sound obvious and reasonable, but in practice it doesn’t always happen.
- Enforce the Principle of Least Privilege: If a user does not need access to a system, application or data set, remove it. As a first step, remove administrator rights on desktops for all users.
- Implement Application Whitelisting: Implement policy that allows known good applications and logs every other application and launch attempt. If possible, block the launching of end-user applications with known critical security vulnerabilities.
- Require Multifactor Authentication: Implement multi-factor authentication for access to internal systems, applications and even data. Static multi-factor rules based on which system or application is being accessed are a good start, but getting too restrictive becomes frustrating for users. Look for solutions that can also restrict access based on the risk associated with the environment or the activity. For example, if someone tries to launch a sensitive application after hours for the first time, or tries to run a sensitive command on a Unix server that is missing critical patches, step up the security and require re-authentication with multi-factor.
- Use Context-Based and Adaptive Access Controls: At some point people need access to do their jobs, but continue to lock down when they have access and from which location they have access. Restricting access based on static elements like time of day or subnet is good, but restricting access dynamically based on risk (i.e. does a ticket exist for the access, does this request adhere to normal access patterns, have I received recent alerts from my threat detection layers, etc.) adds greater protection.
- Implement Strong Password Policy Management: Require strong passwords and require that they be changed frequently. Deny password reuse. Log failed authentication requests.
- Automate Password Management: Require unique passwords across all privileged systems and accounts. Eliminate hard-coded passwords in service accounts and scripts. Implement SSH key management tools.
- Segment Networks: Group assets, including application and resource servers, into logical units that do not trust one another. Segmenting the network limits the “line of sight” an attacker has into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring.
- Consider Micro-Segmentation: Where possible, go beyond standard network segmentation. Segment based on the context of the user, role, application and data being requested.
- Implement Threat and Advanced Behaviour Monitoring: Somewhere along the line, accounts must have access to resources. Implement baseline security event monitoring and advanced threat detection (including user behaviour monitoring) to detect compromised-account activity, as well as insider privilege misuse and abuse, more accurately and more quickly.
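The multi-factor and adaptive access items above describe a decision that depends on the risk of the request rather than on a fixed rule. The following is an added example, not code from the article or from BeyondTrust, of a small policy engine that scores a request on the signals the text names (after hours, first-time access to a resource, a target missing critical patches, no approval ticket, recent detection alerts, source network) and returns allow, step-up MFA or deny. All field names, weights, thresholds, network ranges and the three sample requests are constructed assumptions that would be tuned per environment.

```python
"""Risk-based access decision with step-up MFA (added example; the field names,
weights, thresholds, network ranges and sample requests are assumptions)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALLOW, STEP_UP_MFA, DENY = "allow", "step_up_mfa", "deny"

# Constructed policy parameters; tune per environment.
BUSINESS_HOURS = range(8, 18)                      # 08:00-17:59 local time
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DENY_THRESHOLD = 7                 # enough combined risk to refuse outright
STEP_UP_THRESHOLD = 4              # re-authenticate with MFA for any resource
SENSITIVE_STEP_UP_THRESHOLD = 2    # lower bar for sensitive resources


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitive: bool                       # e.g. admin console, sudo on a server
    when: datetime
    source_ip: str
    ticket_id: Optional[str]              # approval/change ticket, if any
    first_time_on_resource: bool          # no access history for this user+resource
    target_missing_critical_patches: bool
    recent_alerts: int                    # detection-layer alerts on this user, last 24h


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Add up weighted risk signals; the reasons make the decision auditable."""
    score, reasons = 0, []
    if req.when.hour not in BUSINESS_HOURS:
        score += 2
        reasons.append("after hours")
    if not any(ip_address(req.source_ip) in net for net in CORP_NETS):
        score += 3
        reasons.append("source outside corporate network")
    if req.sensitive and req.ticket_id is None:
        score += 2
        reasons.append("sensitive resource without approval ticket")
    if req.first_time_on_resource:
        score += 2
        reasons.append("first access to this resource (outside normal pattern)")
    if req.target_missing_critical_patches:
        score += 2
        reasons.append("target missing critical patches")
    if req.recent_alerts > 0:
        score += min(req.recent_alerts, 3)
        reasons.append(f"{req.recent_alerts} recent detection alert(s)")
    return score, reasons


def decide(req: AccessRequest) -> Tuple[str, int, List[str]]:
    """Map the score to allow / step-up MFA / deny."""
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return DENY, score, reasons
    if score >= STEP_UP_THRESHOLD or (req.sensitive and score >= SENSITIVE_STEP_UP_THRESHOLD):
        return STEP_UP_MFA, score, reasons
    return ALLOW, score, reasons


# Constructed sample requests.
ROUTINE = AccessRequest("alice", "hr-portal", False, datetime(2017, 6, 5, 10, 30),
                        "10.1.2.3", None, False, False, 0)
# The article's scenario: a sensitive command on an unpatched Unix server,
# after hours, for the first time (with a change ticket on file).
AFTER_HOURS_SENSITIVE = AccessRequest("bob", "sudo on unix-db01", True,
                                      datetime(2017, 6, 5, 23, 15), "10.1.2.40",
                                      "CHG-0042", True, True, 0)
HOSTILE = AccessRequest("carol", "domain-admin console", True,
                        datetime(2017, 6, 5, 3, 0), "203.0.113.9", None, True, False, 5)

if __name__ == "__main__":
    for req in (ROUTINE, AFTER_HOURS_SENSITIVE, HOSTILE):
        verdict, score, reasons = decide(req)
        print(f"{req.user:6} -> {verdict:12} score={score} {reasons}")
```

The routine request scores zero and is allowed; the after-hours first-time access to an unpatched server scores 6 and triggers step-up MFA; the off-network request with no ticket and recent alerts scores 12 and is denied. Returning the reasons alongside the verdict matters in practice: it is what lets an analyst or an auditor see why a user was prompted or refused.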
In today’s sophisticated threat landscape, one product will certainly not provide the protection enterprises need against all stages of an attack. And while some new and innovative solutions will help protect against or detect the initial infection, they are not guaranteed to stop 100% of malicious activity. In fact, it’s not a matter of if, but a matter of when you will be successfully breached. You still need to do the basics – patching, firewalls, endpoint AV, threat detection and so on. But you also need to protect against, and monitor for, lateral movement. So, assuming the bad guys get in, following the ten recommendations can help you stop them, slow them down, and/or detect them faster in order to mitigate the impact.
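The password policy and behaviour monitoring items above call for logging failed authentication requests and for detecting compromised-account activity, and the closing paragraph asks you to monitor for lateral movement. As an added example, not the article’s or any vendor’s code, the following runs two simple detections over constructed authentication log lines: one account successfully authenticating to many distinct hosts within a short window (the fan-out shape of lateral movement), and a burst of failures for one account across several hosts. The log format, field names, thresholds and time windows are assumptions chosen for the example.

```python
"""Two lateral-movement detections over authentication events (added example;
the log format, field names, thresholds and windows are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample log (not real data). One authentication event per line.
SAMPLE_LOG = """\
2017-06-05T09:00:01 user=alice src=10.1.2.3 dst=ws-014 result=success
2017-06-05T09:05:10 user=alice src=10.1.2.3 dst=fileserver01 result=success
2017-06-05T22:01:10 user=bob src=10.1.2.40 dst=ws-031 result=success
2017-06-05T22:01:35 user=bob src=10.1.2.40 dst=ws-032 result=success
2017-06-05T22:02:02 user=bob src=10.1.2.40 dst=ws-033 result=success
2017-06-05T22:02:40 user=bob src=10.1.2.40 dst=ws-034 result=success
2017-06-05T22:03:05 user=bob src=10.1.2.40 dst=ws-035 result=success
2017-06-05T22:10:00 user=svc-backup src=10.1.2.40 dst=db01 result=failure
2017-06-05T22:10:01 user=svc-backup src=10.1.2.40 dst=db02 result=failure
2017-06-05T22:10:02 user=svc-backup src=10.1.2.40 dst=db03 result=failure
2017-06-05T22:10:03 user=svc-backup src=10.1.2.40 dst=db04 result=failure
2017-06-05T22:10:04 user=svc-backup src=10.1.2.40 dst=db05 result=failure
2017-06-05T22:10:05 user=svc-backup src=10.1.2.40 dst=db06 result=failure
"""


def parse_log(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if not {"user", "dst", "result"} <= set(fields):
            continue
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(fields)
    return events


def _windows(evs: List[Dict], window: timedelta) -> Iterator[Tuple[Dict, List[Dict]]]:
    """Yield (start event, events within `window` after it), time-ordered."""
    evs = sorted(evs, key=lambda e: e["ts"])
    for i, start in enumerate(evs):
        yield start, [e for e in evs[i:] if e["ts"] - start["ts"] <= window]


def _group_by_user(events: List[Dict], result: str) -> Dict[str, List[Dict]]:
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == result:
            by_user[e["user"]].append(e)
    return by_user


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5) -> List[Dict]:
    """One account reaching >= min_hosts distinct hosts inside the window."""
    alerts = []
    for user, evs in _group_by_user(events, "success").items():
        for start, batch in _windows(evs, window):
            hosts = sorted({e["dst"] for e in batch})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_fan_out", "user": user,
                               "first_seen": start["ts"], "hosts": hosts})
                break  # one alert per account per run
    return alerts


def detect_failed_auth_burst(events, window=timedelta(minutes=1), min_failures=5) -> List[Dict]:
    """>= min_failures failed logons for one account inside the window."""
    alerts = []
    for user, evs in _group_by_user(events, "failure").items():
        for start, batch in _windows(evs, window):
            if len(batch) >= min_failures:
                alerts.append({"rule": "failed_auth_burst", "user": user,
                               "first_seen": start["ts"], "count": len(batch),
                               "hosts": sorted({e["dst"] for e in batch})})
                break
    return alerts


def detect(events: List[Dict]) -> List[Dict]:
    return detect_fan_out(events) + detect_failed_auth_burst(events)


EVENTS = parse_log(SAMPLE_LOG)
ALERTS = detect(EVENTS)

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

On the constructed log, alice’s two hosts stay below the fan-out threshold, bob’s five distinct workstations inside two minutes raise `lateral_fan_out`, and the six failures for `svc-backup` within five seconds raise `failed_auth_burst`. Both rules are deliberately per-account rather than per-source so that a service account used from a compromised host is still caught; real deployments would add allow-lists for scanners and management servers that legitimately touch many hosts.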