Lateral movement and credential theft were present in almost every breach in the past 10 years; it’s crucial for organizations to prioritize detecting and responding to these tactics.
Leveraging privileged credentials to operate a modern IT network is the norm for most companies, and unfortunately hackers know this and use it to their advantage. In almost every breach over the past 10 years, privileged credential theft and the ensuing lateral movement is present; it only takes the theft of one highly privileged account to bring a company to its knees. While this might sound ominous, that’s precisely what lateral movement attacks are counting on.
Endpoint security remains a top priority for all organizations in 2020, as attacks become more complex. In fact, Help Net Security notes that 70% of cyber-attacks originate from endpoints. Yet forecasts show that securing endpoints will account for only 24% of global security spending of about $128 billion.
This, together with the growing shortfall of cyber security professionals, shows how difficult the modern cyber security landscape has become, and it has led to a spike in demand for talent in the area. An overview of the cyber security industry by Maryville University points out that the demand for skilled security professionals has risen to almost 3 million around the globe, and the numbers are expected to increase. (ISC)2 reports that the shortage of cyber experts has increased 40% since 2018. Under these circumstances, more organizations have started relying on breach detection, threat hunting, response and automation software and/or managed security services to augment their defensive capabilities.
What is Lateral Movement?
Lateral movement is an attack technique that hackers use to spread through a network as they search for key assets and data. One often overlooked challenge hackers face is figuring out where they are in a breached environment, where they can go, and where the data that satisfies their objectives is stored. To increase the odds of finding the right system and/or data, a hacker will almost always turn to lateral movement techniques. Most of these techniques use living-off-the-land tradecraft that relies on privileged credentials and mimics what Windows domain administrators do every day; this is precisely what makes detection so difficult for most organizations, assuming the anti-malware tools fail to catch the malicious toolset.
Best Practices in Prevention
Here are some of the actions you can take:
1. Apply the principle of least privilege. Limiting the distribution of privileged accounts and monitoring privileged credential use in real time are good places to start for detecting lateral movement within your network. Users in your network must have access standards, and their accounts must be tiered according to what they can access. A regular scrub of privileged accounts and an adhered-to policy on account use and distribution are necessities in today’s IT environments; as hackers point out, privileged accounts (usually those of IT managers) are their first target.
2. Implement application whitelisting. Only allow necessary applications to run in your network and log all attempts to launch other applications. Application whitelisting is not a silver bullet, but it can make launching malware a bit more difficult and force the adversary to make more noise, which increases the chances of detection.
3. Use multi-factor authentication (MFA). It’s alarming how many systems today still use single-factor authentication to manage account and network access. Enabling MFA on the systems that support it, and especially on any internet-facing web application, improves your chances of preventing the privileged access that enables lateral movement.
4. Automate or reinforce password management policies. In addition to MFA, your organization can benefit from the added layer of security that automated password protocols and SSH key management tools provide. The unique passwords these tools enforce eliminate a sizeable portion of brute-force attacks.
5. Leverage on-prem technologies for catching the reconnaissance phase of a breach. Hackers expose themselves when they run targeted port scans to work out where they are in the network. A tuned Intrusion Detection System (IDS) will pick up on the tell-tale signs of port scanning and alert you before it’s too late.
6. Use Managed Detection and Response services. The lateral movement phase of an attack is a point in the breach where the hacker is observable to defenders. With the right technology, automation and human monitoring, this phase of the breach can be caught even if anti-malware or next-generation anti-virus misses it.
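As an added illustration of item 1 (real-time monitoring of privileged credential use and account tiering), not part of the original article, the script below runs two simple detections over a constructed batch of Windows network-logon events (Event ID 4624, logon type 3): a privileged account fanning out to many distinct hosts in a short window, and an account logging on to a host of a lower trust tier than its own. All host names, account names and tier assignments are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4624 / logon type 3 events, flattened to the
# fields a SIEM normally exposes. Every host and account name is made up.
SAMPLE_LOGONS = [
    # (timestamp, account, source host, target host)
    ("2020-06-01T09:00:05", "CORP\\jsmith",  "WS-101", "WS-101"),
    ("2020-06-01T09:02:10", "CORP\\adm-ops", "WS-101", "FS-01"),
    ("2020-06-01T09:02:31", "CORP\\adm-ops", "WS-101", "FS-02"),
    ("2020-06-01T09:02:58", "CORP\\adm-ops", "WS-101", "SQL-01"),
    ("2020-06-01T09:03:20", "CORP\\adm-ops", "WS-101", "DC-01"),
    ("2020-06-01T09:03:44", "CORP\\adm-ops", "WS-101", "APP-07"),
    ("2020-06-01T11:15:00", "CORP\\adm-dc",  "PAW-01", "DC-01"),
    ("2020-06-01T11:40:12", "CORP\\adm-dc",  "WS-205", "WS-205"),
]

# Assumed tier model: 0 = domain controllers and admin workstations, 1 = servers,
# 2 = user workstations. An account must not log on to a host of a lower trust
# tier (higher number) than its own, because that exposes its credential there.
ACCOUNT_TIER = {"CORP\\adm-dc": 0, "CORP\\adm-ops": 1, "CORP\\jsmith": 2}
HOST_TIER = {"DC-01": 0, "PAW-01": 0, "FS-01": 1, "FS-02": 1, "SQL-01": 1,
             "APP-07": 1, "WS-101": 2, "WS-205": 2}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_fan_out(events, max_hosts=4, window=timedelta(minutes=5)):
    """Privileged (tier 0/1) accounts reaching more than max_hosts distinct
    targets inside one window: the fan-out pattern of lateral movement."""
    by_account = defaultdict(list)
    for ts, account, _src, target in events:
        if ACCOUNT_TIER.get(account, 2) <= 1:
            by_account[account].append((_parse(ts), target))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {t for when, t in logons[i:] if when - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((account, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def detect_tier_violations(events):
    """Logons where the account is more privileged than the target host."""
    return [(account, target) for _ts, account, _src, target in events
            if ACCOUNT_TIER.get(account, 2) < HOST_TIER.get(target, 2)]
```

On the sample, the fan-out check flags CORP\adm-ops touching five servers inside two minutes, and the tier check flags the tier-0 account CORP\adm-dc logging on to the workstation WS-205.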
While Dark Reading notes that the average cybercriminal takes nine hours and 42 minutes to accomplish lateral movement, more advanced attacks can move through a network within 19 minutes. As attackers get better at lateral movement, organizations must counter this by increasingly taking the defensive high ground.