What are the risks of lateral movement in your business? What is lateral movement in the first place? How can your enterprise defend against it?
This guest post by Liron Barak, Co-Founder and CEO of BitDam, answers these questions in-depth and gets your IT security on the right foot.
The Risks Of Attack: Lateral Movement Within Your Organization
By Liron Barak, Co-Founder and CEO of BitDam.
If you had to quickly visualize your cybersecurity stack, what would it look like?
For many, it would be something like a medieval castle surrounded by an army – bravely defending the organization against multiple threats coming at it from different vectors.
In truth, most organizations focus their cybersecurity efforts on preventing external threats from entering the organization. They scan incoming emails, for example, and have recently also started to scan other collaboration tools such as instant messaging and cloud drives.
Unfortunately, this approach leaves a massive gap.
Cybersecurity Focused On Ingress
Yes, protecting against external threats is not only good practice, it’s essential. However, there is always a risk that something is missed.
If your defense is only against attackers from the outside, then once a threat gets inside it’s free to move on uninterrupted, easily infecting other parts of the network and going on to cause havoc. This is called lateral movement.
An attacker can get into an organization by fooling a random employee into divulging their login credentials, and then move quietly and quickly to the crown jewels of the organization – getting access to the most sensitive data.
A painful recent example is how the SolarWinds attack was carried out. It started with a malicious email to penetrate the organization and then moved laterally within the company to access sensitive data. These types of attacks happen right under the noses of security teams, are difficult to detect, and occur when most security tools are still looking outward at the next external threat.
Real Cybersecurity Is Constant and Ongoing
This scenario shows why organizations cannot solely rely on their perimeter security solutions. They have to constantly scan all internal communication including internal emails, chats, video conferences, and anything shared via cloud drives and collaboration platforms like OneDrive or Google Drive – even if it’s internal only.
Such an approach – monitoring internal as well as external communication – is critical in picking up attacks that might have bypassed external-facing security solutions.
What’s more, with an increase in supply-chain attacks, the concept of a “perimeter” is more fluid than ever before. Where does one company’s perimeter end, and another’s begin? If a trusted supplier is compromised (remember that Target attack?) then traditional perimeter-based solutions are often rendered less effective, if not useless.
The same goes for the current distributed or “Work From Home” work environment. To communicate and get work done, employees are using their own devices, platforms, and tools that are not under the supervision of the organization’s security team. This increases the risk of attackers bypassing traditional security methods and penetrating the organization.
A company that does not continuously protect internal communication and assess it for signs of malicious behavior can be compared to a ship that’s sprung a leak; with the sailors only looking for the next leak, without dealing with the current one – or the rushing water that’s threatening to sink the boat.
Case in Point: Compromised Emails Leading to Lateral Movement
This often happens when it comes to compromised emails. Once an attacker has a user’s credentials – often just a username and password are required – they are “in”. In most cases they can now move freely behind an organization’s well-protected perimeter, helping themselves to data. This data is easily exfiltrated and often ends up for sale on the Dark Web – or worse.
Similarly, once a threat actor gains access to an account, they can send legitimate-looking emails to someone this user corresponds with regularly – so it won’t look suspicious. They can also piggyback on a document that is being shared to attack another device in the company.
When it comes to attackers leveraging lateral movement, a familiar pattern emerges:
- Obtain Credentials: The first goal of attackers is to obtain credentials. They want to move around as much as possible within the network, and therefore with each additional endpoint compromised or level of credential obtained, they can move around further – and get closer to the crown jewels.
- Authenticate: Once credentials have been obtained, the attacker can move laterally with more freedom. This can be done using tools such as PowerShell, Server Message Block (SMB), and remote desktop.
- Establish Control: Access is not enough. Next, the attackers will try to establish control. This is usually achieved using a suite of hacking tools.
- Ensure Stealth: To prevent detection, attackers will utilize native and commonly used tools and “live off the land”. This point is critical to understand, especially when it comes to the importance of being aware of – and constantly scanning – internal communication.
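As an added illustration that is not part of the original post, here is a defender-side check for the Authenticate step above: one account logging on to several different hosts over SMB or RDP within a short window is a fan-out pattern worth alerting on. The log line format, host names, account names and thresholds are constructed assumptions, loosely modelled on the fields of Windows Security Event ID 4624.

```python
"""Flag accounts that authenticate to many hosts in a short window (lateral-movement fan-out)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), modelled on Event ID 4624 (successful logon).
# LogonType 3 = network logon (e.g. SMB share access), 10 = RemoteInteractive (RDP),
# 2 = local interactive logon. 4625 is a failed logon and is ignored here.
SAMPLE_EVENTS = [
    "2021-09-10T09:00:12 4624 user=j.smith src=10.0.5.21 host=FS01 type=3",
    "2021-09-10T09:01:40 4624 user=j.smith src=10.0.5.21 host=DC01 type=3",
    "2021-09-10T09:03:05 4624 user=j.smith src=10.0.5.21 host=HR-PC-07 type=10",
    "2021-09-10T09:04:30 4624 user=j.smith src=10.0.5.21 host=FIN-SRV type=3",
    "2021-09-10T09:02:00 4624 user=a.jones src=10.0.7.14 host=FS01 type=3",
    "2021-09-10T09:05:10 4625 user=a.jones src=10.0.7.14 host=DC01 type=3",
    "2021-09-10T09:45:00 4624 user=a.jones src=10.0.7.14 host=WS-042 type=2",
]


def parse_event(line):
    """Split one constructed log line into a dict of timestamp, event id and key=value fields."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id), **fields}


def find_fanout(lines, window=timedelta(minutes=10), threshold=3):
    """Return {account: sorted hosts} for accounts with successful network/RDP logons
    to at least `threshold` distinct hosts inside any `window`-long interval."""
    events = [parse_event(line) for line in lines]
    # Keep only successful logons of the types used for remote access (SMB, RDP).
    events = [e for e in events if e["event_id"] == 4624 and e["type"] in ("3", "10")]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window starting at each logon and count distinct destination hosts.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

In the sample, j.smith reaches four hosts in under five minutes and is flagged, while a.jones's single share access and local logon are not. Tune `window` and `threshold` to the baseline of service and admin accounts in your own environment.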
In fact, according to IBM research, it takes 280 days to identify and contain a data breach. That means on average attackers are spending the better part of a year inside an organization, undetected. Watching. Listening.
In a recent case, an espionage group known as Palmerworm targeted and gained access to multiple organizations. They moved laterally within these companies, often maintaining a presence on compromised networks for more than a year – undetected, of course. Using many of the tactics described above, they accessed and stole sensitive information from companies in the U.S., Japan, Taiwan, and China.
Gaps In Cyber Protection
Unfortunately, today most email security solutions do not scan internal emails. In fact, no traditional Secure Email Gateway (SEG) solutions scan internal email traffic – leaving you exposed. Even newer solutions, which do scan these emails, use the same detection techniques they use for emails coming from the outside. This is ineffective, since the profile of these attacks is completely different.
The bottom line? This leaves a giant hole in a company’s cybersecurity posture.
As a cybersecurity or IT professional, you need to be aware of the risks, and ensure that the email security solution that you are using scans internal communications too, and does so in an effective manner.
When it’s the CFO’s email that’s hacked, or a data breach hits the headlines, no one will care that it started with an intern clicking the wrong button.