Combating Lateral Movement and the Rise of Ransomware

When the pandemic made its impact around the globe early last year, it simultaneously ushered in an exponential surge in cybersecurity attacks. In the scramble to mass-migrate businesses to virtual work environments, many did not have the time nor resources to implement strong cybersecurity policies and processes. This climate has allowed ransomware attacks in particular to boom in nearly all industry verticals, impacting critical infrastructure, utilities, transport, food supplies, healthcare, education, and the US economy at federal, state, and municipal levels.

Ransomware attacks are now considered a risk to national security following the sweeping uptick in cyberattacks. In May, President Biden signed an executive order with the goal of bolstering US cybersecurity defenses. Threat actors are quickly evolving their tactics and targets when it comes to deploying ransomware attacks. Seen in recent high-profile cases including Colonial Pipeline, JBS S.A., CNA Financial Corp., and more, ransom demands have skyrocketed, and the adversaries are now specifically focused on exfiltrating large amounts of sensitive data. Once targeting small companies or individuals, threat actors are now making headlines by growing their attack radius to include major infrastructure companies and even leading security firms.

By nature, ransomware attacks are versatile and strategically designed produce significant profits for threat actors. They can be carefully crafted to target a specific business and then strike at a critical moment of weakness. Recognizing the five phases of a ransomware attack is the first step in preparing for detection and prevention.

 
Phase 1 – Research & Campaign
First, the actors research all exploitable aspects of their victim. This may include:

• Collecting employee names and email addresses
• Performing social media crawls
• Understanding financials through press releases and company reports
• Compiling a list of frequently contacted contractors, partners, and/or vendors

Armed with the right background information, the actors can tailor the campaign in which they infiltrate your business. Methods such as phishing/whaling emails and social engineering will target employees. If credential dumps are easily accessible to the actors, then they may authenticate using VPN. If they are using open-source tools, then open ports and vulnerabilities may be leveraged without having to perform a network scan.

 
Phase 2 – Infiltration & Infection
In this phase, the ransomware is installed through the phishing/whaling email, exploit kit, etc. Once the malicious code is downloaded onto an endpoint, code execution begins. When the threat actors shift from an external position to the internal system, this is known as vertical movement in the ransomware attack. At this stage, the network is infected, but no data is encrypted yet for ransom.

 
Phase 3 – Internal Reconnaissance (Lateral Movement)
Threat actors work quickly to hide evidence of their entry and begin to move throughout the network by stealing credentials to elevate their access and permissions. This is called lateral movement and is a key tactic that allows them to avoid detection and embed themselves deep into the network. Jumping from one system to another, the actors seek to compromise additional systems and user accounts along the way. In this stage, the actors may remain undetected for weeks or even months while they stealthily scan for access, data, and assets to steal and encrypt.

 
Phase 4 – File Encryption
Once the threat actors have fully completed their internal reconnaissance and taken inventory of the network, the encryption process begins. Threat actors will usually delete any backups and then perform a secure key exchange. Here, the ransomware contacts the command and control server operated by the actors and generates the keys to be used in the next phase. During this file encryption phase, it is also common for the actors to corrupt local files and folders, making it harder for response teams to restore systems back to its original pre-infiltration state.

 
Phase 5 – Pay Day
Gaining their targets and the payload, the threat actors finally activate the malware and launch their communication announcing the ransom. The ransom notes appear in all compromised points across the victim’s environment and detail the payment demands. Cryptocurrencies such as Bitcoin are common forms of payment as it is untraceable. Upon payment, the victim is given the decryption keys or instructions on how to decrypt their data.

Advanced persistent threats (APTs) are seeing increased success due to lateral movement techniques. When threat actors infiltrate a network, the initial, vertical entry seldom causes damage. Actors are likely to break in through low-level web servers, compromised email accounts, or a poorly protected endpoint device. The real damage begins once the actors secure their foothold and start to pivot laterally through the rest of the environment to find and reach their targeted assets. Examples of lateral movement techniques include:

• Exploiting remote services
• Remote service session hijacking
• Pass the Hash (PtH)
• Pass the Ticket (PtT)

By taking advantage of one vulnerability, threat actors use lateral movement techniques to access many systems within an IT environment, obtaining the privileges and access they need along the way to their target. While pivoting laterally, actors will utilize anything they come across that may help them access a targeted asset more efficiently. By leveraging built-in operating systems and other IT policies and support tools that your business already uses day-to-day, they can save their own resources and evade detection, appearing as anomalous network activity.

