Lateral movement has been a common factor in breaches for some time. As the effectiveness of perimeter defences has been gradually eroding, the main issue for attackers is no longer how to get into an organization – but how to move across the network to access their final target.
The typical environment has developed over time into a fragmented collection of technical resources – a variety of applications, servers, IT infrastructure, cloud workloads and more. While these resources are separate, they are all connected by identity and access management (IAM) – the infrastructure governing access throughout.
This is what attackers use to move laterally. Starting at patient zero, they move from one machine to another by abusing identity until arriving at their target destination to drop ransomware, steal sensitive information and more.
Understanding the fundamentals of lateral movement
As mentioned, it all starts with attackers gaining a toehold on a single machine, which is typically achieved through the use of malware or exploits.
Using patient zero as a launchpad, an attacker gains access to further machines by compromising credentials. Passwords, hashes and usernames are extracted from system memory and, once dumped, used to connect to subsequent machines and resources. The aim is to escalate access along the way, gaining permissions to increasingly valuable resources. Attackers are also able to abuse privilege escalation vulnerabilities to shortcut this process: by leveraging underlying flaws in identity infrastructure, an attacker can quickly assign administrator roles to their malicious account.
Ultimately, this chain reaction is repeated until attackers arrive at their target to deploy malware, exfiltrate data or access critical resources. Seemingly complex, such techniques have become commonplace; as with anything in security, the knowledge and tools required to carry out such attacks are now freely shared online.
The critical challenges of lateral movement detection
The key challenges of stopping lateral movement are a lack of visibility and an inability to act in real time.
Visibility is hard for three main reasons. First, such attacks abuse the very infrastructure put in place to act as an arbiter of trust for a domain. IAM governs access. By subverting the central system deciding who has access to what, an attacker’s actions are implicitly trusted regardless of malicious intent.
Second, lateral movement has a very limited footprint. Attackers ‘live off the land’: posing as trusted users, they use resources already available in the environment to achieve their ends, so their actions appear authentic. Because they require very few additional tools or processes, and often use trusted protocols to communicate externally, the chances of controls spotting anomalies are low.
The fragmented nature of identity poses the final challenge to visibility. Most organizations now operate a combination of on-premises directories and cloud-based IdPs which do not fully interoperate. This creates blind spots that attackers can leverage and introduces a significant amount of management complexity – which also drives up cost.
Without visibility, stopping lateral movement is hard. It becomes impossible to establish a baseline of activity for key resources such as service accounts, which attackers target to travel across an environment, and without that baseline, building rules to stop malicious use is impossible too. On top of this, common targets such as access interfaces, legacy applications, IT infrastructure and more are unprotected by MFA and wide open to abuse. Ultimately, security teams are left scrambling and on the back foot.
Establishing proactive defence using next-gen MFA and risk-analysis
Effective protection against lateral movement relies on consolidated visibility of identity across the multitude of silos in the environment, and proactive and adaptive authentication.
While historically difficult, it is now possible to capture, analyze and better understand consolidated identity data. This can be used to build a picture of the behaviour of human and automated accounts to understand events at a granular level, right down to individual access requests. By doing this, organizations can use risk analysis to pinpoint anomalous behaviours, highlighting where a threat actor is abusing an identity for malicious ends.
However, without the ability to deny access to the cascading array of technology used to move laterally, organizations will ultimately be unable to address the problem. Commonly abused access interfaces such as PsExec or Remote PowerShell, for example, are a gift to attackers who pose as admins and run commands on remote systems. Other resources such as file shares, legacy applications and other critical IT infrastructure are also typically wide open and used as stepping stones in lateral movement. Closing down suspicious access to these is central to suffocating the movement of a threat actor.
Doing so requires deploying proactive authentication on such resources to block malicious access attempts. This is where MFA, widely successful as a perimeter access control method, can have a real impact on lateral movement when deployed across the elements of a network targeted by attackers: the movement is effectively shut down.
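The two ideas above – baselining what human and automated accounts normally do at the level of individual access requests, and then answering each request with allow, step-up MFA or deny – can be shown in a single small model. The following is an added example and not the article's own tooling or any vendor's product: the logon records are constructed, the (account, source host, destination host, protocol) field layout is an assumption, and the scoring weights and thresholds are illustrative choices. It also goes one step beyond the text by tainting hosts reached through anomalous logons, so that the next hop in a chain is scored higher than the first.

```python
"""Identity-centric lateral movement detection with risk-based step-up.

Added example (not from the article). Records are constructed; the field
layout (account, src_host, dst_host, protocol) is an assumption.
"""
from collections import defaultdict

# Constructed historical logons: (account, source host, destination host, protocol)
BASELINE_LOGONS = [
    ("svc_backup", "backup01", "fs01", "smb"),
    ("svc_backup", "backup01", "fs02", "smb"),
    ("jdoe", "ws-jdoe", "fs01", "smb"),
    ("jdoe", "ws-jdoe", "mail01", "https"),
    ("admin_ops", "jump01", "dc01", "winrm"),
    ("admin_ops", "jump01", "fs01", "smb"),
]

# Remote-execution interfaces the article names as commonly abused stepping stones.
HIGH_RISK_PROTOCOLS = {"winrm", "psexec", "rdp"}


def build_baseline(logons):
    """Per account: the set of (src, dst, proto) triples seen historically."""
    baseline = defaultdict(set)
    for account, src, dst, proto in logons:
        baseline[account].add((src, dst, proto))
    return baseline


def score_request(baseline, account, src, dst, proto):
    """Return (score, reasons); a higher score means a more anomalous request."""
    score, reasons = 0, []
    if account not in baseline:
        score += 3
        reasons.append("account has no baseline")
    else:
        seen = baseline[account]
        if src not in {s for s, _, _ in seen}:
            score += 2
            reasons.append(f"new source host {src}")
        if dst not in {d for _, d, _ in seen}:
            score += 2
            reasons.append(f"new destination host {dst}")
        if proto not in {p for _, _, p in seen}:
            score += 1
            reasons.append(f"new protocol {proto}")
    # Remote-execution interfaces always carry a step-up, even on a known path.
    if proto in HIGH_RISK_PROTOCOLS:
        score += 1
        reasons.append(f"remote-execution interface {proto}")
    return score, reasons


def decide(score, mfa_capable):
    """Map a risk score to an access decision (thresholds are illustrative)."""
    if score == 0:
        return "ALLOW"
    if score >= 4:
        return "DENY"
    # Service accounts cannot complete an MFA prompt, so medium risk is denied.
    return "REQUIRE_MFA" if mfa_capable else "DENY"


def evaluate(baseline, account, src, dst, proto, mfa_capable=True):
    """Score one access request and return (decision, score, reasons)."""
    score, reasons = score_request(baseline, account, src, dst, proto)
    return decide(score, mfa_capable), score, reasons


def detect_chain(baseline, events):
    """Walk events in order; a logon sourced from a host that was itself reached
    by an anomalous logon is treated as a chained hop and scored higher."""
    tainted, findings = set(), []
    for account, src, dst, proto in events:
        score, reasons = score_request(baseline, account, src, dst, proto)
        if src in tainted:
            score += 2
            reasons.append(f"source {src} was reached by an earlier anomalous hop")
        if score > 0:
            tainted.add(dst)
        findings.append((account, src, dst, proto, score, reasons))
    return findings


# Constructed sequence: a workstation reaches a jump host it never used,
# an admin account then moves from that jump host, and a service account
# finally appears from a host it has never logged on from.
ATTACK_EVENTS = [
    ("jdoe", "ws-jdoe", "fs01", "smb"),
    ("jdoe", "ws-jdoe", "jump01", "rdp"),
    ("admin_ops", "jump01", "dc01", "winrm"),
    ("svc_backup", "dc01", "fs03", "smb"),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGONS)
    for account, src, dst, proto, score, reasons in detect_chain(base, ATTACK_EVENTS):
        print(f"{account:11} {src:9}-> {dst:7} {proto:6} score={score} {reasons}")
```

Run as a script, the first event scores 0 and would be allowed, the RDP hop to the jump host scores 4 and is denied, and each later hop scores higher because its source host was reached by an earlier anomaly. In a real deployment the baseline would be fed from consolidated identity logs rather than a hard-coded list, and the decision would be enforced by the authentication layer in front of the resource.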
For security teams looking to address this threat, it is impossible to overstate the importance of consolidation. Identity infrastructure typically develops over time, leading to a mix of on-premises and cloud-based identity infrastructure, often from a variety of competing providers. A connective tissue is needed to ensure consistent outcomes. Centralised identity security allows an organization to configure, manage and enforce authentication and access policies in a manner which reduces resource burn and ensures a more strategic approach to risk mitigation.
While lateral movement is a longstanding problem, the ability to address it in this way is only now becoming a reality. For too long, attackers have had freedom of movement, using identity as a universal attack vector to traverse environments unchecked for maximum impact. Organizations must put themselves back on the front foot – which they can only achieve with full visibility of the threat posed by identity and by proactively wrapping MFA around exposed assets. Only in this way can they reduce risk effectively.