“Blind spots” in lateral movement in corporate cybersecurity [Q&A]


Significant time, attention, and investment goes into building strong perimeter and endpoint defenses to prevent malicious attackers from gaining access to corporate networks.

While this is important, organizations also need a network security strategy, because once an attacker has infiltrated the network, the race to discover the malicious activity and resolve the incident quickly begins.

The longer an attacker lurks undetected, the freer they are to move laterally within the network, expanding their reach and causing more damage. Peter Manev, co-founder and chief strategy officer at Stamus Networks, believes this type of lateral movement is a blind spot for many companies. We spoke to him to find out why, and to discuss his best practices for detecting and responding to it.

BN: What is a lateral movement attack?

PM: Lateral movement is a technique used by cyber attackers to expand their presence and control within a compromised environment. Threat actors often gain initial access to endpoints through successful phishing or other social engineering attacks, malware infections, or common vulnerabilities and exposures. The attacker then uses a variety of tools to obtain credentials, increase privileges, and ultimately impersonate legitimate users, navigating through different systems until they find what they’re looking for. This is typically sensitive data or other high-value assets that can be compromised for financial gain, to disrupt business operations, or to effectively shut down an organization.

BN: How does it work?

PM: There are usually three stages of lateral movement.

  • Reconnaissance — After gaining initial access to a corporate network, an attacker tries to understand where they’ve landed, what freedom they have, and how they can use that freedom to achieve their goals. Depending on what they find and the privileges available at the initial beachhead, they can leverage a variety of tools to take the next step.
  • Credential Dumping and Privilege Escalation — Attackers cannot traverse the network without valid access credentials, so this is where they focus next. They often use tactics like credential dumping and keylogging to steal credentials. Once they have valid credentials, they can easily impersonate a user, escalate their privileges, and move throughout the environment.
  • Gaining Access — This pattern serves as a blueprint for attackers: they repeat the process throughout the network until they can access the targets identified during the reconnaissance phase.

How cybercriminals perform these steps can have a significant impact on detection. For example, if the attacker’s goal is to reach the target as quickly as possible, they may not care about being detected and end up making a lot of noise on the network; an opportunistic ransomware attack could do that. On the other hand, if stealth is the priority, the attacker may try to remain undetected for months, moving laterally within the network and expanding the scope of the compromise.

Organizations must deploy appropriate network monitoring tools to quickly detect and respond to threats in either scenario.

BN: What are the biggest risks of lateral movement attacks?

PM: The biggest risk of lateral movement is that it exposes more of an organization’s layout and infrastructure to threat actors. Additionally, as the footprint of cybercriminals on the network grows, so does the risk and impact of the attack. Successful lateral movement can allow the attacker to shut down operations and significantly impact the target’s business.

Another important point to consider is that an attacker may intentionally destroy a device in order to disrupt an organization’s infrastructure and operations. Just recently, a well-known vendor advised a customer to replace a physical device because a software vulnerability could not be patched. We also recently saw a major Internet service provider shut down and thousands of modems permanently destroyed.

In these and other cases, endpoint detection and response (EDR) will not help protect your enterprise from threat actors. This is why it is so important for organizations to implement a layered defense that combines EDR and network monitoring, especially on critical infrastructure. Organizations can only detect threats quickly if they have visibility into their networks. This is important to reduce the damage that can occur after a successful attack.

BN: Why is lateral movement a blind spot for many companies?

PM: Expanding on the endpoint challenges we talked about earlier, a big blind spot is actually monitoring edge or legacy devices where endpoint detection can’t be installed. Examples include routers, switches, firewalls, VPN concentrators, virtual infrastructure, gateways, SCADA devices, medical equipment, and most of the military, industrial, medical, and automotive device domains. Almost every week, we see critical vulnerabilities in these systems being discovered and disclosed.

Another big thing to consider is the vulnerabilities and breaches that we don’t know about or that haven’t been disclosed. This heightens the already pressing need to monitor all communication aspects of critical infrastructure.

Plus, you can’t protect something you don’t know is there. Therefore, you cannot protect or monitor devices that may or may not exist within your organization. Customer deployments often result in the discovery of devices or entire networks that are unknown to the organization’s security and network teams.

Organizations should use network-based threat detection and response (NDR) tools to closely monitor communication between all devices on the network and give security teams a complete picture of network activity. This serves three purposes: minimizing risk, auditing your current security policies and controls, and adding another layer of security visibility (as we all know, visibility is king).

BN: Where should companies start when building a strategy to stop lateral movement?

PM: The most effective defense is early detection, as it is very difficult to stop lateral movement through preventive controls. And the most effective way to achieve early detection is to take a multi-layered approach. For example, rather than relying solely on one-dimensional point solutions such as intrusion detection systems (IDS), network security monitoring (NSM) tools, or network detection and response (NDR) solutions, enterprises should consider a platform that integrates the capabilities of all three. This provides a more complete set of detection methods that can identify lateral movement early in the kill chain, right after initial system access.

These tools can search for and highlight anomalies in credential usage, logon failures, application usage, connection patterns, port and protocol usage, cryptographic analysis, flow patterns, and connection details. Then, once suspicious activity is detected, advanced prioritization algorithms push lateral movement attacks to the top, ensuring only the most urgent threats, supported by evidence, land on the security team’s review list. This is critical because alert fatigue can be just as devastating to security teams as a lack of insight into suspicious activity and threats. With a manageable list of action items, security teams can respond quickly and catch threats before cybercriminals can cause significant damage.

Importantly, the network is uniquely positioned to detect and track lateral movement. All you need to do is use the right tools and adopt the right strategies to take advantage of them.
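The kinds of network-side signals Manev lists above (logon failures, connection patterns, port usage, flow patterns, evidence-based prioritization), together with the noisy-versus-stealthy distinction from his answer on how lateral movement works, as an added example that is not part of the interview and is not Stamus Networks code. Record shapes loosely follow the fields a Zeek sensor writes to conn.log and ntlm.log; the internal address range, the admin-port list, every threshold, and all the telemetry are assumptions constructed for the example.

```python
"""Added example: network-side lateral movement detection over constructed records.
Not code from the interview or from Stamus Networks; data, ranges and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                  # assumed corporate range
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}  # SSH, RPC, SMB, RDP, WinRM
DAY = 86400

@dataclass(frozen=True)
class Conn:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Auth:
    ts: float
    src: str    # client address as seen by the sensor
    user: str
    success: bool

def _is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def _sliding_max(items, window, measure):
    """Largest measure(...) over any `window`-second span of a time-sorted (ts, item) list."""
    best, left = 0, 0
    for right, (ts, _) in enumerate(items):
        while ts - items[left][0] > window:
            left += 1
        best = max(best, measure([it for _, it in items[left:right + 1]]))
    return best

def fanout_alerts(conns, window=60.0, min_targets=5):
    """Noisy pattern (e.g. opportunistic ransomware): one internal host reaches at least
    min_targets distinct internal hosts on admin ports within `window` seconds."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport in ADMIN_PORTS and _is_internal(c.src) and _is_internal(c.dst) and c.src != c.dst:
            by_src[c.src].append((c.ts, c.dst))
    hits = {s: _sliding_max(v, window, lambda ds: len(set(ds))) for s, v in by_src.items()}
    return {s: n for s, n in hits.items() if n >= min_targets}

def new_peer_alerts(baseline, recent, min_new=3):
    """Stealthy pattern: over a long horizon a host talks to internal peers it never
    contacted during the baseline period, even if each new pair looks innocuous."""
    seen = {(c.src, c.dst) for c in baseline}
    new_by_src = defaultdict(set)
    for c in recent:
        if _is_internal(c.src) and _is_internal(c.dst) and (c.src, c.dst) not in seen:
            new_by_src[c.src].add(c.dst)
    return {s: len(d) for s, d in new_by_src.items() if len(d) >= min_new}

def failed_logon_alerts(auths, window=300.0, min_failures=10):
    """Credential guessing or reuse: many failed logons from one client within a window."""
    by_src = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.ts):
        if not a.success:
            by_src[a.src].append((a.ts, a.user))
    hits = {s: _sliding_max(v, window, len) for s, v in by_src.items()}
    return {s: n for s, n in hits.items() if n >= min_failures}

def prioritize(baseline, recent, auths):
    """Rank source hosts by independent evidence so only the strongest cases surface first."""
    score, evidence = defaultdict(int), defaultdict(list)
    for src, n in fanout_alerts(recent).items():
        score[src] += 3
        evidence[src].append(f"admin-port fan-out to {n} hosts")
    for src, n in new_peer_alerts(baseline, recent).items():
        score[src] += 2
        evidence[src].append(f"{n} never-before-seen internal peers")
    for src, n in failed_logon_alerts(auths).items():
        score[src] += 2
        evidence[src].append(f"{n} failed logons")
    return sorted(((s, score[s], evidence[s]) for s in score), key=lambda x: -x[1])

def sample_data():
    """Constructed telemetry, not captured from a real network."""
    baseline = [Conn(t, s, "10.1.1.5", 445) for s in ("10.1.1.20", "10.1.1.30", "10.1.1.40")
                for t in range(0, DAY, 3600)]
    # Noisy: 10.1.1.20 sweeps eight internal hosts over SMB within 21 seconds.
    recent = [Conn(2 * DAY + 1000 + 3 * i, "10.1.1.20", f"10.1.1.{50 + i}", 445) for i in range(8)]
    # Stealthy: 10.1.1.30 reaches one never-before-seen host per day over RDP.
    recent += [Conn((2 + d) * DAY + 4000, "10.1.1.30", f"10.1.2.{10 + d}", 3389) for d in range(3)]
    # Benign: 10.1.1.40 keeps talking to the file server it always used.
    recent.append(Conn(2 * DAY + 5000, "10.1.1.40", "10.1.1.5", 445))
    auths = [Auth(2 * DAY + 900 + 5 * i, "10.1.1.20", "svc_backup", False) for i in range(12)]
    auths.append(Auth(2 * DAY + 970, "10.1.1.20", "svc_backup", True))
    return baseline, recent, auths

if __name__ == "__main__":
    for host, score, why in prioritize(*sample_data()):
        print(f"{host}: score {score}: {'; '.join(why)}")
```

Run as-is, the fast SMB sweep from 10.1.1.20 trips the short-window fan-out check and the failed-logon check and ranks first, while 10.1.1.30, which touches only one new host per day and never exceeds any per-window threshold, is still surfaced by the baseline comparison of new internal peers. The host that keeps its usual traffic pattern produces no evidence and never reaches the list, which is the point of weighting independent signals rather than alerting on each one.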

image credits: Photoguest Tober / Shutterstock
