After many years, lateral movement still presents a problem for organizations. Abusing identity infrastructure designed as much as 20 years ago, using techniques that have long since been in the public domain, we could assume that security and risk teams would have a handle on it by now. Unfortunately, that’s not true.
Think of the scale of the impact: lateral movement has played a role in most big-name breaches in recent memory. The most recent Uber breach, the SolarWinds compromise, and the ransomware attack on the Colonial Pipeline are all examples of what can happen when an attacker has the freedom to move across an environment without being stopped. In fact, lateral movement figures in almost 60% of attacks today.
To address this threat, first, it’s important to understand it. The precursor to lateral movement is achieving initial compromise. Relatively trivial to achieve nowadays, attackers can obtain the credentials necessary to gain a toehold through any number of well-worn techniques. Social engineering exploits and phishing are common, although with 24 billion user names and passwords circulating on the dark web, there’s a low barrier of entry.
From patient zero, threat actors begin lateral movement in earnest. In essence, this entails compromising new identities, both human and machine, or elevating existing privileges to gain access to the next network resource – each more valuable than the last. They aim to arrive at critical systems, databases, and other high-value targets.
Technically, attackers use a variety of methods once inside an environment to compromise identities. These range from dumping passwords, hashes, and usernames from system memory, abusing vulnerabilities in identity infrastructure or even grabbing credentials directly from network shares.
The challenges of defending against these attacks
Attackers don’t need malware to perform lateral movement. Attackers “live off the land” – using available tools and infrastructure and disguising themselves as legitimate users. In the Uber attack, for example, not even that was needed. The whole attack could have been instigated from a home computer, an impressive feat for an attack that managed to penetrate corporate systems with such depth.
Additionally, the disparate nature of identity inside the modern enterprise makes a consolidated view of this risk difficult. Organizations now typically use a fragmented mix of legacy on-premises identity directories and cloud-based IdPs - which don’t fully integrate with one another. This creates blind spots for attackers to slip into.
This all combines to mean that it’s very difficult to act in time to stop a threat actor moving around a network. Given the lack of visibility and the dynamic nature of lateral movement, some security teams are behind the attacker.
Guidelines for lateral movement detection and prevention
Implementing multi-factor authentication in the areas of the environment that are used in such attacks suffocates a threat actor’s attempts to move laterally. Wrapping MFA around legacy applications, PAM solutions, critical IT infrastructure and access interfaces like PsExec and Remote Powershell offers a secondary challenge that stops them from being abused. Of course, security teams need to issue this in an intelligent manner which adapts to the user to ensure minimal friction.
Organizations should also seek to provide controls on the automated, non-human, identities also used in lateral movement, otherwise known as service accounts. Security teams can achieve this by building a baseline picture of activity to understand what normal behavior looks like, so they can spot and block anomalies.
Preventing lateral movement can choke off a path used by ransomware actors, prevent data breaches, and deny access to business-critical infrastructure. Done correctly, identity can become a force-multiplier for organizations, instead of having it used against them.
Yaron Kassner, co-founder and CTO, Silverfort
