Limiting the Blast Radius - Preventing Lateral Movement is Absolutely Critical


 

Introduction

This whitepaper provides a detailed exploration of the lateral movement tactics outlined in the MITRE ATT&CK framework (v12.1). We provide insights into adversaries’ tactics (including those leading up to and following lateral movement), cover best practices for detecting and preventing lateral movement, and explore the financial, risk, and organizational impacts, as well as the latest technologies and best practices for defending against these tactics.

The impact of a limited attack on one device versus a larger attack on devices across your network can be extraordinary. The damage can quickly escalate into a much larger and more complex breach, potentially costing millions in lost revenue, regulatory fines, legal fees, and reputational damage.

That is the reason attackers have invested heavily in making lateral movement and defense evasion tactics more sophisticated and harder to detect. Looking at the most damaging breaches in 2022, lateral movement was a major contributor to the scale of the damage in the Uber breach, in the attacks on six US state governments, and in most Industrial IoT attacks. Before that, the SolarWinds and Microsoft exploits were exponentially worse because of lateral movement or, in the case of Colonial Pipeline, the fear that the attack would spread across the entire operational network.

Looking back 10-20 years, attackers mainly relied on techniques such as exploiting vulnerabilities, using stolen credentials, and leveraging trusted relationships to move within a network. As defenders put more effective controls in place, attackers developed techniques to move around a network while evading detection. Combined with persistence, they conduct reconnaissance, discover exposed vulnerable devices, credentials, applications, and data, and escalate privileges.

In the following sections, we will explore each of the nine lateral movement techniques in enterprise networks, and discuss best practices for detecting and preventing them. We will also examine the latest technologies and best practices for defending against lateral movement attacks.

 

Lateral Movement Techniques (for enterprise)

(Authors’ Note: Lateral movement in ICS networks is a more prominently used attack vector than it is in the attack flow of an IT network. This is due to the types of devices in an ICS network, their capabilities, and their unique vulnerabilities. But the concepts are the same. For brevity, we list only the IT exploits here, and provide the ICS tactics in a chart that follows.)

Exploitation of Remote Services uses known vulnerabilities in services such as Windows SMB, domain controllers, RDP, and other remote access methods that are often accessible from the internet or may not be patched or configured securely.

Internal Spearphishing uses a compromised user account to send phishing emails to other employees, containing a malicious attachment or link that installs malware.  The attacker can then use the compromised computer to move laterally within the network.

Lateral Tool Transfer moves tools and scripts between systems in order to compromise them. These include password dumping tools, remote access tools, and utilities to escalate privilege and compromise the endpoint or asset.

Remote Service Session Hijacking gains access to other systems via a variety of methods, including Session Fixation or Adversary-in-the-Middle attacks. Two common types of remote service session hijacking are:

  • SSH Hijacking intercepts SSH traffic or compromises a system with an active SSH session.
  • RDP Hijacking intercepts RDP traffic or compromises a system with an active RDP session.

Remote Services use Valid Accounts to log into a service specifically designed to accept remote connections, such as SMB, telnet, SSH, or VNC.

Replication Through Removable Media moves onto systems, including air-gapped ones, by copying malware to removable media (e.g., USB drives) that autoruns when the media is inserted.

Software Deployment Tools let adversaries move laterally by installing malware across a network or executing commands remotely. Because they use common IT tools to remotely install and manage software, they avoid detection.

Taint Shared Content injects malicious code into a shared file or folder accessed by multiple users. Once the shared content is accessed, the malware infects the user's device and can move laterally throughout the network.

Use Alternate Authentication Material gains access to sensitive information via application access tokens, stolen credentials, or credentials harvested from previously compromised systems. Examples include:

  • Application Access Tokens are typically used by applications to authenticate with other applications or services, but can also be used by attackers to access sensitive systems.
  • Pass the Hash steals hashed credentials from a compromised device and uses them to authenticate to other systems. 
  • Pass the Ticket steals ticket-granting tickets (TGTs) from a compromised device and uses them to authenticate to other systems. TGTs are used in Kerberos authentication and can grant access to multiple systems.
  • Web Session Cookie often bypasses MFA since the session is already authenticated.
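Several of the techniques above (Remote Services, Remote Service Session Hijacking, Pass the Hash, Pass the Ticket) share one network-visible trait: a single account from a single source host authenticating to many other hosts in a short time. The following is an added example, not code from this whitepaper or from Byos, that flags that fan-out over a small set of constructed authentication events shaped like Windows Security event 4624 (successful logon; logon type 3 is a network logon). The field layout, account names, host names and thresholds are assumptions made for this example.

```python
"""Fan-out detector for lateral movement over remote services.

Added example, not from the whitepaper. The event layout below is a
constructed, simplified view of Windows Security event 4624:
time, event_id, account, source_ip, destination_host, logon_type, auth_package
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: ordinary activity plus one account hopping across
# six workstations in about 90 seconds via NTLM network logons.
SAMPLE_EVENTS = """\
2024-05-01T09:00:05Z,4624,CORP\\jdoe,10.0.1.15,FS01,3,Kerberos
2024-05-01T09:02:11Z,4624,CORP\\jdoe,10.0.1.15,FS01,3,Kerberos
2024-05-01T10:15:00Z,4624,CORP\\svc_backup,10.0.1.42,WS-101,3,NTLM
2024-05-01T10:15:09Z,4624,CORP\\svc_backup,10.0.1.42,WS-102,3,NTLM
2024-05-01T10:15:21Z,4624,CORP\\svc_backup,10.0.1.42,WS-103,3,NTLM
2024-05-01T10:15:40Z,4624,CORP\\svc_backup,10.0.1.42,WS-104,3,NTLM
2024-05-01T10:16:02Z,4624,CORP\\svc_backup,10.0.1.42,WS-105,3,NTLM
2024-05-01T10:16:30Z,4624,CORP\\svc_backup,10.0.1.42,WS-106,3,NTLM
2024-05-01T11:00:00Z,4624,CORP\\asmith,10.0.1.77,WS-200,2,Kerberos
2024-05-01T13:00:00Z,4624,CORP\\svc_backup,10.0.1.42,WS-107,3,NTLM
"""


def parse_events(text):
    """Parse the constructed CSV layout into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, dst_host, logon_type, auth_pkg = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "account": account,
            "src_ip": src_ip,
            "dst_host": dst_host,
            "logon_type": int(logon_type),
            "auth_pkg": auth_pkg,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_fan_out(events, window_seconds=600, threshold=5):
    """Raise one alert per (account, source IP) that reaches `threshold`
    distinct destination hosts through successful network logons
    (event 4624, logon type 3) inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (account, src_ip) -> deque of (time, host, auth)
    alerted = set()
    alerts = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue              # interactive/service logons are not lateral hops
        key = (e["account"], e["src_ip"])
        q = recent[key]
        q.append((e["time"], e["dst_host"], e["auth_pkg"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()           # expire events that fell out of the window
        hosts = {h for _, h, _ in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)      # one alert per pair, fired at the first crossing
            alerts.append({
                "account": key[0],
                "src_ip": key[1],
                "distinct_hosts": len(hosts),
                "hosts": sorted(hosts),
                "auth_packages": sorted({a for _, _, a in q}),
                "window_start": q[0][0],
                "window_end": e["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['account']} from {alert['src_ip']} reached "
              f"{alert['distinct_hosts']} hosts between {alert['window_start']:%H:%M:%S} "
              f"and {alert['window_end']:%H:%M:%S}: {', '.join(alert['hosts'])} "
              f"(auth: {', '.join(alert['auth_packages'])})")
```

Run as-is it prints the one alert the constructed sample contains. The threshold and window need tuning per environment: backup, patching and vulnerability-scanning accounts legitimately fan out, so baseline those and allow-list them rather than lowering the threshold, and treat NTLM network logons originating from a workstation rather than a server as a secondary signal worth checking when an alert fires.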

 

Tactics, Techniques and Prevention

This chart lists the MITRE ATT&CK Framework Lateral Movement techniques for enterprise networks, those techniques that can escape detection of MDRs and XDRs using common tactics, and the impact of preventing lateral movement:

Lateral Movement Techniques in enterprise IT networks | Common tactics known to evade detection | Network Lateral Movement Prevention is Effective
----------------------------------------------------- | --------------------------------------- | -----------------------------------------------
Exploitation of Remote Services                       | yes                                     | yes
Internal Spearphishing                                | yes                                     | no
Lateral Tool Transfer                                 | yes                                     | unless admin control is not compromised
Remote Service Session Hijacking                      | yes                                     | yes
Remote Services                                       | yes                                     | yes
Replication Through Removable Media                   | yes                                     | no
Software Deployment Tools                             | yes                                     | unless admin control is not compromised
Taint Shared Content                                  | yes                                     | yes
Use Alternate Authentication Material                 | yes                                     | no

 

This chart lists the MITRE ATT&CK Framework Lateral Movement techniques for ICS networks, those techniques that can escape detection of MDRs & XDRs using common tactics, and the impact of preventing lateral movement:

Lateral Movement Techniques in ICS networks | Common tactics known to evade detection | Network Lateral Movement Prevention is Effective
------------------------------------------- | --------------------------------------- | -----------------------------------------------
Default Credentials                         | yes                                     | yes
Exploitation of Remote Services             | yes                                     | yes
Hardcoded Credentials                       | yes                                     | yes
Lateral Tool Transfer                       | yes                                     | yes
Program Download                            | yes                                     | yes
Remote Services                             | yes                                     | yes
Valid Accounts                              | yes                                     | yes

Some fairly evident conclusions can be drawn from the charts above.

  • Some attack vectors in the lateral movement stage cannot be detected, because:

    • Adversaries use common tools so that their activity appears to be normal behavior on the endpoints.

    • Protections and detections differ between IT and ICS because IT and ICS devices differ in purpose and use. For instance, IT devices tend to perform a broad range of tasks and communicate with many different hosts and types of hosts, while OT devices tend to perform a single task and communicate with a limited number of hosts.

  • Device cloaking technology, particularly for ICS/IIoT/IoT, is the most effective way to combat adversaries’ success because it prevents initial access, minimizes lateral movement, and circumvents the techniques that move over the network. Preventing an adversary from gaining an initial foothold is the most effective means of preventing lateral movement overall.

  • Protecting credentials and access controls limits the damage a threat actor can do. Phishing campaigns can thwart most common detections, but spearphishing requires much more effort on the part of the threat actor. The human factor must be taken into consideration, so passwordless and FIDO authentication should be used where possible.

  • The proper combination of network/endpoint protection, SASE/SSE, passwordless and FIDO technologies can PREVENT 95% of the lateral movement that allows threat actors to avoid detection. These technologies are relatively simple to design, deploy, and maintain compared to the complex and ineffective tools of the past. For instance, 2-3 of the best-in-class network/endpoint and SASE/SSE technologies on the market today can replace the 6-14 products that would have been required in the past.

Understanding how these tactics are performed and how they affect the rest of the attack flow helps in developing the controls, processes, and technologies that interrupt attackers before they complete their attack plan and reach their goals.

(Figure: MITRE ATT&CK attack flow interruption)

Designing your Defense Strategy

Lateral movement tactics are used by attackers to spread the damage they can do across as many devices as possible. Ransomware is an excellent example, since it is the best-known type of lateral movement exploit, because:

  1. its mechanisms for spreading across the network are automated, so the spread can be very fast,

  2. threat actors build code into their ransomware that specifically evades the protections an organization has in place, and

  3. it can be sold as ransomware-as-a-service to reach a greater number of victims.

Lateral movement tactics are used only after a foothold has been gained on at least one device; attackers then cycle between moving and doing reconnaissance to find new targets inside the network. Once a bad actor has gained access to a large number of devices and a broad array of device types, the options available to do damage become far greater. That is why preventing initial access and lateral movement is critical to constructing a more effective defense. Whenever either of those two attack vectors is prevented, the negative consequences of the rest of the attack campaign are reduced to nothing, or limited to a single device.

Assessing your risk exposure informs your cybersecurity technology acquisition budget, user training, and device/network hardening plan. The key objective is to balance prevention with detection in a solid layered defense model.

 

Layered Defense - Preventing & Detecting Lateral Movement

Prevention

Traditional technologies that can prevent these attacks include intrusion prevention systems (IPS), firewalls, and endpoint hardening and containment tools. Nonetheless, these widely deployed technologies have a reputation for being easily bypassed by bad actors and penetration testing teams. This is not due to defects in the technologies themselves, although the number of CVEs being published might lead some to belabor this point. The truth is that there are three primary reasons these older technologies don’t live up to their promise:

  • Legacy security protections were designed for a perimeter-based, single-purpose role, in days long gone when attacks were not as sophisticated.

Firewalls, for example, despite their reputation for being porous, are an effective prevention technology for the purpose for which they were designed. Properly configured firewalls prevent bad actors from accessing an asset from outside the firewall. So bad actors must find a way around the firewall, typically through another device, user error, or stolen credentials. Once a device inside the firewall is compromised, its outbound malicious traffic is able to operate freely on the local network as well as initiate traffic to devices outside the firewall perimeter.

If we were to place a firewall directly in front of each device, the majority of inbound threat vectors would be prevented. Adding outbound packet inspection would prevent malicious traffic from escaping the device.

  • Legacy administrative interface designs bring a lot of baggage, which leads to policy rules that drift from their original intent and design. Legacy protections are also tied to underlying data structures and assumptions designed without full consideration for modern computing (cloud, remote, BYOD, IoT, etc.). Changing those architectural underpinnings would cause extensive unintended consequences for their loyal customer base.

  • The complexity of these tools in the cybersecurity portfolio, with their dated integrations, creates many gaps, because a change in one technology can improve the posture in one place while creating a gap in another.

Replacing or updating these legacy preventions with technologies designed to address the ways computing has changed leads to the following best practices and best-in-class implementations:

    1. Update outdated operating systems, device drivers, and software (taking into consideration the legitimate concerns and complexities involved in making changes to production equipment).

    2. Extend the edge security model across the extended enterprise (all remote access, third-party access, WfA, IoT, cloud, and BYOD):

      • Block all east/west peer traffic.

      • Allow access only to the ports necessary for north/south traffic (between clients and servers).

      • Block all broadcasts and multicasts coming from endpoints.

      • Remove the communication security stack from the O/S to prevent compromised systems from bypassing, replacing, or disabling endpoint protections and evading detection.

      • Implement port-level deny-by-default access rules. Plan and deploy a zero-trust framework, meaning the principle of “absolute least privilege”: give only the minimum amount of access required for the role and the work to be performed.

    3. Implement passwordless and FIDO2 technology and develop rule/role-based logon restrictions.
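The per-device firewall idea from the Prevention discussion and the bullets under step 2 (no east/west, north/south on listed ports only, no endpoint-originated broadcast or multicast, deny by default) can be written down as one small policy. The following is an added example, not code from this whitepaper or from Byos: it renders such a policy as an nftables ruleset for a Linux endpoint and mirrors the same decisions in a small function so the policy can be reasoned about and tested without loading it. The subnet, server addresses, service list and table name are constructed assumptions; the nft syntax itself is standard.

```python
"""Deny-by-default host-edge policy rendered as an nftables ruleset.

Added example, not from the whitepaper or from Byos. The subnet, server
addresses and service list are constructed assumptions.
"""
import ipaddress
import shutil
import subprocess

# Assumed topology (constructed for this example).
LOCAL_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # the endpoint's own LAN
NORTH_SOUTH_SERVICES = [
    # (server, protocol, port, purpose)
    ("10.0.1.2", "udp", 53, "DNS resolver; it sits on the LAN, so it needs an explicit allow"),
    ("10.0.50.10", "tcp", 443, "HTTPS application server"),
    ("10.0.50.20", "tcp", 445, "SMB file server"),
]


def render_ruleset(local_subnet=LOCAL_SUBNET, services=NORTH_SOUTH_SERVICES, allow_dhcp=True):
    """Render the policy as an nft script: drop by default in both directions,
    accept only replies, DHCP (optional) and the listed north/south services,
    and drop endpoint-originated broadcast, multicast and east/west traffic."""
    lines = [
        "flush ruleset",
        "table inet host_edge {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iif "lo" accept',
        "        ct state established,related accept",
        "        ct state invalid drop",
        "        # no unsolicited inbound from LAN peers or anywhere else",
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oif "lo" accept',
        "        ct state established,related accept",
    ]
    if allow_dhcp:
        # Assumption: the host takes a DHCP lease; drop this rule for static addressing.
        lines.append("        udp sport 68 udp dport 67 accept  # DHCP lease acquisition/renewal")
    lines += [
        "        # endpoint-originated broadcast and multicast",
        "        ip daddr 255.255.255.255 drop",
        f"        ip daddr {local_subnet.broadcast_address} drop",
        "        ip daddr 224.0.0.0/4 drop",
        "        ip6 daddr ff00::/8 drop  # assumes IPv6 is disabled on the host (NDP needs ff02::/16)",
        "        # explicitly allowed north/south services",
    ]
    for server, proto, port, purpose in services:
        lines.append(f"        ip daddr {server} {proto} dport {port} accept  # {purpose}")
    lines += [
        "        # everything else toward LAN peers (east/west) is dropped and counted",
        f"        ip daddr {local_subnet} counter drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def classify_egress(dst, proto, port, sport=None, local_subnet=LOCAL_SUBNET,
                    services=NORTH_SOUTH_SERVICES, allow_dhcp=True):
    """Mirror of the output chain for a *new* flow; returns 'accept' or 'drop'.
    Rule order matches render_ruleset so the two cannot silently diverge."""
    addr = ipaddress.ip_address(dst)
    if allow_dhcp and proto == "udp" and port == 67 and sport == 68:
        return "accept"
    if (addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255")
            or addr == local_subnet.broadcast_address):
        return "drop"
    for server, sproto, sport_, _ in services:
        if addr == ipaddress.ip_address(server) and proto == sproto and port == sport_:
            return "accept"
    return "drop"   # LAN peers and every other destination: policy drop


def validate_with_nft(ruleset):
    """Syntax-check with `nft -c -f -` when nftables is installed (may need root).
    Returns True/False, or None when the nft binary is unavailable."""
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(["nft", "-c", "-f", "-"], input=ruleset,
                          text=True, capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    text = render_ruleset()
    print(text)
    print("nft -c result:", validate_with_nft(text))
```

Write the rendered text to a file and load it with `nft -f`. Two caveats matter here. First, this policy is enforced by the endpoint's own operating system, so a compromised host with administrative rights can flush it; that is exactly the gap the “remove the communication security stack from the O/S” item addresses, by enforcing the same policy from a point the endpoint cannot alter. Second, an `inet` table does not filter ARP, so LAN peers can still resolve the host at layer 2; the device cloaking the whitepaper describes goes further than this host-level filter.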

Newer technologies are not restricted by “the legacy ways of doing things”. User interface design has advanced by leaps and bounds over the last 3-4 years. Perimeter-less architectures have been developed with a broad understanding of the extended enterprise: mobile, BYOD, cloud, IoT, edge computing, Work-from-Anywhere, and third-party access. Innovative ways of cloaking devices and networks, true zero trust and true microsegmentation, and rapidly evolving attack prevention are coming from startups that will become the “next big thing”. In this rapidly changing technology landscape, you should be looking for technologies that can replace multiple others. Byos is a technology that does all of the above.

Detection and Other Protection

Of course, defense-in-depth presumes that no single prevention technology or mitigation is completely foolproof, so the other areas of defense should not be neglected. A regimen that includes the following protections is needed as well:

  • Awareness training

  • Vulnerability scanning and remediation

  • Anti-malware, anti-phishing, and other endpoint protection software

  • Network activity monitoring 

  • EDR/MDR/XDR/SIEM/SOC and Incident Response

 

Conclusion 

Adversaries’ rewards come from reaching their goals, whether those goals are financial, disruptive, or about achieving notoriety. By understanding the specific methods used for lateral movement, you can develop effective ways to reduce the “blast radius”. The most effective and cost-effective means of doing that is to prevent the compromise of the first device by making it undiscoverable and inaccessible.

When controls that prevent lateral movement are in place, the damage is far less, so more time is spent being proactive as opposed to reactive. By implementing effective prevention layers at various stages of the attack chain, organizations reduce the rate of adversaries’ overall success.

Intrusion detection, firewalls, and EDR/MDR/XDR/SIEM have limited effectiveness in preventing attackers from moving freely across a network. Regular vulnerability scans, penetration testing, red/purple team exercises, and dark web monitoring help identify potential exposures where your organization’s information could be or has been compromised or improperly exposed, but they require extensive resources and people to keep up to date and properly maintained. State-of-the-art defenses are technologies that cloak devices from being discovered or accessed, prevent lateral movement over the network, and provide “absolute least privilege” access controls.

It should be clear that an emphasis on prevention does not suggest that these other defensive controls should be ignored. A solid layered defense model includes detection and response in addition to the preventative measures we put in place. At the same time, prevention will reduce the operating budget needed for detecting and responding.

To learn more about how Byos can help you achieve your goal of preventing your adversaries from reaching their goals, connect with us on LinkedIn to start a conversation.

 

Epilogue: What are the Characteristics of Technologies that Truly Prevent Attack Vectors?

Many vendors play fast and loose with the term “prevent”. For instance, one vendor claimed that their solution prevented attacks because it was able to “detect in real time”. Obviously, nothing is perfect, and we would not dispute that anything connected to a network has the potential to be breached. With that stated, it is appropriate to set out the criteria that we propose must be met:

  • It cannot be bypassed, disabled, impersonated, or otherwise compromised with respect to the protections the technology is employed to provide.

  • It cannot be reverse engineered, nor can any of its components be easily revealed.

  • It stops an attack technique before the attack has an opportunity to start.

  • It does not produce false positives.

  • It must prevent both known and unknown threats.

  • Fail-open is not an option.  (But many situations will dictate “fail-open” to be necessary. A life-supporting medical device is a good example.)

  • Its access controls must be “default deny”.

  • For any conditions outside the parameters that are known, it will deny access.

Our definition of “prevention” does not require that the likelihood of an event occurring be mathematically impossible. But we think a reasonable definition is that the likelihood of success is so low that attackers will abandon their efforts rather than even try. For instance:

  • If a device in all cases discards any and all IP packets from sources that are not fully trusted, then the ability of an adversary to even know that the IP address is valid would be “impossible”. The device would not even process malformed packets.

  • If a user opened a malicious website, clicked a malicious link in an email, or plugged an infected USB drive into their device, and the device were unable to send packets to any of its peers on the local network or to any device outside the local network, its ability to discover and spread to other devices would be contained. Similarly, the ability to exfiltrate information or do any other damage would be prevented.

 