Lateral movement is a critical element in the execution of long term, persistent ransomware attacks. Rather than just compromising a single asset or target, threat actors use these techniques to establish a persistent, malicious presence in their victim’s environment.

On average, a security breach averages approximately 150 days between the initial compromise and detection. Most companies are unable to detect lateral movement because it is lost among the regular traffic of daily network traffic and operations. Even platforms such as SIEMs (Security Information and Event Management), advanced analytics tools, anti-malware, and anti-virus solutions have proven inadequate at catching this phase in the attack lifecycle.

However, it is during the lateral movement phase that threat actors are most vulnerable to detection. Having the right tools and cybersecurity best practices in place can minimize the chance of infiltration and, in the case of a breach, detain the actors before they can take root and devastate your business. Below are the three core elements needed to prevent lateral movement:

 
Purpose-Built Managed Detection & Response (MDR) Platform
When an attack occurs, detection and response times often determine whether the actors succeed in their efforts. To combat the sophisticated attacks occurring in today’s cyberthreat landscape, investing in an around-the-clock true Managed Detection and Response (MDR) service means that you can fight back within minutes and hours, not days and weeks. MDRs can help close the gap between the identification of an event and the actual response and remediation. By immediately shutting down or isolating endpoints, MDR analysts can terminate malicious processes, delete bad files, and stop the threat from moving laterally into other systems.

Combining both prevention and advanced tradecraft detection technologies means that you can monitor your account activity and behavior in real-time; a critical factor in staying ahead of threat actors. 24/7 active threat hunting and response service provided by experienced analysts can detect reconnaissance activities at their earliest stages. With monitoring, detection, and response executed in tandem, MDR analysts have unparalleled visibility into hacker tradecraft, lateral spread, and remote privileged activity.

 
Proactive Threat Hunting by Experienced Analysts
Threat hunting is the practice of being proactive in the search for cyberthreats within an organization’s network. It is performed deep within the network to deliberately search for hidden actors and malware that may have found a way to exist undetected otherwise. Many organizations invest in various managed services and tools in defense, but MDR threat hunting is a crucial, offensive strategy. Threat hunting has three main components:

• Investigation through threat intelligence and hypothesis
• Analysis of Indicators of Compromise (IoC) / Indicators of Attack (IoA)
• Machine learning and advanced telemetry

Threat hunters are high-specialized and trained specifically in hacking tradecraft. They always take an ‘assume breach’ stance and investigate thoroughly to find evidence of suspicious behavior or changes that may indicate the existence of threat. These threat hunters rely on security experience and human analysis of current threat tactics, techniques, and procedures (TTP) to instigate hypothesis-driven hunts. The human-powered element is a vital link that synchronizes collected threat intelligence, data logs, and advanced security technology towards safeguarding your business.

 
Strict Cybersecurity Hygiene & IT Best Practices
Set your business up for success by adopting tried and true cybersecurity hygiene practices. When consistently executed, they can help prevent breaches from occurring at all. This is especially true for the IT world as even one breach could be detrimental to your operations. Here are some examples of cyber hygiene best practices you can implement to strengthen your in-house security and fight back against lateral movement:

• Implement a principle of least privilege (PoLP) and zero trust model/architecture
• Ensure networks are properly segmented
• Practice stringent password management including password complexity, rotation, and expiry
• Establish app-based multi-factor authentication (MFA/2FA) for all devices and RMM tools
• Keep your software up to date. Ensure that patching and upgrade activities are completed particularly for firewall and VPN appliances.
• Remove internet-exposed remote desktop services (RDP) services
• Run regular vulnerability assessments against all systems on your network

When an attack occurs, detection and response times often determine whether the actors succeed in their efforts. With attackers acting faster than ever, investing in an around-the-clock true Managed Detection and Response (MDR) service means that you can fight back within minutes and hours, not days and weeks.

Blackpoint’s SNAP-Defense is a Security Operations & Incident Response platform built by experienced engineers and former cybersecurity operators. It detects lateral movement in its earliest stages, allowing you to instantly neutralize threats before they spread. SNAP-Defense is the only product on the market that alerts on privileged activity, giving our MDR analysts the ability to detain an infected asset before threat actors can complete their mission. Learn more about Blackpoint’s mission to help MSPs and their clients fight and win against lateral movement here.

• White House Statements & Releases: “FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks”
• MITRE ATT&CK Lateral Movement Definitions Page