Protecting the enterprise from lateral movement attacks

Cyberattacks have become even more prevalent with the increased virtualization of our work and social spaces. In fact, according to Identity Theft Resource Center the number of 2021 data breaches, through September 30, exceeded the total number of events in 2020 by 17%, and 2020 was a record-breaking year. The trendline is only pointing in the wrong direction.

While data breaches do come in varying degrees, they cause damage regardless. This damage often revolves around cybercriminals trying to launch ransomware or steal your data, and they are getting more sophisticated at doing so every day. Their methods? Essentially, they seek to gain initial access to your IT environment, evade your defensive measures, and often escalate privileges and move laterally to get from the initial point of entry to the targets that have the most value.

Let’s look at lateral movement further and explore why it is important and how to minimize the impact of adversaries moving around your environment.

What is lateral movement?

Lateral movement is a set of techniques that threat actors use to progressively maneuver throughout a network environment. Depending on their objectives, they navigate around your network to find the targets, often in multiple hops between various systems. These hops are often opportunistic, and the attacker may not always know where they will move next.

Hackers typically start moving around the network after they’ve already got initial access (for example, as a result of successful phishing email) and some level of administrative privileges. This admin access can then be used to launch various attack techniques, such as Pass-the-Hash (PtH) exploit vulnerabilities in remote services (for example, RDP), or even hijack legitimate remote services sessions to move to another system, or to look for artifacts to leverage.

Lateral movement can be particularly dangerous, as attackers take advantage of existing privileged access permissions. This activity is extremely difficult to detect because the attackers are harnessing legitimate privileges throughout the organization to unpredictably move around from system to system.

Building a lateral movement defense

No single “silver bullet” solution can prevent adversarial lateral movement and still ensure legitimate user activity is not impacted. Organizations use a combination of configuration hardening, network segmentation, multi-factor authentication, and various other mitigation approaches to build a multi-layered defense.

One of the important components of this defense-in-depth strategy is Privileged Account Management (PAM). The concept of PAM is to remove high privileges from regular user accounts and use dedicated “administrative” accounts with limited access for specific purposes. This would reduce the chance of successful lateral movement in case a non-privileged user account is compromised. Traditionally, organizations have maintained dozens, if not hundreds, of such privileged accounts to enable essential administrative tasks in the IT ecosystem. However, with today’s cybercriminals becoming increasingly advanced in their tactics, these privileged credentials represent a serious security risk. They can be hijacked by attackers or misused by insiders, either accidentally or maliciously. Therefore, privileged access management has focused primarily on locking down those accounts, resulting in a complex ongoing struggle to reduce and manage the associated risks.

Against this backdrop, Privileged Activity Management — an evolution of the traditional concept of PAM — has emerged as an effective way to reduce online attack surfaces and secure data and networks from adversarial lateral movement.

The evolution of PAM

The traditional concept of Privileged Account Management centered around a vault, which rotated user accounts and credentials according to policy. With this approach, passwords were changed as soon as users had finished their session. Over time, Privileged Account Management morphed into Privileged Access Management, which incorporated session proxies, improving network segmentation and security, and offered the ability to record what was happening within the network, while accounts themselves remained stored in the vault.

However, the problem with this approach is that you end up with what’s known as ‘standing privilege.’ In most environments, attackers are not interested in vaults or passwords per se; they are looking for artifacts in a network that can be leveraged to gain access to a privileged account and move laterally without being noticed. Therefore, the greater the number of privileged accounts, the bigger the attack surface available to attackers and the greater opportunity for lateral movement throughout a network.

The traditional notion of PAM has lulled many into a false sense of security, which is where Privileged Activity Management comes in. The goal here is to fix the resulting standing privilege problem by only creating privilege when users use it. All administrative accounts that organizations use daily tend to be highly privileged, often with some super or admin user privileges attached. And as these accounts usually retain their privileges post-use, the more of these that an organization has, the bigger the security threat.

The best practice is to keep the environment as close to zero standing privilege as possible, which effectively means that no privileges are assigned to accounts when they are not in direct use. Privilege is only added when it’s needed — during an ‘activity’ — and it’s removed at the end of the session. These accounts then no longer pose a risk and cannot be leveraged by threat actors. This approach not only removes a means of lateral movement for a would-be attacker, but also significantly reduces the compliance burden facing organizations.

To use an analogy, we wouldn’t expect a fleet of taxis to wait outside our home, with each one pre-programmed to go to different destinations, just in case they are needed. And the same should be true of privileged accounts. In a traditional PAM paradigm, organizations have to maintain multiple accounts, one per “destination” (e.g., one for Active Directory and another for SQL Server), to avoid accumulating too much destructive power in a single account and reduce the potential damage. But the accounts are still there, like pre-programmed taxis outside your home. A zero-standing privilege model provides a greatly reduced attack surface and eases compliance headaches into the bargain, as privileges are removed at the end of each session (on-demand privilege).

In a time when cybercriminals are becoming increasingly advanced in their methods of attack, it is vital for organizations to ensure that they are as ready as possible. To keep their data safe and secure, they need to make sure they’re actively on the defense. It is high time to retire the conventional approach to Privileged Account Management. Modern Privileged Activity Management takes an extremely different approach. Providing each admin with just enough access to perform a specific task and only for as long as it takes to perform that task minimizes the risks that come from various admins and various platforms. Organizations can reduce their attack surface and remove opportunities for attackers to infiltrate security systems, while greatly reducing management overheads in the process.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.