How stopping lateral movement can defend against ransomware [Q&A]
Over the last couple of years the number of ransomware attacks has soared. While high-profile attacks make the headlines, organizations of all sizes are at risk.
One of the keys to stopping attacks is to prevent them from moving laterally through networks. We spoke to Amit Serper, area VP of security research for North America at microsegmentation specialist Guardicore, to get his view on how businesses can protect themselves.
BN: How does lateral movement work?
AS: While IT security teams invest heavily in preventing network intrusions, daily reports of crippling attacks remind us that network compromise is inevitable. This makes an effective strategy for preventing successful intrusions from advancing and causing further negative impact a critical aspect of modern security operations.
Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to identify the most vulnerable and/or valuable assets, expand their level of access, and advance in the direction of high-value targets. It typically starts with an infection or credential-based compromise of an initial data center or cloud node. From there, attackers employ various discovery techniques to learn more about the networks, nodes, and applications surrounding the compromised resource.
As attackers learn about the environment, they often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that allow them to move successfully to their next target.
BN: Why is preventing lateral movement so key to defeating ransomware?
AS: Ransomware is the attack method of choice for financially motivated cybercriminals. In fact, it's predicted that a ransomware attack will occur every 11 seconds in 2021.
Ransomware attacks begin with a breach, often through a phishing email or network perimeter vulnerability. The malware will start to move through a network from its initial landing point, attempting to maximize damage. Attackers typically look to take control of a domain controller, compromise credentials and locate and encrypt any backups in place to prevent operators from restoring infected services.
Since lateral movement is necessary to execute a successful ransomware attack, security operations teams that can detect and block unauthorized activity early in the attack chain will be in a better position to reduce the blast radius.
BN: What are the key ways in which movement can be prevented?
AS: Enterprise infrastructure is made up of countless independent applications and services that work together to form a functional network. It can be thought of like a hotel -- just because an individual has access to the main lobby, doesn’t mean they should have access to the penthouse, the vault, and every guest room in the building.
The most effective way to prevent lateral movement is to insert a security layer between these applications to isolate and segment critical infrastructure. In the White House's recent memo urging corporate executives to take immediate steps for ransomware attacks, segmenting networks was identified as a key best practice. In years past, organizations opted for firewall technology for segmentation, but as the complexity of cloud and distributed environments has increased, granular microsegmentation controls applied at the workload and process level are emerging as the solution of choice.
Before these policies can be created, organizations must first visualize the east-west traffic in their environment. Once a clear baseline of sanctioned east-west traffic is established and viewable on a real-time and historical basis, it becomes much easier to identify unsanctioned lateral movement attempts.
BN: How can companies ensure attacks are detected early?
AS: While challenging for most organizations, early detection is key to preventing lateral movement in ransomware attacks. There are four main pillars to success:
- Visibility at the workload and process level: Strong visibility provides an advantage by allowing security operations teams to identify potential attack vectors to critical applications as ransomware attempts to spread. This visibility must be provided at the workload/process level in order to identify high-value targets from broader IT assets.
- Informed segmentation policies: Policies should be based on observed ‘normal’ communication flows between environment assets. Configuring policies to alert you to anything outside of routine activity provides an early warning of unusual activity, prompting investigation.
- Deception tools: An effective way to discover an active breach in progress with high-fidelity incidents is to set up honeypots, lures or a distributed deception platform that can identify unauthorized lateral movement.
- IDS system and malware detection tools: These help detect ransomware operators' propagation attempts, whether this means using automated anomaly detection or predefined rules and signatures for known exploits.
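The approach described above, a baseline of sanctioned east-west flows turned into a least-privilege allow-list that alerts on anything outside routine activity, as an added illustration that is not code from the interview or from Guardicore. Host names, ports, process names and all flow records are constructed for the example.

```python
"""Learn an allow-list from baseline east-west flows, then flag live flows outside it.

Added example (not from the interview or Guardicore). Flow records are constructed:
(src_host, dst_host, dst_port, process_name), as a workload/process-level sensor might emit.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]
Policy = Dict[Tuple[str, str], Set[Tuple[int, str]]]

# Constructed baseline: the sanctioned flows observed during the visibility phase.
BASELINE_FLOWS: List[Flow] = [
    ("web-01", "app-01", 8443, "nginx"),
    ("web-02", "app-01", 8443, "nginx"),
    ("app-01", "db-01", 5432, "java"),
    ("backup-01", "db-01", 5432, "pg_dump"),
    ("mon-01", "web-01", 9100, "node_exporter"),
]

# Constructed live observations: two routine flows plus three that deviate from
# the baseline (a workstation reaching a domain controller over SMB, an app server
# touching the backup host, and an unexpected SSH session on a known path).
LIVE_FLOWS: List[Flow] = [
    ("web-01", "app-01", 8443, "nginx"),
    ("ws-117", "dc-01", 445, "powershell.exe"),
    ("app-01", "backup-01", 445, "java"),
    ("web-01", "app-01", 22, "ssh"),
    ("app-01", "db-01", 5432, "java"),
]


def build_policy(flows: List[Flow]) -> Policy:
    """Per (src, dst) pair, record the (port, process) combinations seen in the baseline."""
    policy: Policy = defaultdict(set)
    for src, dst, port, proc in flows:
        policy[(src, dst)].add((port, proc))
    return dict(policy)


def evaluate(policy: Policy, flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """Return one alert per flow the learned policy does not cover, with the reason."""
    alerts = []
    for src, dst, port, proc in flows:
        allowed = policy.get((src, dst))
        if allowed is None:
            alerts.append((src, dst, port, proc, "no sanctioned path between hosts"))
        elif (port, proc) not in allowed:
            alerts.append((src, dst, port, proc, "unexpected port/process on known path"))
    return alerts
```

In a real deployment the baseline would be learned over a long enough window to capture periodic jobs such as backups, and the policy rules would be enforced rather than only alerted on once they are reviewed.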
BN: How can businesses prioritize the prevention of lateral movement?
AS: Despite being one of the most popular buzzwords in modern cybersecurity vocabularies, working toward a Zero Trust architecture prioritizes the prevention of lateral movement. Zero Trust eliminates the idea of a trusted network inside a defined corporate perimeter, driving security operations teams to trust no traffic or user until verified.
The concept of Zero Trust has been around for over a decade and is now becoming a reality through the application of microsegmentation technologies. Organizations are leveraging microsegmentation to secure all resources no matter the location, guarantee access control follows the least privileged model, and ensure all traffic is logged and inspected.